From 540c4e542ec734834c598f4a1fc99c922ca57ac0 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Nov 2024 10:43:26 -0700
Subject: [PATCH 01/21] [threat-actors] Add Anonymous64
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index cc95b8f..f6f4b13 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16987,6 +16987,20 @@
 },
 "uuid": "f6134b6c-56f1-4eda-be0f-79411d627f19",
 "value": "TaskMasters"
+ },
+ {
+ "description": "Anonymous 64 is a group accused by China's national security ministry of attempting to gain control of web portals, outdoor electronic screens, and network television. The Ministry of State Security claims that Anonymous 64 is linked to a cyber unit within Taiwan's defense ministry and identifies three active-duty military personnel as its members. The MSS alleges that the group is involved in an influence operation within China, using hacktivism as a cover. The accusations suggest that Anonymous 64 engages in sabotage activities, prompting authorities to call for public reporting of such actions.",
+ "meta": {
+ "country": "TW",
+ "refs": [
+ "https://www.theregister.com/2024/09/25/china_anonymous_64_taiwan_accusations/"
+ ],
+ "synonyms": [
+ "Anonymous 64"
+ ]
+ },
+ "uuid": "94f0fd5e-68a7-458a-bb5f-f2f4e5230fcc",
+ "value": "Anonymous64"
 }
 ],
 "version": 318
From 5c0ec348c9281f6f7339a91654717068bed8ddb5 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Nov 2024 10:43:26 -0700
Subject: [PATCH 02/21] =?UTF-8?q?[threat-actors]=20Add=20Asnar=C3=B6k?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f6f4b13..f101a85 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
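Review bot: The new `"country": "TW"` field states Taiwanese origin as a fact, while the description itself frames it only as an accusation by China's Ministry of State Security; consumers of this galaxy read `country` as attribution, so a claim made by an adversary government should not be encoded there without qualification. Either drop the field, or keep it and add to the description `Attribution to Taiwan is based solely on the MSS statement.` The same pattern appears in the RipperSec hunk (`"country": "MY"` for a group the text calls only "likely Malaysian") and the Blackmeta hunk (`"country": "PS"` for a group the text describes only as pro-Palestinian), where the field conveys more certainty than the description supports.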
@@ -17001,6 +17001,20 @@
 },
 "uuid": "94f0fd5e-68a7-458a-bb5f-f2f4e5230fcc",
 "value": "Anonymous64"
+ },
+ {
+ "description": "Asnarök is a threat actor that exploited CVE-2020-12271 and utilized command injection privilege escalation to gain root access to devices and install the Asnarök Trojan and demonstrated significant changes in TTPs, including the deployment of a web shell that did not reach out to external C2 for commands. X-Ops identified a patient-zero device linked to the attack and observed the use of an IC.sh script that stole local user account data. The actor's activities were linked to a broader pattern of malicious exploit research and targeted vulnerabilities disclosed by bug bounty researchers.",
+ "meta": {
+ "refs": [
+ "https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/",
+ "https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/"
+ ],
+ "synonyms": [
+ "Personal Panda"
+ ]
+ },
+ "uuid": "4e26b4ac-5530-428b-8694-3dd6d24ee286",
+ "value": "Asnarök"
 }
 ],
 "version": 318
From 2b94de3f18329f89708a55c3e13816e234d474c0 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Nov 2024 10:43:26 -0700
Subject: [PATCH 03/21] [threat-actors] Add Shahid Hemmat
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f101a85..19d1f46 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
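Review bot: The description uses `Asnarök` both for the actor and for the payload (`install the Asnarök Trojan`), so a reader cannot tell whether this cluster tracks an actor, an intrusion set or a malware family; one clarifying sentence, or a `threat-actor-classification` meta value as the README text later in this series recommends, would settle it. `X-Ops` should also be written out as `Sophos X-Ops` on first use, since both refs are Sophos reports and the abbreviation is otherwise unexplained.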
@@ -17015,6 +17015,18 @@
 },
 "uuid": "4e26b4ac-5530-428b-8694-3dd6d24ee286",
 "value": "Asnarök"
+ },
+ {
+ "description": "Shahid Hemmat is an IRGC-CEC affiliated hacking group linked to cyberattacks targeting U.S. critical infrastructure, including the defense industry and international transportation sectors. The group has been implicated in the hack of a booster station at the Municipal Water Authority in Aliquippa, Pennsylvania, which disrupted drinking water supply. Key figures within Shahid Hemmat include Manouchehr Akbari, Amir Hossein Hoseini, Mohammad Hossein Moradi, and Mohammad Reza Rafatnejad. The U.S. government is offering a $10 million reward for information on these individuals.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://securityonline.info/shahid-hemmat-hackers-10m-reward-offered-by-us/",
+ "https://www.bitdefender.com/en-us/blog/hotforsecurity/us-offers-10-million-bounty-for-members-of-iranian-hacking-gang/"
+ ]
+ },
+ "uuid": "ae17fcf4-1335-4dec-9976-e26d2e5f7290",
+ "value": "Shahid Hemmat"
 }
 ],
 "version": 318
From e464c0c5c216672df5fac520973b0c4540f52779 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Nov 2024 10:43:26 -0700
Subject: [PATCH 04/21] [threat-actors] Add RipperSec
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 19d1f46..0a2f4d9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17027,6 +17027,19 @@
 },
 "uuid": "ae17fcf4-1335-4dec-9976-e26d2e5f7290",
 "value": "Shahid Hemmat"
+ },
+ {
+ "description": "RipperSec is a pro-Palestinian, likely Malaysian hacktivist group created in June 2023, known for conducting DDoS attacks, data breaches, and defacements primarily targeting government and educational websites, as well as organizations perceived to support Israel. The group has claimed 196 DDoS attacks, with a significant portion directed at Israel, and utilizes a tool called MegaMedusa for their operations. RipperSec operates on Telegram, where it has amassed over 2,000 members, and collaborates with various like-minded hacktivist groups. Their attack strategy relies heavily on community involvement rather than sophisticated infrastructure.",
+ "meta": {
+ "country": "MY",
+ "refs": [
+ "https://blog.checkpoint.com/security/hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign/",
+ "https://www.radware.com/blog/security/2024/08/megamedusa-rippersec-public-web-ddos-attack-tool/",
+ "https://www.cyjax.com/the-hacktivist-response-to-uk-foreign-policy/"
+ ]
+ },
+ "uuid": "70d09d1f-15fb-4003-bd9a-b52250d9d57e",
+ "value": "RipperSec"
 }
 ],
 "version": 318
From 188a3cdd5d207d22d87315d3105f3afbdcad000f Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Nov 2024 10:43:27 -0700
Subject: [PATCH 05/21] [threat-actors] Add LulzSec Black
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0a2f4d9..50bfb16 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17040,6 +17040,16 @@
 },
 "uuid": "70d09d1f-15fb-4003-bd9a-b52250d9d57e",
 "value": "RipperSec"
+ },
+ {
+ "description": "LulzSec Black is a hacktivist group that has claimed responsibility for coordinated DDoS attacks against Cyprus' government and critical infrastructure in response to the country's support for Israel. They have also announced cyberattacks targeting the UAE, including breaches of a government website and Alfa Electronics, asserting these actions are in support of Palestine. The group has indicated intentions for further attacks and has not provided independently verifiable evidence of their claims. Their operations reflect a focus on disrupting services and compromising data as part of their political agenda.",
+ "meta": {
+ "refs": [
+ "https://dailydarkweb.net/lulzsec-black-claims-cyberattacks-on-emirati-government-and-other-sector-targets/"
+ ]
+ },
+ "uuid": "a86b67d2-fc94-4c1b-91e1-949c969176ed",
+ "value": "LulzSec Black"
 }
 ],
 "version": 318
From d9f98b52dad98049e191316dca68822eec814d96 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Nov 2024 10:43:27 -0700
Subject: [PATCH 06/21] [threat-actors] Add OverFlame
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 50bfb16..e07cb1c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17050,6 +17050,17 @@
 },
 "uuid": "a86b67d2-fc94-4c1b-91e1-949c969176ed",
 "value": "LulzSec Black"
+ },
+ {
+ "description": "OverFlame is a hacktivist group known for executing DDoS attacks and website defacements, primarily targeting government institutions and corporations in Europe and North America. The group has been involved in coordinated attacks alongside other pro-Russian threat actors, such as NoName057and the People’s Cyber Army, often motivated by anti-government and anti-corporate sentiments. OverFlame operates through underground forums and encrypted messaging platforms to coordinate attacks and recruit members. Their activities have included targeting financial services, political parties, and educational institutions, demonstrating a focus on disrupting critical infrastructure.",
+ "meta": {
+ "refs": [
+ "https://socradar.io/biggest-education-industry-attacks-in-2024/",
+ "https://www.scworld.com/brief/austria-subjected-to-pro-russian-ddos-intrusions"
+ ]
+ },
+ "uuid": "8bd29f1a-ea33-49c2-a783-42cd2a193f83",
+ "value": "OverFlame"
 }
 ],
 "version": 318
From f74560c80ff46bc349da26ec899b34e9cbc6c972 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Nov 2024 10:43:27 -0700
Subject: [PATCH 07/21] [threat-actors] Add UNC5820
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e07cb1c..d45caec 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
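Review bot: The description line runs two words together in `such as NoName057and the People’s Cyber Army`; it should read `such as NoName057 and the People’s Cyber Army`. The pro-Russian DDoS group is usually written NoName057(16), so the intended spelling is worth confirming against the cited scworld reference before the name is used for pivoting.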
@@ -17061,6 +17061,16 @@
 },
 "uuid": "8bd29f1a-ea33-49c2-a783-42cd2a193f83",
 "value": "OverFlame"
+ },
+ {
+ "description": "UNC5820 is a threat actor exploiting the CVE-2024-47575 vulnerability in Fortinet's FortiManager, allowing them to bypass authentication and execute arbitrary commands. They have been observed exfiltrating configuration data, user information, and FortiOS256-hashed passwords from managed FortiGate devices. While the actor has staged and exfiltrated sensitive data, there is currently no evidence of lateral movement or further compromise of additional environments. Mandiant has not determined whether UNC5820 is state-sponsored or identified its geographic location.",
+ "meta": {
+ "refs": [
+ "https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575/"
+ ]
+ },
+ "uuid": "e13e36e7-a75b-42fa-8d51-35f9eeafebfc",
+ "value": "UNC5820"
 }
 ],
 "version": 318
From 2a865b8c07b18f3371457e8f929d36ae2e41cca4 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Nov 2024 10:43:27 -0700
Subject: [PATCH 08/21] [threat-actors] Add Water Makara
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d45caec..f141011 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17071,6 +17071,16 @@
 },
 "uuid": "e13e36e7-a75b-42fa-8d51-35f9eeafebfc",
 "value": "UNC5820"
+ },
+ {
+ "description": "Water Makara employs the Astaroth banking malware, which features a new defense evasion technique. Their spear phishing campaigns exploit human error by targeting users to click on malicious files. To mitigate these threats, organizations should implement regular security training, enforce strong password policies, utilize multifactor authentication (MFA), keep security solutions updated, and apply the principle of least privilege.",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html"
+ ]
+ },
+ "uuid": "54bc063d-fc4e-4076-a282-cdb98480da2a",
+ "value": "Water Makara"
 }
 ],
 "version": 318
From dd4249a17c282cccc1c9a5e1345ee0d0b9b8d66d Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Nov 2024 10:43:27 -0700
Subject: [PATCH 09/21] [threat-actors] Add UAC-0215
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f141011..4c43c22 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
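Review bot: The last sentence of the Water Makara description (`To mitigate these threats, organizations should implement regular security training, ... apply the principle of least privilege.`) is generic defensive advice rather than a characterisation of the actor, and does not belong in a cluster description. The entry would be more useful ending at `click on malicious files.` and spending the space on actor-specific tradecraft, for example the obfuscated JavaScript in spear-phishing that the Trend Micro reference's title points to. As written the entry also names no target region or sector, which the other new entries in this series do.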
@@ -17081,6 +17081,17 @@
 },
 "uuid": "54bc063d-fc4e-4076-a282-cdb98480da2a",
 "value": "Water Makara"
+ },
+ {
+ "description": "UAC-0215 is an APT group that has orchestrated a phishing campaign targeting public institutions, major industries, and military units in Ukraine, utilizing rogue RDP files to gain unauthorized access. The malicious emails are designed to appear legitimate, enticing recipients to open attachments that connect their systems to the attacker's server, allowing extensive access to local resources. CERT-UA has identified this activity as high-risk and has advised organizations to block RDP files at mail gateways and restrict RDP connection capabilities. The campaign's geographical footprint suggests a potential for broader cyberattacks beyond Ukraine.",
+ "meta": {
+ "refs": [
+ "https://cyble.com/blog/phishing-campaign-targeting-ukraine-uac-0215/",
+ "https://cert.gov.ua/article/6281076"
+ ]
+ },
+ "uuid": "0debc8ab-1449-4915-aa33-f6a54df2b2d7",
+ "value": "UAC-0215"
 }
 ],
 "version": 318
From 65549d89b482a0d1bee7a6e379a5f90752267d40 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Nov 2024 10:43:27 -0700
Subject: [PATCH 10/21] [threat-actors] Add IcePeony
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4c43c22..6bc7b93 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17092,6 +17092,17 @@
 },
 "uuid": "0debc8ab-1449-4915-aa33-f6a54df2b2d7",
 "value": "UAC-0215"
+ },
+ {
+ "description": "IcePeony is a China-nexus APT group that has been active since at least 2023, targeting government agencies, academic institutions, and political organizations in countries such as India, Mauritius, and Vietnam. They primarily employ SQL injection techniques to exploit vulnerabilities in publicly accessible web servers, subsequently installing web shells or executing malware like IceCache to facilitate credential theft. IcePeony operates under harsh work conditions, potentially adhering to the 996 working hour system, and shows a particular interest in the governments of Indian Ocean countries. Their activities suggest alignment with China's national interests, possibly related to maritime strategy.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html"
+ ]
+ },
+ "uuid": "793280d5-d28c-4d4a-87b6-487ba9d9fbd1",
+ "value": "IcePeony"
 }
 ],
 "version": 318
From fe24517d4ed5b03b4134071460a96fba2750d17f Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Nov 2024 10:43:27 -0700
Subject: [PATCH 11/21] [threat-actors] Add OilRig aliases
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 6bc7b93..68e64ca 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4052,7 +4052,8 @@
 "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf",
 "https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/",
 "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/",
- "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/"
+ "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/",
+ "https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html"
 ],
 "synonyms": [
 "Twisted Kitten",
@@ -4067,7 +4068,8 @@
 "Evasive Serpens",
 "Hazel Sandstorm",
 "EUROPIUM",
- "TA452"
+ "TA452",
+ "Earth Simnavaz"
 ],
 "targeted-sector": [
 "Chemical",
From a474eabc0c999367a1737eb1b32952447e72e48a Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Nov 2024 10:43:27 -0700
Subject: [PATCH 12/21] [threat-actors] Add RomCom aliases
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 68e64ca..04127c1 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -11585,10 +11585,12 @@
 "https://labs.k7computing.com/index.php/romcom-rat-not-your-typical-love-story/",
 "https://blogs.blackberry.com/en/2023/07/decoding-romcom-behaviors-and-opportunities-for-detection",
 "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html",
- "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
+ "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
+ "https://blog.talosintelligence.com/uat-5647-romcom/"
 ],
 "synonyms": [
- "Storm-0978"
+ "Storm-0978",
+ "UAT-5647"
 ]
 },
 "uuid": "ba9e1ed2-e142-48d0-a593-f73ac6d59ccd",
From ac7d60fe03298b1a4d1363b72d23c5be76ca030c Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Nov 2024 10:43:27 -0700
Subject: [PATCH 13/21] [threat-actors] Add AridViper aliases
---
 clusters/threat-actor.json | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 04127c1..9fd47e4 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6108,6 +6108,7 @@
 "value": "APT6"
 },
 {
+ "description": "AridViper is a state-sponsored APT primarily targeting military personnel, journalists, and dissidents in the Middle East, with a focus on Israel and Palestine. The group employs custom-developed mobile malware, including variants like AridSpy, GnatSpy, and Micropsia, often delivered through spear-phishing emails and deceptive applications. Their operations involve sophisticated social engineering tactics, including the use of fake social media profiles and weaponized apps masquerading as legitimate services. AridViper's activities are characterized by a blend of technical sophistication and psychological manipulation, aiming to exfiltrate sensitive data from compromised systems.",
 "meta": {
 "cfr-suspected-state-sponsor": "Palestine",
 "cfr-suspected-victims": [
@@ -6145,15 +6146,13 @@
 "https://www.threatconnect.com/blog/kasperagent-malware-campaign/",
 "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/sexually-explicit-material-used-as-lures-in-cyber-attacks?linkId=12425812",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064309/The-Desert-Falcons-targeted-attacks.pdf",
- "https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
+ "https://www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/"
 ],
 "synonyms": [
 "Desert Falcon",
- "Renegade Jackal",
- "DESERTVARNISH",
- "UNC718",
 "Arid Viper",
- "APT-C-23"
+ "APT-C-23",
+ "Bearded Barbie"
 ]
 },
 "uuid": "0cfff0f4-868c-40a1-b9b4-0d153c0b33b6",
From 1f4a77c70276b334478cbb7aba2545c4dd622486 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Nov 2024 10:43:28 -0700
Subject: [PATCH 14/21] [threat-actors] Add APT10 aliases
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9fd47e4..395f305 100644
--- a/clusters/threat-actor.json
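Review bot: The second hunk (`@@ -6145,15 +6146,13 @@`) drops three existing synonyms, `Renegade Jackal`, `DESERTVARNISH` and `UNC718`, and replaces the Google "tool of first resort" reference with a SentinelOne report, although the commit subject only announces added aliases. Removing established names silently breaks lookups for anyone pivoting on them, and the new reference is, by its URL, a Gaza Cybergang report rather than an Arid Viper one, so this reads like a conflation rather than a deliberate de-aliasing. The three synonyms and the Google reference should be restored alongside `Bearded Barbie` and the new ref, or the commit message should state why they are being removed. The added `description` in the first hunk is fine as a description, though its "state-sponsored" claim sits next to `cfr-suspected-state-sponsor` meta that is only "suspected".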
+++ b/clusters/threat-actor.json
@@ -1037,7 +1037,8 @@
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
 "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new",
- "https://www.crowdstrike.com/blog/two-birds-one-stone-panda/"
+ "https://www.crowdstrike.com/blog/two-birds-one-stone-panda/",
+ "http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks"
 ],
 "synonyms": [
 "STONE PANDA",
@@ -1052,7 +1053,8 @@
 "ATK41",
 "G0045",
 "Granite Taurus",
- "TA429"
+ "TA429",
+ "Cicada"
 ]
 },
 "related": [
From 6e3656ae6d7d58d81ed3998bd82234f5dc847cda Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Nov 2024 10:43:28 -0700
Subject: [PATCH 15/21] [threat-actors] Add DarkRaaS
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 395f305..afe7479 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
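Review bot: The new reference `http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks` is the only plain-http URL in either hunk; every other ref in the list uses `https://`. It should be `https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks` so the link is not fetched over an unauthenticated transport and stays consistent with the rest of the refs; if the host does not serve HTTPS, that is worth a line in the commit message.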
@@ -17108,6 +17108,18 @@
 },
 "uuid": "793280d5-d28c-4d4a-87b6-487ba9d9fbd1",
 "value": "IcePeony"
+ },
+ {
+ "description": "DarkRaaS is a threat actor specializing in selling unauthorized access to various organizations' systems and networks across multiple countries, with a recent focus on targets in Israel, UAE, Turkey, and South America 4 9 20. The group has been operating for at least six years and typically offers access to sensitive data, internal systems, and infrastructure, with prices ranging up to $25,000 for VPN access 4 9. Their targets span various sectors including government institutions, educational facilities, oil and gas companies, and IT organizations, often claiming to have access to multiple terabytes of sensitive data 7 19.",
+ "meta": {
+ "refs": [
+ "https://cyberpress.org/darkraas-ransomware-oil-gas-company/",
+ "https://cyberpress.org/darkraas-ransomware-intelligence-data/",
+ "https://dailydarkweb.net/darkraas-allegedly-breached-a-major-oil-and-gas-company/"
+ ]
+ },
+ "uuid": "0c18304e-e65f-4881-94e1-cc2d621ec563",
+ "value": "DarkRaaS"
 }
 ],
 "version": 318
From d44948b2a9be3e1f1296c914ad4d4d5749843bec Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Nov 2024 10:43:28 -0700
Subject: [PATCH 16/21] [threat-actors] Add Blackmeta
---
 clusters/threat-actor.json | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index afe7479..cc3548a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
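Review bot: The DarkRaaS description carries stray citation markers, `South America 4 9 20.`, `VPN access 4 9.` and `sensitive data 7 19.`, which look like footnote numbers left behind by a summarisation tool rather than content; the three sentences should end at `South America.`, `VPN access.` and `sensitive data.`. The `at least six years` claim is not reflected in the titles of the three refs, so it is worth checking against their text before it is kept. The description portrays an access broker, yet the cluster name ends in `RaaS` and two of the ref URLs say `ransomware`; a sentence stating whether the group also operates ransomware would keep readers from guessing.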
@@ -17120,6 +17120,23 @@
 },
 "uuid": "0c18304e-e65f-4881-94e1-cc2d621ec563",
 "value": "DarkRaaS"
+ },
+ {
+ "description": "BLACKMETA is a pro-Palestinian hacktivist group that has claimed responsibility for a series of DDoS attacks and data breaches targeting organizations perceived as supportive of Israel, including the Internet Archive and various entities in the UAE and Saudi Arabia. The group employs DDoS attacks, website defacement, and data exfiltration, with motivations rooted in political ideology and retribution for perceived injustices against Palestinians. Their operations have been linked to a Telegram channel, where they publicize their activities and collaborate with other hacktivist groups. Additionally, they have been attributed to significant cyber disruptions, including a 100-hour DDoS campaign against a UAE bank, showcasing their operational capabilities.",
+ "meta": {
+ "country": "PS",
+ "refs": [
+ "https://thecyberexpress.com/sn-blackmeta-claim-snapchat-cyberattack/",
+ "https://www.radware.com/security/threat-advisories-and-attack-reports/six-day-web-ddos-attack-campaign/",
+ "https://securityboulevard.com/?p=2033037",
+ "https://socradar.io/internet-archive-data-breach-and-ddos-attacks/"
+ ],
+ "synonyms": [
+ "SN Blackmeta"
+ ]
+ },
+ "uuid": "969753d8-3cc9-43a2-9b8d-753d2bb385b4",
+ "value": "Blackmeta"
 }
 ],
 "version": 318
From 858285d75e5064fa6785d3d3b35f40570628a941 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Nov 2024 10:43:29 -0700
Subject: [PATCH 17/21] [threat actors] Update README
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 332fdc6..36fc9aa 100644
--- a/README.md
+++ b/README.md
@@ -599,7 +599,7 @@
 Category: *tea-matrix* - source: ** - total: *7* elements
 [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
-Category: *actor* - source: *MISP Project* - total: *751* elements
+Category: *actor* - source: *MISP Project* - total: *763* elements
 [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
From 3eb859f62a7323ae6ed38df631589976dacd5f79 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 4 Nov 2024 14:41:49 +0100
Subject: [PATCH 18/21] chg: [tidal] updated
---
 clusters/tidal-campaigns.json | 376 +-
 clusters/tidal-groups.json | 646 +++-
 clusters/tidal-references.json | 6404 ++++++++++++++++++++++++++------
 clusters/tidal-software.json | 4365 +++++++++++++++-------
 clusters/tidal-tactic.json | 428 ++-
 clusters/tidal-technique.json | 331 +-
 6 files changed, 9912 insertions(+), 2638 deletions(-)
diff --git a/clusters/tidal-campaigns.json b/clusters/tidal-campaigns.json
index 80be3e5..49f1a51 100644
--- a/clusters/tidal-campaigns.json
+++ b/clusters/tidal-campaigns.json
@@ -323,7 +323,7 @@
 "value": "APT40 Recent Tradecraft"
 },
 {
- "description": "In July 2024, security researchers publicized a campaign attributed to Chinese state-sponsored espionage group APT41, where actors gained and maintained long-term access to various organizations' networks in multiple sectors around the world. Victims belonged to the shipping/logistics, media, entertainment, technology, and automotive industries and were located in western Europe, the Middle East, and East and Southeast Asia. Actors used a combination of red teaming tools, publicly available software, and custom malware for persistence, command and control, data collection, and exfiltration to Microsoft OneDrive accounts. The intrusions were notable for featuring the reemergence of DUSTPAN, a dropper not observed since a series of older APT41 compromises in 2021 & 2022.[[Mandiant APT41 July 18 2024](/references/34ee3a7c-27c0-492f-a3c6-a5a3e86915f0)]",
+ "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"APT41 DUST\" (Campaign). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nIn July 2024, security researchers publicized a campaign attributed to Chinese state-sponsored espionage group APT41, where actors gained and maintained long-term access to various organizations' networks in multiple sectors around the world. Victims belonged to the shipping/logistics, media, entertainment, technology, and automotive industries and were located in western Europe, the Middle East, and East and Southeast Asia. Actors used a combination of red teaming tools, publicly available software, and custom malware for persistence, command and control, data collection, and exfiltration to Microsoft OneDrive accounts. 
The intrusions were notable for featuring the reemergence of DUSTPAN, a dropper not observed since a series of older APT41 compromises in 2021 & 2022.[[Mandiant APT41 July 18 2024](/references/34ee3a7c-27c0-492f-a3c6-a5a3e86915f0)]",
 "meta": {
 "campaign_attack_id": "C3049",
 "first_seen": "2023-03-21T00:00:00Z",
@@ -337,7 +337,19 @@
 },
 "related": [],
 "uuid": "ea6266fd-50a7-4223-ade3-e60c3467f540",
- "value": "APT41 2023-2024 Persistence & Exfiltration Activity"
+ "value": "APT41 2023-2024 Persistence & Exfiltration Activity (Deprecated)"
+ },
+ {
+ "description": "[APT41 DUST](https://app.tidalcyber.com/campaigns/b90adbbd-0fe3-5c5f-9433-543a5f01b0ae) was conducted by [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) from 2023 to July 2024 against entities in Europe, Asia, and the Middle East. [APT41 DUST](https://app.tidalcyber.com/campaigns/b90adbbd-0fe3-5c5f-9433-543a5f01b0ae) targeted sectors such as shipping, logistics, and media for information gathering purposes. [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) used previously-observed malware such as [DUSTPAN](https://app.tidalcyber.com/software/78454d3f-fa12-5b6f-9390-6412064d7c8d) as well as newly observed tools such as [DUSTTRAP](https://app.tidalcyber.com/software/ed72d5bb-2cf7-51a4-9d76-97fbd11c54d0) in [APT41 DUST](https://app.tidalcyber.com/campaigns/b90adbbd-0fe3-5c5f-9433-543a5f01b0ae).[[Google Cloud APT41 2024](https://app.tidalcyber.com/references/33bb9f8a-db9d-5dda-b4ae-2ba7fee0a0ae)]",
+ "meta": {
+ "campaign_attack_id": "C0040",
+ "first_seen": "2023-01-31T23:00:00Z",
+ "last_seen": "2024-06-30T22:00:00Z",
+ "source": "MITRE"
+ },
+ "related": [],
+ "uuid": "b90adbbd-0fe3-5c5f-9433-543a5f01b0ae",
+ "value": "APT41 DUST"
 },
 {
 "description": "ArcaneDoor was a campaign, which likely ran from November 2023 until around February 2024, that targeted Cisco Adaptive Security Appliances (ASAs). ASAs are network devices that combine firewall, VPN, and other functionality. 
The campaign targeted unspecified government institutions around the world and was believed to have been conducted for espionage purposes.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]\n\nResearchers attributed the campaign to UAT4356 (aka Storm-1849), a possible China-linked adversary.[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)] The initial access vector for the ArcaneDoor attacks remains unclear. After gaining a foothold, actors used the Line Dancer tool to upload Line Runner, a persistence and arbitrary code execution capability, to compromised ASAs (Cisco assigned two vulnerabilities, CVE-2024-20359 and CVE-2024-20353, to these activities). Responders observed various actions on objectives during the attacks, including device configuration modification, network traffic capture, and possible lateral movement.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]", 
@@ -589,6 +601,43 @@ "uuid": "c5d35d8d-fe96-5210-bb57-4692081a25a9", "value": "C0033" }, + { + "description": "Actors associated with the North Korean threat group Citrine Sleet were observed exploiting a zero-day vulnerability (CVE-2024-7971) in Chromium web browser software to achieve remote code execution in target environments. Actors were observed delivering FudModule, an advanced rootkit tool, during the attacks.[[Microsoft Security Blog August 30 2024](/references/d7ef2e80-30c0-47ce-91d4-db1690c6c689)]", + "meta": { + "campaign_attack_id": "C3055", + "first_seen": "2024-08-19T00:00:00Z", + "last_seen": "2024-08-30T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "a38ef717-4427-4aa0-9666-bb97c6ff45f3", + "b9c973c9-062d-4cbd-8bfe-98d0b4e547eb", + "a98d7a43-f227-478e-81de-e7299639a355", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "3ecdd876-7e93-4877-9032-49170c65a864", + "value": "Citrine Sleet Chromium Zero-Day Exploit Activity (CVE-2024-7971)" + }, + { + "description": "Microsoft researchers observed threat actors, believed to be members of the Citrine Sleet aka DEV-0139 group, launch an apparently targeted attack against an organization in the cryptocurrency industry.[[Microsoft DEV-0139 December 6 2022](/references/f9c070f1-aa83-45a3-bffb-c90f4caf5926)]", + "meta": { + "campaign_attack_id": "C3056", + "first_seen": "2024-06-18T00:00:00Z", + "last_seen": "2022-10-19T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "dd4f230d-198b-45d5-b0f9-55ee725cd836", + "value": "Citrine Sleet Cryptocurrency Industry Attack" + }, { "description": "In June 2023, U.S. 
authorities released Cybersecurity Advisory AA23-158A, which detailed observed exploits of a zero-day SQL injection vulnerability (CVE-2023-34362) affecting Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. According to the Advisory, exploit activity began on May 27, 2023, as threat actors, which the Advisory attributed to \"CL0P Ransomware Gang, also known as TA505\", began compromising internet-facing MOVEit Transfer web applications. Actors deployed web shells, dubbed LEMURLOOT, on compromised MOVEit applications, which enabled persistence, discovery of files and folders stored on MOVEit servers, and staging and exfiltration of compressed victim data. Authorities indicated they expected to see \"widespread exploitation of unpatched software services in both private and public networks\".[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)] Progress Software acknowledged the vulnerability and issued guidance on known affected versions, software upgrades, and patching.[[Progress Software MOVEit Transfer Critical Vulnerability](/references/9f364e22-b73c-4f3a-902c-a3f0eb01a2b9)]\n\n**Related Vulnerabilities**: CVE-2023-34362[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]", "meta": { @@ -692,9 +741,7 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ - "c6e1f516-1a18-4ff9-b563-e6ac8103b104", - "2e5f6e4a-4579-46f7-9997-6923180815dd", - "2feda37d-5579-4102-a073-aa02e82cb49f" + "2e5f6e4a-4579-46f7-9997-6923180815dd" ] }, "related": [], 
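Review bot: In the new "Citrine Sleet Cryptocurrency Industry Attack" object, `"first_seen": "2024-06-18T00:00:00Z"` is later than `"last_seen": "2022-10-19T00:00:00Z"`, and the only reference is a December 2022 report, so the 2024 year is almost certainly a typo (presumably `2022-06-18`). A first_seen after last_seen yields a negative activity window for anything that sorts or spans campaigns by date, so fix the year or drop `first_seen` until the correct date is confirmed. In the sibling CVE-2024-7971 object, `last_seen` equals the referenced blog's publication date (2024-08-30); if that is intentional, say so in the description so readers do not take it as an observed-activity date.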
@@ -719,6 +766,46 @@ "uuid": "1a2caf4c-658d-4117-a912-55f4d6bca899", "value": "Defense Sector Supply Chain Compromise by North Korea-Linked Actors" }, + { + "description": "Security researchers observed consistent adversary use of Web Distributed Authoring and Versioning (WebDAV) technology to host malicious files related to Emmenhtal (aka PeakLight), a stealthy loader malware that was then used to ingress various final malicious payloads, including DarkGate, Amadey, and SelfAU3.[[Sekoia.io Blog September 19 2024](/references/df9ff358-4d1e-4094-92cd-4703c53a384c)]", + "meta": { + "campaign_attack_id": "C3060", + "first_seen": "2023-12-01T00:00:00Z", + "last_seen": "2024-09-19T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "61085b71-eb19-46d8-a9e6-1ab9d2f3c08d", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "0ca317da-c8d6-4bd5-8c1e-5d581c9095ce", + "value": "Emmenhtal Loader Distribution Activity" + }, + { + "description": "ESET researchers observed cyberespionage activity that they linked to the FamousSparrow group, where actors used ProxyLogon and other vulnerability exploits to compromise hotel, legal, and other organizations worldwide and install a backdoor dubbed SparrowDoor, among other post-exploit tools.[[ESET FamousSparrow September 23 2021](/references/f91d6d8e-22a4-4851-9444-7a066e6b7aa5)]\n\nAt a similar time, Kaspersky researchers reported activity they linked to the GhostEmperor group, where ProxyLogon was also exploited and similar post-exploit tools were deployed, as well as a rootkit dubbed Demodex. 
The researchers further indicated that one of the command and control servers identified during their investigation correlated to the FamousSparrow activity that ESET had reported.[[Kaspersky September 30 2021](/references/8851f554-05c6-4fb0-807e-2ef0bc28e131)]", + "meta": { + "campaign_attack_id": "C3064", + "first_seen": "2021-03-03T00:00:00Z", + "last_seen": "2021-03-31T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "915e7ac2-b266-45d7-945c-cb04327d6246", + "e499005b-adba-45bb-85e3-07043fd9edf9", + "8b1cb0dc-dd3e-44ba-828c-55c040e93b93", + "5f5e40cd-0732-4eb4-a083-06940623c3f9", + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "7fa02214-cd06-480d-af2d-5943be14c6bd", + "value": "FamousSparrow/GhostEmperor Vulnerability Exploit and Post-Compromise Activity" + }, { "description": "In September 2023, French cybersecurity authorities released advisory CERTFR-2023-CTI-007, which detailed a network intrusion of the Regional and University Hospital Center of Brest, in northwestern France. Actors used valid credentials belonging to a healthcare professional to connect to a remote desktop service exposed to the Internet, then installed Cobalt Strike and SystemBC to provide backdoor network access. Authorities indicated that the credentials were likely compromised via unspecified infostealer malware.\n\nThe actors used multiple third-party tools for credential access and discovery, and they attempted to exploit at least five vulnerabilities for privilege escalation and lateral movement. Authorities worked with hospital personnel to isolate affected systems and disrupt the intrusion before suspected data exfiltration and encryption could take place. 
Based on infrastructural and behavioral overlaps with other incidents, officials attributed the intrusion to the FIN12 financially motivated actor group and indicated the same actors are responsible for dozens of attacks on French victims in recent years.\n\nAdditional details, indicators of compromise, and the observed Cobalt Strike configuration can be found in the [source report](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf).[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]\n\n**Related Vulnerabilities**: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]", "meta": { 
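Review bot: The Emmenhtal object's `"last_seen": "2024-09-19T00:00:00Z"` is the publication date of the single Sekoia reference rather than a date of observed activity, and the description gives no window at all, so the object implies nine months of continuous activity (from 2023-12-01) that the visible text does not establish. Either state the basis in the description, e.g. append `first_seen/last_seen approximate the period covered by the referenced report, which was published in September 2024.`, or align `last_seen` with the last observation date the report actually gives. The FamousSparrow/GhostEmperor object in the same hunk handles its sourcing well by framing the link between the two groups as a command-and-control overlap reported by Kaspersky rather than as an alias.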
@@ -740,6 +827,25 @@
 "uuid": "129ffe04-ea90-45d1-a2fd-7ff0bffa0433",
 "value": "FIN12 March 2023 Hospital Center Intrusion"
 },
+ {
+ "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. Further contextual details are provided via the sources in the References tab below and any associated Tags.",
+ "meta": {
+ "campaign_attack_id": "C3066",
+ "first_seen": "2024-06-27T00:00:00Z",
+ "last_seen": "2024-10-23T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "ef7715f8-526a-4df5-bad3-74b66170a52b",
+ "a98d7a43-f227-478e-81de-e7299639a355",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "50a2fbb8-e92e-4033-9dfc-d6b47aaab22d",
+ "value": "FortiManager Zero-Day Exploit Activity (CVE-2024-47575)"
+ },
 {
 "description": "[Frankenstein](https://app.tidalcyber.com/campaigns/2fab9878-8aae-445a-86db-6b47b473f56b) was described by security researchers as a highly-targeted campaign conducted by moderately sophisticated and highly resourceful threat actors in early 2019. The unidentified actors primarily relied on open source tools, including [Empire](https://app.tidalcyber.com/software/fea655ac-558f-4dd0-867f-9a5553626207). The campaign name refers to the actors' ability to piece together several unrelated open-source tool components.[[Talos Frankenstein June 2019](https://app.tidalcyber.com/references/a6faa495-db01-43e8-9db3-d446570802bc)]",
 "meta": {
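Review bot: The new FortiManager object's `description` is the generic placeholder text ("This object represents a collection of MITRE ATT&CK® Techniques…") and never names the product, the vulnerability, or the activity window, so the only substantive context is the `value` string. Every other campaign object added in this commit carries a sourced summary; at minimum the description should repeat what the object already encodes, e.g. `"description": "Exploitation of a zero-day vulnerability in Fortinet FortiManager (CVE-2024-47575); this object dates the activity from June to October 2024. Further contextual details are provided via the sources in the References tab below and any associated Tags."`. Attribution, affected versions and TTPs should be added only once a reference supporting them is attached.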
@@ -764,6 +870,23 @@ "uuid": "94587edf-0292-445b-8c66-b16629597f1e", "value": "FunnyDream" }, + { + "description": "In July 2024, Sygnia researchers reported about what they described as an \"updated infection chain\" used to deploy a variant of the Demodex rootkit, associated with the GhostEmperor (AKA FamousSparrow and Salt Typhoon) China-backed cyberespionage group. The attacks, which were discovered at an unspecified time in \"late 2023\", featured malware loading and obfuscation methods distinct from those observed during previous GhostEmperor activity in 2021.[[Sygnia July 17 2024](/references/7d30acb4-9600-46bd-a800-1c7e1149e9b4)]", + "meta": { + "campaign_attack_id": "C3065", + "first_seen": "2023-12-01T00:00:00Z", + "last_seen": "2023-12-31T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "c1447188-c034-408e-a827-55314c698827", + "value": "GhostEmperor/Demodex 2023 Compromise" + }, { "description": "U.S. cybersecurity authorities released an advisory that warned of recent attacks targeting healthcare entities and providers, which leveraged social engineering techniques for initial access and ultimately led to financial theft. The attacks used voice phishing and phishing domains, and sometimes bypassed multi-factor authentication measures, to gain footholds. Actors often used information gathered through extensive reconnaissance to facilitate these efforts.\n\nActors then used \"living off the land\" (LOTL) techniques to persist stealthily in compromised environments. Ultimately, actors sought to modify patient automated clearinghouse (ACH) account information to divert payments to actor-controlled bank accounts. The advisory did not attribute the recent campaign to a named adversary group.[[FBI Social Engineering Attacks June 24 2024](/references/527ac41a-a65e-4cf9-a9c9-194443b37c5b)]", "meta": { 
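Review bot: The GhostEmperor/Demodex 2023 description asserts `GhostEmperor (AKA FamousSparrow and Salt Typhoon)` as fact, while the FamousSparrow/GhostEmperor object added in the same commit describes the relationship only as a shared command-and-control server noted by Kaspersky; an alias claim like this should be attributed to the reporting that makes it rather than stated flatly, because downstream tooling merges clusters on synonyms. The `first_seen`/`last_seen` window of 2023-12-01 to 2023-12-31 also encodes "late 2023" with a precision the quoted source does not give. Either widen the window to what the report supports or note the approximation in the description, e.g. append `The first_seen/last_seen window approximates the report's "late 2023".`.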
@@ -781,6 +904,22 @@ "uuid": "1610257c-e2fc-4b05-bd63-5c2cbfb2342e", "value": "Healthcare Social Engineering & Payment Diversion Activity" }, + { + "description": "[HomeLand Justice](https://app.tidalcyber.com/campaigns/04329c95-d792-5333-b5bc-13ef2c545d7b) was a disruptive campaign involving the use of ransomware, wiper malware, and sensitive information leaks conducted by Iranian state cyber actors against Albanian government networks in July and September 2022. Initial access for [HomeLand Justice](https://app.tidalcyber.com/campaigns/04329c95-d792-5333-b5bc-13ef2c545d7b) was established in May 2021 as threat actors subsequently moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the attacks. Responsibility was claimed by the \"HomeLand Justice\" front whose messaging indicated targeting of the Mujahedeen-e Khalq (MEK), an Iranian opposition group who maintain a refugee camp in Albania, and were formerly designated a terrorist organization by the US State Department.[[Mandiant ROADSWEEP August 2022](https://app.tidalcyber.com/references/0d81ec58-2e12-5824-aa53-feb0d2260f30)][[Microsoft Albanian Government Attacks September 2022](https://app.tidalcyber.com/references/d00399e9-a6c6-5691-92cd-0185b03b689e)][[CISA Iran Albanian Attacks September 2022](https://app.tidalcyber.com/references/c5d37bde-52bc-525a-b25a-e097f77a924a)] A second wave of attacks was launched in September 2022 using similar tactics after public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.[[CISA Iran Albanian Attacks September 2022](https://app.tidalcyber.com/references/c5d37bde-52bc-525a-b25a-e097f77a924a)]\n\n", + "meta": { + "campaign_attack_id": "C0038", + "first_seen": "2021-05-01T04:00:00Z", + "last_seen": "2022-09-01T04:00:00Z", + "source": "MITRE", + "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee" + ] + }, + "related": 
[], + "uuid": "04329c95-d792-5333-b5bc-13ef2c545d7b", + "value": "HomeLand Justice" + }, { "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.", "meta": { 
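Review bot: The HomeLand Justice description ends with a trailing `\n\n`, which renders as an empty paragraph in consumers and is unlike the other descriptions in this file; trim it so the string ends at the final reference `…c5d37bde-52bc-525a-b25a-e097f77a924a)]`. The MITRE-imported timestamps `2021-05-01T04:00:00Z` and `2022-09-01T04:00:00Z` are midnight US Eastern converted to UTC rather than the midnight-UTC convention the Tidal-authored objects in this file use; if the underlying data is date-only, `T00:00:00Z` keeps the two sources comparable when campaigns are sorted or overlapped by date.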
@@ -829,6 +968,29 @@ "uuid": "18cf25b5-ed3a-40f6-bf0a-a3938a4f8da2", "value": "Iranian APT Targeting U.S. Voter Data" }, + { + "description": "On October 16, 2024, U.S., Canadian, and Australian cybersecurity authorities released joint Cybersecurity Advisory AA24-290A, which detailed attacks by unspecified \"Iranian cyber actors\", who used brute forcing and other credential access techniques to compromise various critical infrastructure entities, including organizations in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors. The advisory indicated that the actors likely carried out the attacks in order to ultimately sell harvested credentials and victim network information \"to enable access to cybercriminals\".[[U.S. CISA Iranian Actors Critical Infrastructure October 16 2024](/references/a70a4487-eaae-43b3-bfe0-0677fd911959)]", + "meta": { + "campaign_attack_id": "C3063", + "first_seen": "2023-10-01T00:00:00Z", + "last_seen": "2024-02-07T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "51006447-540b-4b9d-bdba-1cbff8038ae9", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "15787198-6c8b-4f79-bf50-258d55072fee", + "89c5b94b-ecf4-4d53-9b74-3465086d4565", + "291c006e-f77a-4c9c-ae7e-084974c0e1eb", + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "c9c73000-30a5-4a16-8c8b-79169f9c24aa" + ] + }, + "related": [], + "uuid": "3b15979c-eabf-41d1-8930-f480106f8430", + "value": "Iranian Cyber Actors Compromise Critical Infrastructure Organizations" + }, { "description": "In September 2022, U.S., Canadian, United Kingdom, and Australian cybersecurity authorities released joint Cybersecurity Advisory AA22-257A, which detailed malicious cyber activity attributed to advanced persistent threat (APT) actors affiliated with the Iranian government’s Islamic Revolutionary Guard Corps (IRGC). 
The advisory updated a previous alert (AA21-321A), published in November 2021, and summarized recent activities linked to the actors. Since at least March 2021, the actors were observed targeting victims in a wide range of U.S. critical infrastructure sectors, including transportation and healthcare, and victims in unspecified sectors in Australia, Canada, and the United Kingdom.\n\nThe actors typically exploited vulnerabilities to gain initial network access. They were observed exploiting vulnerabilities in Microsoft Exchange servers (ProxyShell) and Fortinet devices in 2021, and VMware Horizon (Log4j) in 2022. After gaining access, the actors typically evaluated the perceived value of data held within a victim network and either encrypted it for ransom and/or exfiltrated it. The actors are believed to have sold some exfiltrated data or used it as leverage to further pressure victims into paying a ransom.\n\nIn addition to behavioral observations and indicators of compromise, the advisories provided detection and mitigation guidance, which can be found in the source reports [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-257a) and [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a).\n\n**Related Vulnerabilities**: CVE-2021-34523, CVE-2021-31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105[[U.S. CISA IRGC Actors September 14 2022](/references/728b20b0-f702-4dbe-afea-50270648a3a2)], CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591[[U.S. CISA Iranian Government Actors November 19 2021](/references/d7014279-bc6a-43d4-953a-a6bc1d97a13b)]", "meta": { 
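Review bot: The new AA24-290A object encodes an activity window of `2023-10-01` to `2024-02-07`, but the description never states where that window comes from, so a reader cannot tell whether it is the advisory's stated period or an editorial choice. Add one sentence sourcing the dates, e.g. `The advisory covers activity observed from October 2023 through February 2024.`, adjusted to what the advisory actually says. The description also summarizes the initial-access TTPs only as "brute forcing and other credential access techniques"; naming the specific techniques the advisory lists, as the IRGC object that follows does, would make the object directly useful to detection engineers.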
@@ -919,6 +1081,21 @@ "uuid": "86e3565d-93dc-40e5-8f84-20d1c15b8e9d", "value": "June 2023 Citrix Vulnerability Exploitation" }, + { + "description": "[KV Botnet Activity](https://app.tidalcyber.com/campaigns/c0c1054c-46f0-5221-9e7c-9907fe224947) consisted of exploitation of primarily “end-of-life” small office-home office (SOHO) equipment from manufacturers such as Cisco, NETGEAR, and DrayTek. [KV Botnet Activity](https://app.tidalcyber.com/campaigns/c0c1054c-46f0-5221-9e7c-9907fe224947) was used by [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) to obfuscate connectivity to victims in multiple critical infrastructure segments, including energy and telecommunication companies and entities based on the US territory of Guam. While the KV Botnet is the most prominent element of this campaign, it overlaps with another botnet cluster referred to as the JDY cluster.[[Lumen KVBotnet 2023](https://app.tidalcyber.com/references/81bbc4e1-e1e6-5c93-bf65-ffdc9c7ff71d)] This botnet was disrupted by US law enforcement entities in early 2024 after periods of activity from October 2022 through January 2024.[[DOJ KVBotnet 2024](https://app.tidalcyber.com/references/55cf0ced-0de3-5af8-b3e6-3c33bb445593)]", + "meta": { + "campaign_attack_id": "C0035", + "first_seen": "2022-10-01T04:00:00Z", + "last_seen": "2024-01-01T05:00:00Z", + "source": "MITRE", + "tags": [ + "b20e7912-6a8d-46e3-8e13-9a3fc4813852" + ] + }, + "related": [], + "uuid": "c0c1054c-46f0-5221-9e7c-9907fe224947", + "value": "KV Botnet Activity" + }, { "description": "In November 2023, U.S. 
cybersecurity authorities and international partners released Cybersecurity Advisory AA23-325A, which detailed observed exploitation of CVE-2023-4966 (known colloquially as the “Citrix Bleed” vulnerability) by threat actors believed to be affiliated with the LockBit ransomware operation.\n\nCitrix Bleed is a vulnerability in Citrix NetScaler web application delivery control (“ADC”) and NetScaler Gateway appliances, which allows adversaries to bypass password requirements and multifactor authentication, enabling hijacking of legitimate user sessions and subsequent credential harvesting, lateral movement, and data or resource access. Authorities indicated that they expected “widespread” Citrix Bleed exploitation on unpatched services due to the ease of carrying out the exploit.\n\nAfter successful Citrix Bleed exploitation, LockBit affiliates were observed using a variety of follow-on TTPs and using a range of software, including abuse of native utilities and popular legitimate remote management and monitoring (“RMM”) tools. Indicators of compromise associated with recent intrusions and further incident response and mitigation guidance can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a).[[U.S. CISA LockBit Citrix Bleed November 21 2023](/references/21f56e0c-9605-4fbb-9cb1-f868ba6eb053)] Public reporting suggested that actors associated with the Medusa and Qilin ransomware operations, plus other unknown ransomware and uncategorized actors, had also exploited Citrix Bleed as part of their operations.[[Malwarebytes Citrix Bleed November 24 2023](/references/fdc86cea-0015-48d1-934f-b22244de6306)][[Cybernews Yanfeng Qilin November 2023](/references/93c89ca5-1863-4ee2-9fff-258f94f655c4)]", "meta": { 
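Review bot: The KV Botnet timestamps `2022-10-01T04:00:00Z` and `2024-01-01T05:00:00Z` differ by exactly the EDT/EST shift, which shows they are US-Eastern midnights converted to UTC rather than UTC dates; the Tidal-authored objects in this file use `T00:00:00Z`, so the mixed conventions put MITRE-sourced campaigns several hours off whenever dates are compared. Normalizing to `"first_seen": "2022-10-01T00:00:00Z"` and `"last_seen": "2024-01-01T00:00:00Z"` (if the underlying data is date-only) avoids that. The description also uses typographic quotes around `“end-of-life”` where the rest of the file escapes straight quotes as `\"`; valid JSON, but inconsistent for anyone grepping or normalizing the text.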
@@ -1009,7 +1186,7 @@
 "value": "Molerats 2021 Backdoor Delivery Campaign"
 },
 {
- "description": "This object represents a collection of MITRE ATT&CK® Techniques related to multiple incidents attributed to the North Korean actor group Moonstone Sleet that took place from August 2023 through May 2024. Attacks targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, and are believed to have been carried out for both financial gain and espionage purposes.[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]",
+ "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Moonstone Sleet\" (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nThis object represents a collection of MITRE ATT&CK® Techniques related to multiple incidents attributed to the North Korean actor group Moonstone Sleet that took place from August 2023 through May 2024. Attacks targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, and are believed to have been carried out for both financial gain and espionage purposes.[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]",
 "meta": {
 "campaign_attack_id": "C3039",
 "first_seen": "2023-08-01T00:00:00Z",
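Review bot: The deprecation note names the successor only as `\"Moonstone Sleet\" (Group)` in prose, while every other cross-reference in these descriptions is a markdown link to the object's `app.tidalcyber.com/groups/<uuid>` URL, so consumers cannot follow the redirect programmatically. Add the link to the MITRE-authored group object in the note, or at least its ATT&CK group ID, so the deprecated campaign resolves to its replacement. Keeping `campaign_attack_id` `C3039` on the deprecated object is the right call, since external references to that ID keep resolving.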
@@ -1023,7 +1200,7 @@
 },
 "related": [],
 "uuid": "6e63729b-6483-4a87-923c-2de179a32f17",
- "value": "Moonstone Sleet Operations"
+ "value": "Moonstone Sleet Operations (Deprecated)"
 },
 {
 "description": "[Night Dragon](https://app.tidalcyber.com/campaigns/85f136b3-d5a3-4c4c-a37c-40e4418dc989) was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.[[McAfee Night Dragon](https://app.tidalcyber.com/references/242d2933-ca2b-4511-803a-454727a3acc5)]",
@@ -1222,6 +1399,18 @@ "uuid": "71f6d3b1-c45e-421c-99cb-3b695647cf0b", "value": "Pikabot Distribution Campaigns 2023" }, + { + "description": "[Pikabot](https://app.tidalcyber.com/software/fb1b0624-3290-5977-abbc-bc9609b51f8d) was distributed in [Pikabot Distribution February 2024](https://app.tidalcyber.com/campaigns/6e6fa0e4-18b3-5700-803d-b821dcdcd787) using malicious emails with embedded links leading to malicious ZIP archives requiring user interaction for follow-on infection. The version of [Pikabot](https://app.tidalcyber.com/software/fb1b0624-3290-5977-abbc-bc9609b51f8d) distributed featured significant changes over the 2023 variant, including reduced code complexity and simplified obfuscation mechanisms.[[Elastic Pikabot 2024](https://app.tidalcyber.com/references/6c222f33-f588-513c-9149-4c2308e05319)][[Zscaler Pikabot 2024](https://app.tidalcyber.com/references/9c1edd25-0fd0-5b5d-8091-68074da52593)]", + "meta": { + "campaign_attack_id": "C0036", + "first_seen": "2024-02-01T05:00:00Z", + "last_seen": "2024-02-01T05:00:00Z", + "source": "MITRE" + }, + "related": [], + "uuid": "6e6fa0e4-18b3-5700-803d-b821dcdcd787", + "value": "Pikabot Distribution February 2024" + }, { "description": "Researchers observed a campaign, with activity occurring between March and at least June 2024, where multiple discrete threat actor clusters used similar social engineering techniques to trick users into copying and executing PowerShell scripts, which ultimately led to malware deployment on the victim's system. Payloads included droppers, RATs, and information stealer malware.\n\nInitial contact with the victim occurred through both malspam email campaigns and web browser injects, which would trigger a popup claiming an error occurred when trying to open a document or webpage. The popup would prompt the user to run a script in the PowerShell terminal or Windows Run dialog box. 
Researchers attributed these campaigns to TA571, an initial access broker, a known intrusion set (ClearFake), and a newer group dubbed ClickFix.[[Proofpoint June 17 2024](/references/a65d7492-04a4-46d4-85ed-134786c6828b)][[BleepingComputer Fake Chrome Errors June 17 2024](/references/6efa70e3-d8eb-4260-b0ab-62335681e6fd)]", "meta": { 
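Review bot: The Pikabot Distribution February 2024 object has identical `first_seen` and `last_seen` values (`2024-02-01T05:00:00Z`), which collapses the campaign to a zero-length window even though the description and the Elastic/Zscaler references describe distribution during February 2024. If only the month is known, set `last_seen` to the end of the month, e.g. `"last_seen": "2024-02-29T00:00:00Z"`, or omit it rather than duplicating `first_seen`. The `T05:00:00Z` also looks like a US-Eastern midnight converted to UTC; `T00:00:00Z` matches the Tidal-authored objects in this file.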
@@ -1276,6 +1465,49 @@ "uuid": "a9bef150-04e6-41f2-9f94-069f9912f5e3", "value": "Quantum Ransomware Compromise" }, + { + "description": "On October 10, 2024, U.S. cybersecurity authorities and international patners released a joint Cybersecurity Advisory (JCSA-20241010-001), which detailed TTPs used by Russian Foreign Intelligence Service (SVR) actors (aka APT29, Midnight Blizzard, et al) during \"recent\" cyber operations. The advisory highlighted the variety of initial access and post-exploitation TTPs leveraged by SVR actors in both targeted and broad-based campaigns, and it also spotlighted that these actors have the \"capability and interest\" to exploit a relatively long list of publicly disclosed vulnerabilities, which are tagged to this object.[[FBI SVR Update October 10 2024](/references/63a76e88-2cd1-4cfa-bd96-4c1c3eebb39b)]", + "meta": { + "campaign_attack_id": "C3062", + "first_seen": "2021-01-01T00:00:00Z", + "last_seen": "2024-10-10T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "154bd6f0-9276-4ea5-946c-d35769d3ae4b", + "1ee3e55f-8f28-43c4-9f01-8a1bad68bd56", + "082b6886-9f4a-4237-82e4-827f6bab704e", + "7d158419-2d50-4688-aa4f-3b68a4d30870", + "5c7a911d-9f28-4f13-a6aa-c7a2e2b3ca55", + "46404b24-e38a-4fea-981b-cac3d3020c8b", + "9a0df3c4-2bbf-4192-a08a-ec27d9a4c5f1", + "e676e31d-d1d4-4a83-afa9-acf58be4f92a", + "49478e42-38e9-417c-9cf9-7f2c5d41bfa8", + "b7ad8591-fbff-46ec-8f4a-33f569cce2f9", + "5ef89937-dd06-4407-91d2-61db30c75934", + "72d3fa15-265b-4f4c-ba77-635d8531fe69", + "5bd6e9f7-78e3-4a8b-8734-c8c45b61a76d", + "b3665c87-5cb3-414e-8910-d4ffe53371c2", + "d1596bb2-b947-419a-b1f0-8f38e28eae09", + "49a674f7-c117-422e-8057-67bdfab2de9c", + "a4240ea5-b7d4-40a0-afbd-76fcf2e4ebbc", + "f97e406e-0d4b-4927-af03-8113a720417f", + "1b0321d7-4d9a-4977-bd2a-092c2693b328", + 
"cccb02c5-9791-4cb4-8fe8-0c5a6aea7dcf", + "15b77e5c-2285-434d-9719-73c14beba8bd", + "08809fa0-61b6-4394-b103-1c4d19a5be16", + "7551097a-dfdd-426f-aaa2-a2916dd9b873", + "a32a757a-9d6b-43ca-ac4b-5f695dd0f110", + "1b98f09a-7d93-4abb-8f3e-1eacdb9f9871" + ] + }, + "related": [], + "uuid": "246d56a6-141c-4d60-a346-538e44fac1c9", + "value": "Russian SVR Cyber Operations and Vulnerability Exploitation Activity" + }, { "description": "Researchers have observed an evolution in Scattered Spider's/UNC3944's TTPs since the second half of 2023, with actors especially focusing on gaining wide access to victim SaaS environments for reconnaissance, data theft, and subsequent extortion purposes. This object reflects the MITRE ATT&CK® Techniques associated with this activity.[[Google Cloud June 13 2024](/references/161423a2-165d-448f-90e9-0c53e319a125)]\n\nNotable Techniques newly associated with Scattered Spider via this Campaign object include Forge Web Credentials: SAML Tokens (T1606.002), Impair Defenses: Disable or Modify Tools (T1562.001), Indicator Removal: Clear Windows Event Logs (T1070.001), Software Discovery: Security Software Discovery (T1518.001), and Pre-OS Boot: System Firmware (T1542.001).", "meta": { 
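Review bot: The SVR object's description has the typo `international patners` (should be `international partners`), and its `"first_seen": "2021-01-01T00:00:00Z"` is not supported by anything in the text, which only says the advisory covers "recent" operations; an arbitrary start date misleads anyone plotting campaign timelines. Either cite what the advisory says about the period or drop `first_seen`. The 28 opaque tag UUIDs stand in for the CVE list the description mentions; listing the CVE IDs in the description under a **Related Vulnerabilities** heading, as the MOVEit, FIN12 and IRGC objects in this file do, would keep the object readable without resolving tags.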
@@ -1317,7 +1549,7 @@
 "value": "ScreenConnect Vulnerability Exploit Attacks"
 },
 {
- "description": "The [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) was a sophisticated supply chain cyber operation conducted by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) that was discovered in mid-December 2020. [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[[SolarWinds Advisory Dec 2020](https://app.tidalcyber.com/references/4e8b908a-bdc5-441b-bc51-98dfa87f6b7a)][[SolarWinds Sunburst Sunspot Update January 2021](https://app.tidalcyber.com/references/1be1b6e0-1b42-4d07-856b-b6321c17bb88)][[FireEye SUNBURST Backdoor December 2020](https://app.tidalcyber.com/references/d006ed03-a8af-4887-9356-3481d81d43e4)][[Volexity SolarWinds](https://app.tidalcyber.com/references/355cecf8-ef3e-4a6e-a652-3bf26fe46d88)][[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)][[Unit 42 SolarStorm December 2020](https://app.tidalcyber.com/references/ecbb602a-2427-5eba-8c2b-25d90c95f166)][[Microsoft Analyzing Solorigate Dec 2020](https://app.tidalcyber.com/references/8ad72d46-ba2c-426f-bb0d-eb47723c8e11)][[Microsoft Internal Solorigate Investigation Blog](https://app.tidalcyber.com/references/66cade99-0040-464c-98a6-bba57719f0a4)] \n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) to Russia's Foreign Intelligence Service (SVR); public statements included citations to [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447), Cozy Bear, and The Dukes.[[NSA Joint Advisory SVR SolarWinds April 2021](https://app.tidalcyber.com/references/43d9c469-1d54-454b-ba67-74e7f1de9c10)][[UK NSCS Russia SolarWinds April 2021](https://app.tidalcyber.com/references/f49e6780-8caa-4c3c-8d68-47a2cc4319a1)][[Mandiant UNC2452 APT29 April 2022](https://app.tidalcyber.com/references/5276508c-6792-56be-b757-e4b495ef6c37)] The US government assessed that of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number were compromised by follow-on [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) activity on their systems.[[USG Joint Statement SolarWinds January 2021](https://app.tidalcyber.com/references/336a6549-a95d-5763-bbaf-5ef0d3141800)] ",
+ "description": "The [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) was a sophisticated supply chain cyber operation conducted by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) that was discovered in mid-December 2020. [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labled the StellarParticle campaign in industry reporting.[[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[[SolarWinds Advisory Dec 2020](https://app.tidalcyber.com/references/4e8b908a-bdc5-441b-bc51-98dfa87f6b7a)][[SolarWinds Sunburst Sunspot Update January 2021](https://app.tidalcyber.com/references/1be1b6e0-1b42-4d07-856b-b6321c17bb88)][[FireEye SUNBURST Backdoor December 2020](https://app.tidalcyber.com/references/d006ed03-a8af-4887-9356-3481d81d43e4)][[Volexity SolarWinds](https://app.tidalcyber.com/references/355cecf8-ef3e-4a6e-a652-3bf26fe46d88)][[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)][[Unit 42 SolarStorm December 2020](https://app.tidalcyber.com/references/ecbb602a-2427-5eba-8c2b-25d90c95f166)][[Microsoft Analyzing Solorigate Dec 2020](https://app.tidalcyber.com/references/8ad72d46-ba2c-426f-bb0d-eb47723c8e11)][[Microsoft Internal Solorigate Investigation Blog](https://app.tidalcyber.com/references/66cade99-0040-464c-98a6-bba57719f0a4)] \n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) to Russia's Foreign Intelligence Service (SVR); public statements included citations to [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447), Cozy Bear, and The Dukes.[[NSA Joint Advisory SVR SolarWinds April 2021](https://app.tidalcyber.com/references/43d9c469-1d54-454b-ba67-74e7f1de9c10)][[UK NSCS Russia SolarWinds April 2021](https://app.tidalcyber.com/references/f49e6780-8caa-4c3c-8d68-47a2cc4319a1)][[Mandiant UNC2452 APT29 April 2022](https://app.tidalcyber.com/references/5276508c-6792-56be-b757-e4b495ef6c37)] The US government assessed that of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number were compromised by follow-on [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) activity on their systems.[[USG Joint Statement SolarWinds January 2021](https://app.tidalcyber.com/references/336a6549-a95d-5763-bbaf-5ef0d3141800)] ",
 "meta": {
 "campaign_attack_id": "C0024",
 "first_seen": "2019-08-01T05:00:00Z",
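Review bot: The rewritten SolarWinds Compromise description misspells "labelled" as `labled`; suggest `This activity has been labelled the StellarParticle campaign in industry reporting.` The new sentence cites the CrowdStrike StellarParticle January 2022 reference, and the very next citation block repeats the same reference, so the object now carries a duplicate inline citation; dropping the second `[[CrowdStrike StellarParticle January 2022](...)]` from the list would keep the reference count accurate for consumers that parse the citation markers. The rest of the object, including its `tags` and `related`, is outside this hunk.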
@@ -1332,6 +1564,30 @@
 "uuid": "8bde8146-0656-5800-82e6-e24e008e4f4a",
 "value": "SolarWinds Compromise"
 },
+ {
+ "description": "Microsoft researchers observed Storm-0501 actors abusing hybrid user identities and their associated privileges in order to pivot from on-premises to cloud environments in Q3 2024. Storm-0501 is a financially motivated actor that has been known to deploy multiple distinct ransomware families and exfiltrate data for extortion purposes, leveraging the relatively new, Rust-based Embargo ransomware (along with a number of supporting commodity and open-source tools) during the hybrid compromise attack.[[Microsoft Security Blog September 26 2024](/references/bf05138b-f690-4b0f-ba10-9af71f7d9bfc)] Mandiant reserachers linked Storm-0501 with an actor group they track as UNC2190, which was observed carrying out ransomware attacks while branded as \"54BB47h\" (Sabbath) in 2021.[[Mandiant Sabbath Ransomware November 29 2021](/references/ab3a20a5-2df1-4f8e-989d-baa96ffaca74)][[Tyler McLellan UNC2190 September 26 2024](/references/32298444-284a-4991-ba3b-a80bd62be903)]",
+ "meta": {
+ "campaign_attack_id": "C3057",
+ "first_seen": "2024-07-17T00:00:00Z",
+ "last_seen": "2024-09-17T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "ecfc9a06-e970-4310-ac3f-0af98163563b",
+ "1c1a335a-dc30-470d-9539-b09aa87e2f8c",
+ "15b77e5c-2285-434d-9719-73c14beba8bd",
+ "532b7819-d407-41e9-9733-0d716b69eb17",
+ "c9c73000-30a5-4a16-8c8b-79169f9c24aa",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "96a04dd1-c6e6-4edd-ada4-03171fd15b2d",
+ "value": "Storm-0501 Hybrid Cloud Compromise"
+ },
 {
 "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
 "meta": {
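Review bot: The new Storm-0501 Hybrid Cloud Compromise description misspells "researchers" as `reserachers`; suggest `Mandiant researchers linked Storm-0501 with an actor group they track as UNC2190`. The description's hybrid-identity pivot is the security-relevant detail of this object, so it would help consumers if `first_seen`/`last_seen` (2024-07-17 to 2024-09-17) were stated to come from the Microsoft report rather than being left implicit, since the text itself only says "Q3 2024"; if the galaxy schema has no field for that, the description is the place.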
@@ -1364,6 +1620,25 @@
 "uuid": "6c7185e1-bd46-5a80-9a76-a376b16fbc7b",
 "value": "Triton Safety Instrumented System Attack"
 },
+ {
+ "description": "Mandiant researchers observed UNC2190, an actor group now linked to Storm-0501, deploying evasive, in-memory-only ransomware in 2021 while branded as the \"54BB47h\" (Sabbath) ransomware gang. The group had previously branded its operations as Eruption and Arcane. UNC2190 was seen targeting organizations in the education, health, and natural resources sectors in the United States and Canada from June through at least October 2021.[[Mandiant Sabbath Ransomware November 29 2021](/references/ab3a20a5-2df1-4f8e-989d-baa96ffaca74)]",
+ "meta": {
+ "campaign_attack_id": "C3058",
+ "first_seen": "2021-06-01T00:00:00Z",
+ "last_seen": "2021-10-26T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "1a9e2500-a1aa-4001-8bb4-9d7ebca60d47",
+ "value": "UNC2190 2021 Ransomware Activity"
+ },
 {
 "description": "On September 5, 2024, international authorities published joint Cybersecurity Advisory AA24-249A, which detailed recent activity linked to cyber actors affiliated with the 161st Specialist Training Center (aka Unit 29155) of the Russian General Staff Main Intelligence Directorate (GRU), the foreign military intelligence agency of Russia's armed forces. The advisory highlighted Unit 29155 espionage, sabotage, and reputational cyber attacks carried out against targets around the world since 2020.\n\nWhile Unit 29155 had been previously linked to influence, interference, and physical sabotage operations, the advisory noted how the group has expanded its tradecraft to now include offensive cyber operations. The advisory indicated that several groups tracked by the cybersecurity community relate to Unit 29155 cyber actors but may not be directly synonyms with all parts of the Unit (or each other), including: Cadet Blizzard, DEV-0586, Ember Bear, Bleeding Bear, Frozenvista, UNC2589, and UAC-0056.[[U.S. CISA Unit 29155 September 5 2024](/references/9631a46d-3e0a-4f25-962b-0b2501c47926)]",
 "meta": {
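Review bot: The new UNC2190 2021 Ransomware Activity object describes the group as "now linked to Storm-0501", and the Storm-0501 object added in the hunk at -1332,6 says the same in the other direction, yet both ship with `"related": []`, so the link exists only in prose. If `related` is meant to carry such cross-references in this cluster (every Tidal-sourced object in these hunks has it empty, so it may simply be unused by the exporter), reciprocal entries between uuid `1a9e2500-a1aa-4001-8bb4-9d7ebca60d47` and `96a04dd1-c6e6-4edd-ada4-03171fd15b2d` would make the relationship machine-readable. Otherwise the duplication of the Sabbath/54BB47h attribution across two objects is fine but should be kept in sync when either is updated.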
@@ -1430,6 +1705,22 @@
 "uuid": "b78565ce-8eec-49ad-b762-8d2107fa9ce7",
 "value": "Velvet Ant F5 BIG-IP Espionage Activity"
 },
+ {
+ "description": "[Versa Director Zero Day Exploitation](https://app.tidalcyber.com/campaigns/e28a09b7-885f-5556-b56e-7ad3e0581ac0) was conducted by [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) from early June through August 2024 as zero-day exploitation of Versa Director servers controlling software-defined wide area network (SD-WAN) applications. Since tracked as CVE-2024-39717, exploitation focused on credential capture from compromised Versa Director servers at managed service providers (MSPs) and internet service providers (ISPs) to enable follow-on access to service provider clients. [Versa Director Zero Day Exploitation](https://app.tidalcyber.com/campaigns/e28a09b7-885f-5556-b56e-7ad3e0581ac0) was followed by the delivery of the [VersaMem](https://app.tidalcyber.com/software/ea857bb3-408e-566f-a693-96d9dc4f3c90) web shell for both credential theft and follow-on code execution.[[Lumen Versa 2024](https://app.tidalcyber.com/references/1d7f40f7-76e6-5ba2-8561-17f3646cf407)]",
+ "meta": {
+ "campaign_attack_id": "C0039",
+ "first_seen": "2024-06-01T06:00:00Z",
+ "last_seen": "2024-08-01T06:00:00Z",
+ "source": "MITRE",
+ "tags": [
+ "a98d7a43-f227-478e-81de-e7299639a355",
+ "712d4124-8860-488a-a780-2938f9df6313"
+ ]
+ },
+ "related": [],
+ "uuid": "e28a09b7-885f-5556-b56e-7ad3e0581ac0",
+ "value": "Versa Director Zero Day Exploitation"
+ },
 {
 "description": "Void Banshee is an advanced persistent threat (APT) group identified by Trend Micro researchers, which is known to target victims in North America, Europe, and Southeast Asia for information theft and financial gain. In May 2024, researchers observed Void Banshee actors exploiting CVE-2024-38112, a remote code execution vulnerability in the \"MSHTML\" web browser software component. The vulnerability had not been previously disclosed, so the campaign was characterized as \"zero-day\" exploit activity. Actors delivered the Atlantida infostealer malware during the observed attacks.[[Trend Micro Void Banshee July 15 2024](/references/02c4dda2-3aae-43ec-9b14-df282b200def)]\n\nLater, researchers noted that Void Banshee also exploited a separate MSHTML-related vulnerability, CVE-2024-43461, as a zero-day during attacks culminating in Atlantida infostealer deployments.[[BleepingComputer Void Banshee September 16 2024](/references/2c9a2355-02c5-4718-ad6e-b2fac9ad4096)]",
 "meta": {
@@ -1469,6 +1760,75 @@
 "uuid": "e740e392-98cb-428a-ab92-b0a4d1d546b7",
 "value": "Voldemort Malware Delivery Campaign"
 },
+ {
+ "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Versa Director Zero Day Exploitation\" (Campaign). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nThis object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. Further contextual details are provided via the sources in the References tab below and any associated Tags.",
+ "meta": {
+ "campaign_attack_id": "C3067",
+ "first_seen": "2024-06-12T00:00:00Z",
+ "last_seen": "2024-07-15T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "a98d7a43-f227-478e-81de-e7299639a355",
+ "712d4124-8860-488a-a780-2938f9df6313",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "553feab0-28a8-4a0f-a4a9-2aac6aa11c56",
+ "value": "Volt Typhoon Versa Director Zero-Day Exploitation (CVE-2024-39717) (Deprecated)"
+ },
+ {
+ "description": "[Pikabot](https://app.tidalcyber.com/software/fb1b0624-3290-5977-abbc-bc9609b51f8d) was distributed in [Water Curupira Pikabot Distribution](https://app.tidalcyber.com/campaigns/5b6d5717-676d-5e8b-a2a3-2717c62f6450) throughout 2023 by an entity linked to BlackBasta ransomware deployment via email attachments. This activity followed the take-down of [QakBot](https://app.tidalcyber.com/software/9050b418-5ffd-481a-a30d-f9059b0871ea), with several technical overlaps and similarities with [QakBot](https://app.tidalcyber.com/software/9050b418-5ffd-481a-a30d-f9059b0871ea), indicating a possible connection. The identified activity led to the deployment of tools such as [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6), while coinciding with campaigns delivering [DarkGate](https://app.tidalcyber.com/software/39d81c48-8f7c-54cb-8fac-485598e31a55) and [IcedID](https://app.tidalcyber.com/software/7f59bb7c-5fa9-497d-9d8e-ba9349fd9433) en route to ransomware deployment.[[TrendMicro Pikabot 2024](https://app.tidalcyber.com/references/a2a22246-d49e-5847-9d20-dac64f1df3ea)]",
+ "meta": {
+ "campaign_attack_id": "C0037",
+ "first_seen": "2023-01-01T05:00:00Z",
+ "last_seen": "2023-12-01T05:00:00Z",
+ "source": "MITRE"
+ },
+ "related": [],
+ "uuid": "5b6d5717-676d-5e8b-a2a3-2717c62f6450",
+ "value": "Water Curupira Pikabot Distribution"
+ },
+ {
+ "description": "Security researchers observed adversaries using Web Distributed Authoring and Versioning (WebDAV) remote file management technology - hosted via free, development/testing-focused Cloudflare servers - to deliver various malware payloads, including AsyncRAT, XWorm, VenomRAT, and the PureLogs infostealer. One infection involved an unspecified organization in the government sector.[[Esentire July 31 2024](/references/18185ffd-8a66-4531-86de-4ba4dd9f675b)]",
+ "meta": {
+ "campaign_attack_id": "C3059",
+ "first_seen": "2024-07-01T00:00:00Z",
+ "last_seen": "2024-07-31T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "61085b71-eb19-46d8-a9e6-1ab9d2f3c08d",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "635edcc0-f8af-4b61-85ba-2589df9f3c58",
+ "value": "WebDAV Malware Delivery Activity"
+ },
+ {
+ "description": "Researchers observed a campaign that used phishing communications to trick victims into clicking links that would redirect them to compromised websites hosting a zero-day vulnerability exploit to bypass Microsoft Windows SmartScreen security technology (CVE-2024-21412). The exploit activity involved additional redirect activity, including via internet shortcut files hosted on an adversary WebDAV server. The attacks culminated in delivery of the DarkGate loader/remote access trojan.[[Trend Micro March 13 2024](/references/0574a0a7-694b-4858-b053-8f7911c8ce54)]",
+ "meta": {
+ "campaign_attack_id": "C3061",
+ "first_seen": "2024-01-15T00:00:00Z",
+ "last_seen": "2024-02-13T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "5187cea7-601f-4829-8b41-306044200b64",
+ "a98d7a43-f227-478e-81de-e7299639a355",
+ "61085b71-eb19-46d8-a9e6-1ab9d2f3c08d",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "22265193-4c7d-4edb-8e4e-727dcefd0a09",
+ "value": "Windows SmartScreen Bypass (CVE-2024-21412) DarkGate Campaign"
+ },
 {
 "description": "A suspected affiliate of the Zloader operation carried out attacks mainly affecting financial institutions. Intrusions typically came via drive-by compromise and initiallly saw the installation of the Atera software, which was then used to load Zloader, and in some cases, Ursnif.[[WeLiveSecurity April 19 2022](/references/f86845b9-03c4-446b-845f-b31b79b247ee)]",
 "meta": {
diff --git a/clusters/tidal-groups.json b/clusters/tidal-groups.json
index 344c6f0..95d15ee 100644
--- a/clusters/tidal-groups.json
+++ b/clusters/tidal-groups.json
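Review bot: The deprecated Tidal object (uuid `553feab0-28a8-4a0f-a4a9-2aac6aa11c56`) names its MITRE replacement only in free text, while the replacement added in the hunk at -1430,6 has uuid `e28a09b7-885f-5556-b56e-7ad3e0581ac0` and neither object's `related` array points at the other, so consumers that de-duplicate by uuid will keep both as distinct campaigns. The two records also disagree on dates (2024-06-12 to 2024-07-15 here versus 2024-06-01 to 2024-08-01 on the MITRE object), which is expected for a superseded entry but means anyone aggregating by `first_seen`/`last_seen` sees two overlapping Volt Typhoon campaigns. If the galaxy schema allows it, a `related` entry from the deprecated uuid to the replacement would be the cleanest fix; otherwise the description should at least quote the replacement's uuid so the link is greppable. The Water Curupira object is the only one of the four without a `tags` array, which is consistent with its `"source": "MITRE"` but worth a second look if Tidal tags are expected on all campaigns.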
@@ -58,6 +58,26 @@
 "uuid": "8567136b-f84a-45ed-8cce-46324c7da60e",
 "value": "admin@338"
 },
+ {
+ "description": "[Agrius](https://app.tidalcyber.com/groups/36c70cf2-c7d5-5926-8155-5d3a63e3e55a) is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.[[SentinelOne Agrius 2021](https://app.tidalcyber.com/references/b5b433a1-5d12-5644-894b-c42d995c9ba5)][[CheckPoint Agrius 2023](https://app.tidalcyber.com/references/b3034b5d-1fe5-5677-a2e8-9329141875d4)] Public reporting has linked [Agrius](https://app.tidalcyber.com/groups/36c70cf2-c7d5-5926-8155-5d3a63e3e55a) to Iran's Ministry of Intelligence and Security (MOIS).[[Microsoft Iran Cyber 2023](https://app.tidalcyber.com/references/08053c85-68ba-538b-b2f6-7ea0df654900)]",
+ "meta": {
+ "country": "IR",
+ "group_attack_id": "G1030",
+ "observed_countries": [
+ "IL"
+ ],
+ "observed_motivations": [
+ "Destruction"
+ ],
+ "source": "MITRE",
+ "tags": [
+ "7e7b0c67-bb85-4996-a289-da0e792d7172"
+ ]
+ },
+ "related": [],
+ "uuid": "36c70cf2-c7d5-5926-8155-5d3a63e3e55a",
+ "value": "Agrius"
+ },
 {
 "description": "[Ajax Security Team](https://app.tidalcyber.com/groups/e38bcb42-12c1-4202-a794-ec26cd830caa) is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 [Ajax Security Team](https://app.tidalcyber.com/groups/e38bcb42-12c1-4202-a794-ec26cd830caa) transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.[[FireEye Operation Saffron Rose 2013](https://app.tidalcyber.com/references/2f4c0941-d14e-4eb8-828c-f1d9a1e14a95)]",
 "meta": {
@@ -95,6 +115,8 @@
 ],
 "source": "MITRE",
 "tags": [
+ "c545270e-a6d4-4d89-af6e-d8be7219405d",
+ "b802443a-37b2-4c38-addd-75e4efb1defd",
 "fde14c10-e749-4c04-b97f-1d9fbd6e72e7",
 "0580d361-b60b-4664-9b2e-6d737e495cc1",
 "9768aada-9d63-4d46-ab9f-d41b8c8e4010",
@@ -104,7 +126,6 @@
 "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "15787198-6c8b-4f79-bf50-258d55072fee",
 "c79f7ba7-a2f2-43ff-8c78-521807ef6c92",
- "a2e000da-8181-4327-bacd-32013dbd3654",
 "5e7433ad-a894-4489-93bc-41e90da90019",
 "7e7b0c67-bb85-4996-a289-da0e792d7172",
 "562e535e-19f5-4d6c-81ed-ce2aec544f09"
@@ -351,6 +372,7 @@
 "target_categories": [
 "Aerospace",
 "Banks",
+ "Defense",
 "Education",
 "Financial Services",
 "Government",
@@ -648,6 +670,7 @@
 ],
 "source": "MITRE",
 "tags": [
+ "3b73c532-ccfc-4d66-9830-ab76ef1bc47a",
 "fe28cf32-a15c-44cf-892c-faa0360d6109",
 "6070668f-1cbd-4878-8066-c636d1d8659c",
 "d8f7e071-fbfd-46f8-b431-e241bb1513ac",
@@ -672,6 +695,7 @@
 "Manufacturing",
 "Media",
 "NGOs",
+ "Nuclear",
 "Retail",
 "Technology",
 "Transportation",
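Review bot: Tag `a2e000da-8181-4327-bacd-32013dbd3654` is removed and replaced by `c545270e-a6d4-4d89-af6e-d8be7219405d` and `b802443a-37b2-4c38-addd-75e4efb1defd` in the hunk pair at -95,6/-104,7, and the same one-to-two substitution recurs in the hunks at -1605,9, -1734,10, -1860,7, -2204,8 and -2472,7, while the hunks at -1424,6 and -1507,6 add only `b802443a-...` without a visible removal. That looks like a tag split applied by hand, so it is worth confirming that no object in the file still carries the old UUID, that both new UUIDs exist in the tag cluster, and that the objects which received only one of the two new tags were meant to (the tail of their tags arrays is outside the hunk, so the old tag may be removed there). Because every affected object's header lies outside its hunk, the group names cannot be checked from the diff; a one-line search for the old UUID across the clusters directory before merge would close the gap.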
@@ -738,6 +762,32 @@
 ],
 "source": "MITRE",
 "tags": [
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "154bd6f0-9276-4ea5-946c-d35769d3ae4b",
+ "1ee3e55f-8f28-43c4-9f01-8a1bad68bd56",
+ "082b6886-9f4a-4237-82e4-827f6bab704e",
+ "7d158419-2d50-4688-aa4f-3b68a4d30870",
+ "5c7a911d-9f28-4f13-a6aa-c7a2e2b3ca55",
+ "46404b24-e38a-4fea-981b-cac3d3020c8b",
+ "9a0df3c4-2bbf-4192-a08a-ec27d9a4c5f1",
+ "e676e31d-d1d4-4a83-afa9-acf58be4f92a",
+ "49478e42-38e9-417c-9cf9-7f2c5d41bfa8",
+ "b7ad8591-fbff-46ec-8f4a-33f569cce2f9",
+ "5ef89937-dd06-4407-91d2-61db30c75934",
+ "72d3fa15-265b-4f4c-ba77-635d8531fe69",
+ "5bd6e9f7-78e3-4a8b-8734-c8c45b61a76d",
+ "b3665c87-5cb3-414e-8910-d4ffe53371c2",
+ "d1596bb2-b947-419a-b1f0-8f38e28eae09",
+ "49a674f7-c117-422e-8057-67bdfab2de9c",
+ "a4240ea5-b7d4-40a0-afbd-76fcf2e4ebbc",
+ "f97e406e-0d4b-4927-af03-8113a720417f",
+ "1b0321d7-4d9a-4977-bd2a-092c2693b328",
+ "cccb02c5-9791-4cb4-8fe8-0c5a6aea7dcf",
+ "15b77e5c-2285-434d-9719-73c14beba8bd",
+ "7551097a-dfdd-426f-aaa2-a2916dd9b873",
+ "a32a757a-9d6b-43ca-ac4b-5f695dd0f110",
+ "1b98f09a-7d93-4abb-8f3e-1eacdb9f9871",
 "af5e9be5-b86e-47af-91dd-966a5e34a186",
 "08809fa0-61b6-4394-b103-1c4d19a5be16",
 "4a457eb3-e404-47e5-b349-8b1f743dc657",
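Review bot: The 26 tags added to this group's `tags` array are the same UUIDs that the new SVR campaign object in tidal-campaigns.json carries, minus `af5e9be5-...` and `08809fa0-...`, which already sit immediately below as context; since the array continues past the hunk, duplicates against entries further down cannot be ruled out from the diff. A uniqueness check over each object's tags array before merge would catch that, as a duplicated tag UUID is harmless to most parsers but inflates tag counts and signals a copy-paste origin. The group's header is outside the hunk, so its identity is inferred rather than visible here.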
@@ -1041,7 +1091,7 @@
 "value": "APT39"
 },
 {
- "description": "[APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b).[[FireEye APT41 Aug 2019](https://app.tidalcyber.com/references/20f8e252-0a95-4ebd-857c-d05b0cde0904)][[Group IB APT 41 June 2021](https://app.tidalcyber.com/references/a2bf43a0-c7da-4cb9-8f9a-b34fac92b625)]\n",
+ "description": "[APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[[apt41_mandiant](https://app.tidalcyber.com/references/599f4411-6829-5a2d-865c-ac59e80afe83)] Notable behaviors include using a wide range of malware and tools to complete mission objectives. [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b).[[FireEye APT41 Aug 2019](https://app.tidalcyber.com/references/20f8e252-0a95-4ebd-857c-d05b0cde0904)][[Group IB APT 41 June 2021](https://app.tidalcyber.com/references/a2bf43a0-c7da-4cb9-8f9a-b34fac92b625)]\n",
 "meta": {
 "country": "CN",
 "group_attack_id": "G0096",
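Review bot: The new citation label `[[apt41_mandiant](...)]` in the APT41 description breaks the "Vendor Topic Month Year" naming used by every other reference on the page (e.g. `FireEye APT41 Aug 2019`, `Group IB APT 41 June 2021`), which reads like an unrenamed source key leaking through; if the reference object's title permits, something like `[[Mandiant APT41](https://app.tidalcyber.com/references/599f4411-6829-5a2d-865c-ac59e80afe83)]` would keep labels uniform for anyone rendering them. The rewritten first sentence also still lacks an article: `assessed as a Chinese state-sponsored espionage group`. The trailing `\n` inside the description string is preserved from the old text and is inconsistent with the other descriptions, which end without one.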
@@ -1167,8 +1217,23 @@
 {
 "description": "[APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. [APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[[NSA APT5 Citrix Threat Hunting December 2022](https://app.tidalcyber.com/references/916e2137-46e6-53c2-a917-5b5b5c4bae3a)][[Microsoft East Asia Threats September 2023](https://app.tidalcyber.com/references/31f2c61e-cefe-5df7-9c2b-780bf03c88ec)][[Mandiant Pulse Secure Zero-Day April 2021](https://app.tidalcyber.com/references/0760480c-97be-5fc9-a6aa-f1df91a314a3)][[Mandiant Pulse Secure Update May 2021](https://app.tidalcyber.com/references/5620adaf-c2a7-5f0f-ae70-554ce720426e)][[FireEye Southeast Asia Threat Landscape March 2015](https://app.tidalcyber.com/references/59658f8b-af24-5df5-8f7d-cb6b9cf7579e)][[Mandiant Advanced Persistent Threats](https://app.tidalcyber.com/references/2d16615b-09fc-5925-8f59-6d20f334d236)] ",
 "meta": {
+ "country": "CN",
 "group_attack_id": "G1023",
- "source": "MITRE"
+ "observed_countries": [
+ "US"
+ ],
+ "observed_motivations": [
+ "Cyber Espionage"
+ ],
+ "source": "MITRE",
+ "target_categories": [
+ "Aerospace",
+ "Defense",
+ "High Tech",
+ "Manufacturing",
+ "Technology",
+ "Telecommunications"
+ ]
 },
 "related": [],
 "uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
@@ -1230,6 +1295,9 @@
 "Cyber Espionage"
 ],
 "source": "MITRE",
+ "tags": [
+ "3b73c532-ccfc-4d66-9830-ab76ef1bc47a"
+ ],
 "target_categories": [
 "Government",
 "Technology",
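Review bot: The new APT5 metadata sets `"observed_countries": ["US"]` while the unchanged description says the group targets "throughout the U.S., Europe, and Asia", so a consumer filtering on the structured field will see a narrower picture than the text gives; either add the European and Asian entries the description supports or leave the field out rather than publish a partial list. The new `target_categories` also carries both `"High Tech"` and `"Technology"`, which look like overlapping categories unless the taxonomy distinguishes them; the hunk at -2086,10 for CURIUM uses only `"Technology"`, so one of the two is probably a stray. The second hunk at -1230,6 only adds a tag to an object whose header is outside the hunk.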
@@ -1364,7 +1432,10 @@
 "observed_motivations": [
 "Cyber Espionage"
 ],
- "source": "MITRE"
+ "source": "MITRE",
+ "tags": [
+ "3b73c532-ccfc-4d66-9830-ab76ef1bc47a"
+ ]
 },
 "related": [],
 "uuid": "3a02aa1b-851a-43e1-b83b-58037f3c7025",
@@ -1424,6 +1495,7 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "b802443a-37b2-4c38-addd-75e4efb1defd",
 "89c5b94b-ecf4-4d53-9b74-3465086d4565",
 "d903e38b-600d-4736-9e3b-cf1a6e436481",
 "e551ae97-d1b4-484e-9267-89f33829ec2c",
@@ -1507,6 +1579,7 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "b802443a-37b2-4c38-addd-75e4efb1defd",
 "c475ad68-3fdc-4725-8abc-784c56125e96",
 "562e535e-19f5-4d6c-81ed-ce2aec544f09",
 "e499005b-adba-45bb-85e3-07043fd9edf9",
@@ -1605,9 +1678,10 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "c545270e-a6d4-4d89-af6e-d8be7219405d",
+ "b802443a-37b2-4c38-addd-75e4efb1defd",
 "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "15787198-6c8b-4f79-bf50-258d55072fee",
- "a2e000da-8181-4327-bacd-32013dbd3654",
 "5e7433ad-a894-4489-93bc-41e90da90019",
 "7e7b0c67-bb85-4996-a289-da0e792d7172"
 ],
@@ -1734,10 +1808,11 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "c545270e-a6d4-4d89-af6e-d8be7219405d",
+ "b802443a-37b2-4c38-addd-75e4efb1defd",
 "0bcc4824-7e68-4aac-b883-935e62b5be39",
 "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
 "3b615816-3403-46a4-bd7e-f7a723fc56da",
- "a2e000da-8181-4327-bacd-32013dbd3654",
 "562e535e-19f5-4d6c-81ed-ce2aec544f09",
 "5e7433ad-a894-4489-93bc-41e90da90019",
 "7e7b0c67-bb85-4996-a289-da0e792d7172",
@@ -1805,7 +1880,7 @@
 {
 "description": "Charcoal Stork is a threat actor believed to provide content used to fuel malvertising and search engine optimization (SEO) operations, which affiliates ultimately use to deliver malware to victim systems. Charcoal Stork is thought to be financially motivated, operating on a pay-per-install basis.[[Red Canary March 18 2024](/references/a86131cd-1a42-4222-9d39-221dd6e054ba)]",
 "meta": {
- "group_attack_id": "G5022",
+ "group_attack_id": "G3055",
 "observed_motivations": [
 "Financial Gain"
 ],
@@ -1860,7 +1935,8 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
- "a2e000da-8181-4327-bacd-32013dbd3654",
+ "c545270e-a6d4-4d89-af6e-d8be7219405d",
+ "b802443a-37b2-4c38-addd-75e4efb1defd",
 "562e535e-19f5-4d6c-81ed-ce2aec544f09",
 "5e7433ad-a894-4489-93bc-41e90da90019",
 "7e7b0c67-bb85-4996-a289-da0e792d7172",
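Review bot: Changing Charcoal Stork's `group_attack_id` from `G5022` to `G3055` is an identifier change, so any downstream consumer that keys on the attack id rather than the uuid will now see the old value vanish and a new one appear with no link between them. It is worth confirming that `G3055` is not already assigned to another group in the file and that nothing else in the repository (campaign objects, tag descriptions, tests) still references `G5022`; if the old id was ever published, recording it in the description or as a synonym would let users reconcile the two. The `value` and `uuid` of the object lie outside the hunk, so the object is identified here only by its description text.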
@@ -2086,10 +2162,25 @@
 "value": "Cuba Ransomware Actors"
 },
 {
- "description": "[CURIUM](https://app.tidalcyber.com/groups/ab15a328-c41e-5701-993f-3cab29ac4544) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://app.tidalcyber.com/groups/ab15a328-c41e-5701-993f-3cab29ac4544) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.[[Microsoft Iranian Threat Actor Trends November 2021](https://app.tidalcyber.com/references/78d39ee7-1cd5-5cb8-844a-1c3649e367a1)]",
+ "description": "[CURIUM](https://app.tidalcyber.com/groups/ab15a328-c41e-5701-993f-3cab29ac4544) is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East.[[Symantec Tortoiseshell 2019](https://app.tidalcyber.com/references/2565fe82-5082-5032-8424-03ce7ccb1936)] [CURIUM](https://app.tidalcyber.com/groups/ab15a328-c41e-5701-993f-3cab29ac4544) has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://app.tidalcyber.com/groups/ab15a328-c41e-5701-993f-3cab29ac4544) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.[[Microsoft Iranian Threat Actor Trends November 2021](https://app.tidalcyber.com/references/78d39ee7-1cd5-5cb8-844a-1c3649e367a1)]",
 "meta": {
+ "country": "IR",
 "group_attack_id": "G1012",
- "source": "MITRE"
+ "observed_countries": [
+ "US"
+ ],
+ "observed_motivations": [
+ "Cyber Espionage"
+ ],
+ "source": "MITRE",
+ "target_categories": [
+ "Aerospace",
+ "Automotive",
+ "Defense",
+ "Energy",
+ "Maritime",
+ "Technology"
+ ]
 },
 "related": [],
 "uuid": "ab15a328-c41e-5701-993f-3cab29ac4544",
@@ -2144,6 +2235,7 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "3b73c532-ccfc-4d66-9830-ab76ef1bc47a",
 "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647",
 "841ce707-a678-4bcf-86ff-7feeacd37e55",
 "15787198-6c8b-4f79-bf50-258d55072fee"
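Review bot: The rewritten CURIUM description says the group targets "IT service providers in the Middle East", yet the newly added `"observed_countries": ["US"]` lists only the United States and the new `target_categories` has no IT-services entry (only `"Technology"`), so the structured metadata and the prose now contradict each other on both geography and sector. Either the metadata should carry the Middle East targeting the Symantec reference supports, or the description should be reconciled with what the categories and countries actually reflect; as written a consumer filtering on `observed_countries` would never surface this group for the region the text emphasises. The second hunk at -2144,6 only adds a tag to an object whose header is outside the hunk.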
@@ -2187,6 +2279,28 @@ "uuid": "42a7c134-c574-430b-8105-bf7a00e742ae", "value": "Cyber Toufan" }, + { + "description": "[Daggerfly](https://app.tidalcyber.com/groups/f0dab388-1641-50aa-b0b2-6bdb816e0490) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://app.tidalcyber.com/groups/f0dab388-1641-50aa-b0b2-6bdb816e0490) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. [Daggerfly](https://app.tidalcyber.com/groups/f0dab388-1641-50aa-b0b2-6bdb816e0490) is associated with exclusive use of [MgBot](https://app.tidalcyber.com/software/df390ec3-6557-524d-8a89-3fceff24ca96) malware and is noted for several potential supply chain infection campaigns.[[Symantec Daggerfly 2023](https://app.tidalcyber.com/references/cb0a51f5-fe5b-5dd0-8f55-4e7536cb61a4)][[ESET EvasivePanda 2023](https://app.tidalcyber.com/references/08026c7e-cc35-5d51-9536-a02febd1a891)][[Symantec Daggerfly 2024](https://app.tidalcyber.com/references/1dadd09e-e7b0-50a1-ba3d-413780dbeb80)][[ESET EvasivePanda 2024](https://app.tidalcyber.com/references/07e6b866-7119-50ad-8a6e-80c4e0d594bf)]", + "meta": { + "country": "CN", + "group_attack_id": "G1034", + "observed_motivations": [ + "Cyber Espionage" + ], + "source": "MITRE", + "tags": [ + "f2ae2283-f94d-4f8f-bbde-43f2bed66c55" + ], + "target_categories": [ + "Government", + "NGOs", + "Telecommunications" + ] + }, + "related": [], + "uuid": "f0dab388-1641-50aa-b0b2-6bdb816e0490", + "value": "Daggerfly" + }, { "description": "Daixin Team is a ransomware- and data extortion-focused threat group first observed in mid-2022. Daixin Team is known to publicly extort its victims to pressure them into paying a ransom. 
It has used ransomware (believed to be based on the leaked source code for Babuk Locker) to encrypt victim data and has also exfiltrated sensitive data from victim environments and threatened to publicly leak that data.\n\nMany of Daixin Team’s victims belong to critical infrastructure sectors, especially the Healthcare and Public Health (“HPH”) sector. An October 2022 joint Cybersecurity Advisory noted Daixin Team attacks on multiple U.S. HPH organizations.[[U.S. CISA Daixin Team October 2022](/references/cbf5ecfb-de79-41cc-8250-01790ff6e89b)] Alleged victims referenced on the threat group’s extortion website belong to the healthcare, utilities, transportation (airline), automobile manufacturing, information technology, retail, and media sectors in the United States, Europe, and Asia.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]", "meta": { @@ -2204,8 +2318,9 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "c545270e-a6d4-4d89-af6e-d8be7219405d", + "b802443a-37b2-4c38-addd-75e4efb1defd", "15787198-6c8b-4f79-bf50-258d55072fee", - "a2e000da-8181-4327-bacd-32013dbd3654", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], @@ -2393,6 +2508,7 @@ "target_categories": [ "Energy", "Government", + "Nuclear", "Travel Services" ] }, @@ -2472,7 +2588,8 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ - "a2e000da-8181-4327-bacd-32013dbd3654", + "c545270e-a6d4-4d89-af6e-d8be7219405d", + "b802443a-37b2-4c38-addd-75e4efb1defd", "5e7433ad-a894-4489-93bc-41e90da90019", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "7e7b0c67-bb85-4996-a289-da0e792d7172", 
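Review bot: The new Daggerfly object has `target_categories` but no `observed_countries`, even though its description names Asia and Africa as the targeted regions and the other MITRE-sourced objects added in this patch (HEXANE, INC Ransom, RedCurl) do populate that array, so region-based pivots will silently miss this group. Fill `"observed_countries"` from the four cited Symantec/ESET reports, or state in the description that country-level victimology is not yet captured. The description's mention of targeted individuals and of "several potential supply chain infection campaigns" also has no metadata counterpart; if the file has a supply-chain tag in its vocabulary, this is the object that should carry it.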
@@ -2489,7 +2606,7 @@ "value": "Eldorado Ransomware Operators" }, { - "description": "[Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) has primarily focused their operations against Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. Security researchers assess [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) likely conducted the [WhisperGate](https://app.tidalcyber.com/software/791f0afd-c2c4-4e23-8aee-1d14462667f5) destructive wiper attacks against Ukraine in early 2022.[[CrowdStrike Ember Bear Profile March 2022](https://app.tidalcyber.com/references/0639c340-b495-4d91-8418-3069f3fe0df1)][[Mandiant UNC2589 March 2022](https://app.tidalcyber.com/references/63d89139-9dd4-4ed6-bf6e-8cd872c5d034)][[Palo Alto Unit 42 OutSteel SaintBot February 2022 ](https://app.tidalcyber.com/references/b0632490-76be-4018-982d-4b73b3d13881)] ", + "description": "[Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).[[CISA GRU29155 2024](https://app.tidalcyber.com/references/c4dba764-d864-59bf-a80d-f1263bc904e4)] [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.[[Cadet Blizzard emerges as novel threat 
actor](https://app.tidalcyber.com/references/7180c6a7-e6ea-54bf-bcd7-c5238bbc5f5b)] [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) conducted the [WhisperGate](https://app.tidalcyber.com/software/791f0afd-c2c4-4e23-8aee-1d14462667f5) destructive wiper attacks against Ukraine in early 2022.[[CrowdStrike Ember Bear Profile March 2022](https://app.tidalcyber.com/references/0639c340-b495-4d91-8418-3069f3fe0df1)][[Mandiant UNC2589 March 2022](https://app.tidalcyber.com/references/63d89139-9dd4-4ed6-bf6e-8cd872c5d034)][[CISA GRU29155 2024](https://app.tidalcyber.com/references/c4dba764-d864-59bf-a80d-f1263bc904e4)] There is some confusion as to whether [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) overlaps with another Russian-linked entity referred to as [Saint Bear](https://app.tidalcyber.com/groups/eb64ce69-f106-5e8e-8efd-a29385a05973). At present available evidence strongly suggests these are distinct activities with different behavioral profiles.[[Cadet Blizzard emerges as novel threat actor](https://app.tidalcyber.com/references/7180c6a7-e6ea-54bf-bcd7-c5238bbc5f5b)][[Palo Alto Unit 42 OutSteel SaintBot February 2022 ](https://app.tidalcyber.com/references/b0632490-76be-4018-982d-4b73b3d13881)]", "meta": { "group_attack_id": "G1003", "source": "MITRE" @@ -3094,6 +3211,15 @@ "f2ae2283-f94d-4f8f-bbde-43f2bed66c55", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" + ], + "target_categories": [ + "Defense", + "Energy", + "Government", + "Manufacturing", + "Nuclear", + "Transportation", + "Utilities" ] }, "related": [], 
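Review bot: The description is upgraded from "suspected" to a definitive GRU Unit 29155 attribution, but the `meta` block still carries only `group_attack_id` and `source`: no `"country": "RU"`, no `observed_countries`, no `observed_motivations`. The Saint Bear object added elsewhere in this patch, which this very description says is distinct from Ember Bear, does carry `"country": "RU"` and `"observed_countries": ["GE", "UA"]`, so a consumer filtering on country will find Saint Bear and miss the group with the firmer attribution. Suggest adding `"country": "RU",`, `"observed_motivations": ["Cyber Espionage"],` and at least `"observed_countries": ["UA"]` per the description's own text. The meta block closes outside the hunk.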
@@ -3152,6 +3278,23 @@ "uuid": "fcc6d937-8cd6-4f2c-adb8-48caedbde70a", "value": "Group5" }, + { + "description": "According to Resecurity researchers, GXC Team is a cybercriminal actor group that specializes in the development of tools used for financial fraud and theft. The group's leader operates and advertises these tools for sale on dark web forums under the alias \"googleXcoder\".[[Resecurity GXC Team January 3 2024](/references/6d55aa2c-3f52-4bff-8003-f78b386a4952)]", + "meta": { + "group_attack_id": "G3061", + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "3b73c532-ccfc-4d66-9830-ab76ef1bc47a" + ] + }, + "related": [], + "uuid": "78b09333-76ea-4239-a03d-d601a8032e8e", + "value": "GXC Team" + }, { "description": "H0lyGh0st is a North Korea-based ransomware-focused threat actor group.[[H0lyGh0st - North Korean Threat Group Strikes Back With New Ransomware](/references/3f66ef62-ac0d-4ece-9a4b-917ae70f1617)]", "meta": { 
@@ -3199,10 +3342,29 @@ { "description": "[HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735)'s TTPs appear similar to [APT33](https://app.tidalcyber.com/groups/99bbbe25-45af-492f-a7ff-7cbc57828bac) and [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2) but due to differences in victims and tools it is tracked as a separate entity.[[Dragos Hexane](https://app.tidalcyber.com/references/11838e67-5032-4352-ad1f-81ba0398a14f)][[Kaspersky Lyceum October 2021](https://app.tidalcyber.com/references/b3d13a82-c24e-4b47-b47a-7221ad449859)][[ClearSky Siamesekitten August 2021](https://app.tidalcyber.com/references/9485efce-8d54-4461-b64e-0d15e31fbf8c)][[Accenture Lyceum Targets November 2021](https://app.tidalcyber.com/references/127836ce-e459-405d-a75c-32fd5f0ab198)]", "meta": { + "country": "IR", "group_attack_id": "G1001", + "observed_countries": [ + "AL", + "IL", + "KW", + "MA", + "SA", + "TN" + ], + "observed_motivations": [ + "Cyber Espionage" + ], "source": "MITRE", "tags": [ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647" + ], + "target_categories": [ + "Aerospace", + "Energy", + "Government", + "Telecommunications", + "Transportation" ] }, "related": [], @@ -3246,6 +3408,7 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "b802443a-37b2-4c38-addd-75e4efb1defd", "d903e38b-600d-4736-9e3b-cf1a6e436481", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", 
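Review bot: `observed_countries` for HEXANE adds `"AL"`, which is the ISO 3166-1 code for Albania, but the description lists only Israel, Saudi Arabia, Kuwait, Morocco and Tunisia in the Middle East and Africa, and those five already map to the `IL`, `SA`, `KW`, `MA`, `TN` entries present, so Albania is unsupported by the text and may be a mistyped code. Check the cited Dragos/Kaspersky/ClearSky/Accenture reports for a documented Albanian victim; if none, remove `"AL"`, and if there is one, add it to the description so narrative and metadata agree. Also note the description says "aviation" where the category array says `"Aerospace"` — fine if that is the file's vocabulary, but worth keeping consistent with how other objects encode airlines.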
@@ -3313,6 +3476,50 @@ "uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6", "value": "Inception" }, + { + "description": "[INC Ransom](https://app.tidalcyber.com/groups/8957f42d-a069-542b-bce6-3059a2fa0f2e) is a ransomware and data extortion threat group associated with the deployment of [INC Ransomware](https://app.tidalcyber.com/software/814df4bb-4f5a-5097-af8b-85622a4803ba) that has been active since at least July 2023. [INC Ransom](https://app.tidalcyber.com/groups/8957f42d-a069-542b-bce6-3059a2fa0f2e) has targeted organizations worldwide most commonly in the industrial, healthcare, and education sectors in the US and Europe.[[Bleeping Computer INC Ransomware March 2024](https://app.tidalcyber.com/references/fbfd6be8-acc7-5ed4-b2b7-9248c2c27682)][[Cybereason INC Ransomware November 2023](https://app.tidalcyber.com/references/ebe119d6-add3-5a1b-8e5f-b6419f246ba9)][[Secureworks GOLD IONIC April 2024](https://app.tidalcyber.com/references/e723e7b3-496f-5ab4-abaf-83859e7e912d)][[SentinelOne INC Ransomware](https://app.tidalcyber.com/references/5f82878b-2258-5663-8694-efc3179c1849)]", + "meta": { + "group_attack_id": "G1032", + "observed_countries": [ + "US" + ], + "observed_motivations": [ + "Financial Gain" + ], + "source": "MITRE", + "tags": [ + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172" + ], + "target_categories": [ + "Education", + "Healthcare" + ] + }, + "related": [], + "uuid": "8957f42d-a069-542b-bce6-3059a2fa0f2e", + "value": "INC Ransom" + }, + { + "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"INC Ransom\" (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nINC is a ransomware operation that emerged in July 2023. 
Operators of INC ransomware typically publicly extort their victims.[[SentinelOne September 21 2023](/references/7e793738-c132-47bf-90aa-1f0659564d16)]", + "meta": { + "group_attack_id": "G3058", + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "2cc28cf9-d030-4609-acdc-0b0429580bb4", + "value": "INC Ransomware Actors (Deprecated)" + }, { "description": "[IndigoZebra](https://app.tidalcyber.com/groups/988f5312-834e-48ea-93b7-e6e01ee0938d) is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.[[HackerNews IndigoZebra July 2021](https://app.tidalcyber.com/references/fcf8265a-3084-4162-87d0-9e77c0a5cff0)][[Checkpoint IndigoZebra July 2021](https://app.tidalcyber.com/references/cf4a8c8c-eab1-421f-b313-344aed03b42d)][[Securelist APT Trends Q2 2017](https://app.tidalcyber.com/references/fe28042c-d289-463f-9ece-1a75a70b966e)]", "meta": { @@ -3349,6 +3556,9 @@ ], "source": "MITRE", "tags": [ + "3b73c532-ccfc-4d66-9830-ab76ef1bc47a", + "47365c8b-5db8-4d3a-9eb9-d49c8df1a90e", + "b802443a-37b2-4c38-addd-75e4efb1defd", "c9c73000-30a5-4a16-8c8b-79169f9c24aa", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" 
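Review bot: The new MITRE-sourced INC Ransom object's `target_categories` lists only `"Education"` and `"Healthcare"` although its description names the industrial sector first, and `observed_countries` holds only `"US"` while the description says US and Europe, so the metadata undercounts what the text claims. Add `"Manufacturing"` (or whatever label this file uses for industrial victims) and the European countries the cited Bleeping Computer/Cybereason/Secureworks/SentinelOne reports support. The deprecated Tidal object states that all Tidal content extensions were migrated, yet its tags `c6e1f516-1a18-4ff9-b563-e6ac8103b104` and `2feda37d-5579-4102-a073-aa02e82cb49f` are absent from the new object; if they were dropped deliberately, say so in the deprecation sentence, otherwise carry them over.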
@@ -3464,7 +3674,7 @@ "value": "Killnet" }, { - "description": "[Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. [Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.[[EST Kimsuky April 2019](https://app.tidalcyber.com/references/8e52db6b-5ac3-448a-93f6-96a21787a346)][[BRI Kimsuky April 2019](https://app.tidalcyber.com/references/b72dd3a1-62ca-4a05-96a8-c4bddb17db50)][[Cybereason Kimsuky November 2020](https://app.tidalcyber.com/references/ecc2f5ad-b2a8-470b-b919-cb184d12d00f)][[Malwarebytes Kimsuky June 2021](https://app.tidalcyber.com/references/9a497c56-f1d3-4889-8c1a-14b013f14668)][[CISA AA20-301A Kimsuky](https://app.tidalcyber.com/references/685aa213-7902-46fb-b90a-64be5c851f73)]\n\n[Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. 
compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[[Netscout Stolen Pencil Dec 2018](https://app.tidalcyber.com/references/6d3b31da-a784-4da0-91dd-b72c04fd520a)][[EST Kimsuky SmokeScreen April 2019](https://app.tidalcyber.com/references/15213a3c-1e9f-47fa-9864-8ef2707c7fb6)][[AhnLab Kimsuky Kabar Cobra Feb 2019](https://app.tidalcyber.com/references/4035e871-9291-4d7f-9c5f-d8482d4dc8a7)]\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups.", + "description": "[Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the UN and the government, education, business services, and manufacturing sectors in the United States, Japan, Russia, and Europe. [Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions. 
[Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) operations have overlapped with those of other North Korean cyber espionage actors likely as a result of ad hoc collaborations or other limited resource sharing.[[EST Kimsuky April 2019](https://app.tidalcyber.com/references/8e52db6b-5ac3-448a-93f6-96a21787a346)][[Cybereason Kimsuky November 2020](https://app.tidalcyber.com/references/ecc2f5ad-b2a8-470b-b919-cb184d12d00f)][[Malwarebytes Kimsuky June 2021](https://app.tidalcyber.com/references/9a497c56-f1d3-4889-8c1a-14b013f14668)][[CISA AA20-301A Kimsuky](https://app.tidalcyber.com/references/685aa213-7902-46fb-b90a-64be5c851f73)][[Mandiant APT43 March 2024](https://app.tidalcyber.com/references/8ac3fd0a-4a93-5262-9ac2-f676c5d11fda)][[Proofpoint TA427 April 2024](https://app.tidalcyber.com/references/620f5ff7-26c0-55c4-9b1b-c56ad2e1316b)]\n\n[Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[[Netscout Stolen Pencil Dec 2018](https://app.tidalcyber.com/references/6d3b31da-a784-4da0-91dd-b72c04fd520a)][[EST Kimsuky SmokeScreen April 2019](https://app.tidalcyber.com/references/15213a3c-1e9f-47fa-9864-8ef2707c7fb6)][[AhnLab Kimsuky Kabar Cobra Feb 2019](https://app.tidalcyber.com/references/4035e871-9291-4d7f-9c5f-d8482d4dc8a7)]\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups.", "meta": { "country": "KP", "group_attack_id": "G0094", 
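Review bot: The rewritten description adds Japan and the education, business services and manufacturing sectors, and silently drops the `BRI Kimsuky April 2019` citation, but this hunk changes only the description string; the `observed_countries` and `target_categories` arrays that should reflect Japan and manufacturing are outside it, and the later edit to `target_categories` in this patch adds only `"Nuclear"`. Confirm `"JP"` is present in `observed_countries` and consider adding `"Manufacturing"` so the arrays match the text. Citation removals are not otherwise traceable in a data file like this, so either keep the BRI reference or note in the commit why it no longer supports the first paragraph. The meta block continues outside the hunk.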
@@ -3480,6 +3690,9 @@ "Cyber Espionage" ], "source": "MITRE", + "tags": [ + "3b73c532-ccfc-4d66-9830-ab76ef1bc47a" + ], "target_categories": [ "Defense", "Education", @@ -3487,6 +3700,7 @@ "Government", "Media", "NGOs", + "Nuclear", "Pharmaceuticals", "Think Tanks" ] @@ -3501,10 +3715,11 @@ "group_attack_id": "G1004", "source": "MITRE", "tags": [ + "c545270e-a6d4-4d89-af6e-d8be7219405d", + "b802443a-37b2-4c38-addd-75e4efb1defd", "fe28cf32-a15c-44cf-892c-faa0360d6109", "2e5f6e4a-4579-46f7-9997-6923180815dd", "c9c73000-30a5-4a16-8c8b-79169f9c24aa", - "a2e000da-8181-4327-bacd-32013dbd3654", "5e7433ad-a894-4489-93bc-41e90da90019" ] }, @@ -3532,6 +3747,9 @@ ], "source": "MITRE", "tags": [ + "a38ef717-4427-4aa0-9666-bb97c6ff45f3", + "b9c973c9-062d-4cbd-8bfe-98d0b4e547eb", + "a98d7a43-f227-478e-81de-e7299639a355", "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "f2ae2283-f94d-4f8f-bbde-43f2bed66c55" ], @@ -3542,7 +3760,8 @@ "Entertainment", "Financial Services", "Government", - "Infrastructure" + "Infrastructure", + "Nuclear" ] }, "related": [], @@ -3708,6 +3927,7 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "b802443a-37b2-4c38-addd-75e4efb1defd", "64d3f7d8-30b7-4b03-bee2-a6029672216c", "375983b3-6e87-4281-99e2-1561519dd17b", "3ed2343c-a29c-42e2-8259-410381164c6a", @@ -3773,6 +3993,7 @@ { "description": "[Lotus Blossom](https://app.tidalcyber.com/groups/2849455a-cf39-4a9f-bd89-c2b3c1e5dd52) is a threat group that has targeted government and military organizations in Southeast Asia. [[Lotus Blossom Jun 2015](https://app.tidalcyber.com/references/46fdb8ca-b14d-43bd-a20f-cae7b26e56c6)]", "meta": { + "country": "CN", "group_attack_id": "G0030", "observed_countries": [ "HK", 
@@ -4189,7 +4410,28 @@ "value": "Molerats" }, { - "description": "Moonstone Sleet is a North Korea state-aligned threat actor group that has targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, for both financial gain and espionage purposes. The group is believed to be well-resourced, capable of conducting multiple distinct campaigns simultaneously. Microsoft security researchers assess that Moonstone Sleet has expanded its capabilities, with possible goals of enabling disruptive operations and/or software supply chain attacks.[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]", + "description": "[Moonstone Sleet](https://app.tidalcyber.com/groups/33a5fa48-89ee-5c0b-9c9c-e0ee69032fca) is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08), but has differentiated its tradecraft since 2023. 
[Moonstone Sleet](https://app.tidalcyber.com/groups/33a5fa48-89ee-5c0b-9c9c-e0ee69032fca) is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.[[Microsoft Moonstone Sleet 2024](https://app.tidalcyber.com/references/b9ee14c9-75fe-552e-81b5-a1fd5aa916d7)]", + "meta": { + "country": "KP", + "group_attack_id": "G1036", + "observed_motivations": [ + "Cyber Espionage", + "Financial Gain" + ], + "source": "MITRE", + "target_categories": [ + "Aerospace", + "Defense", + "Education", + "Technology" + ] + }, + "related": [], + "uuid": "33a5fa48-89ee-5c0b-9c9c-e0ee69032fca", + "value": "Moonstone Sleet" + }, + { + "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Moonstone Sleet\" (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nMoonstone Sleet is a North Korea state-aligned threat actor group that has targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, for both financial gain and espionage purposes. The group is believed to be well-resourced, capable of conducting multiple distinct campaigns simultaneously. Microsoft security researchers assess that Moonstone Sleet has expanded its capabilities, with possible goals of enabling disruptive operations and/or software supply chain attacks.[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]", "meta": { "country": "KP", "group_attack_id": "G3039", 
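Review bot: The new Moonstone Sleet object's `target_categories` includes `"Aerospace"`, which neither the new description nor the deprecated Tidal description (software, IT, education, defense industrial base) supports, and the new description drops the deprecated object's assessment that the group may be building toward disruptive operations and software supply chain attacks, a point defenders act on and one the deprecation sentence claims was migrated. Verify `"Aerospace"` against the cited Microsoft report and remove it if it is not there (`"Technology"` already covers the software/IT victims), and carry the supply-chain assessment into the new description with its Microsoft reference, or soften the "all relevant Tidal content extensions have been added" claim on the deprecated object. No `observed_countries` is given either, unlike the sibling objects in this patch.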
@@ -4212,7 +4454,7 @@ }, "related": [], "uuid": "3b8a2c50-5d8e-49b4-bd50-10ae66ca6c72", - "value": "Moonstone Sleet" + "value": "Moonstone Sleet (Deprecated)" }, { "description": "[Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. [Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.[[Checkpoint MosesStaff Nov 2021](https://app.tidalcyber.com/references/d6da2849-cff0-408a-9f09-81a33fc88a56)] \n\nSecurity researchers assess [Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.[[Cybereason StrifeWater Feb 2022](https://app.tidalcyber.com/references/30c911b2-9a5e-4510-a78c-c65e84398c7e)]", 
@@ -4637,7 +4879,60 @@ "value": "PLATINUM" }, { - "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nPlay is a ransomware operation first observed in mid-2022. Security researchers have observed filename, filepath, and TTP overlaps between Play and Hive and Nokoyawa ransomwares, which themselves are believed to be linked.[[Trend Micro Play Playbook September 06 2022](/references/2d2b527d-25b0-4b58-9ae6-c87060b64069)] According to publicly available ransomware extortion threat data, Play has claimed more than 300 victims from a wide range of sectors on its data leak site since December 2022.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.play\n\n**PulseDive (IOCs)**: https://pulsedive.com/threat/PlayCrypt", + "description": "[Play](https://app.tidalcyber.com/groups/60f686d0-ae3d-5662-af32-119217dee2a7) is a ransomware group that has been active since at least 2022 deploying [Playcrypt](https://app.tidalcyber.com/software/2d3d6034-21f7-5211-ab8a-338dada7082f) ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. 
[Play](https://app.tidalcyber.com/groups/60f686d0-ae3d-5662-af32-119217dee2a7) actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.[[CISA Play Ransomware Advisory December 2023](https://app.tidalcyber.com/references/b47f5430-25d4-5502-9219-674daed4e2c5)][[Trend Micro Ransomware Spotlight Play July 2023](https://app.tidalcyber.com/references/399eac4c-5638-595c-9ee6-997dcd2d47c3)]", + "meta": { + "group_attack_id": "G1040", + "observed_countries": [ + "AR", + "BE", + "CA", + "CZ", + "FR", + "DE", + "IT", + "KR", + "NO", + "SE", + "AE", + "GB", + "US", + "VE" + ], + "observed_motivations": [ + "Financial Gain" + ], + "source": "MITRE", + "tags": [ + "17864218-bc4f-4564-8abf-97c988eea9f7", + "b6458e46-650e-4e96-8e68-8a9d70bcf045", + "bac51672-8240-4182-9087-23626023e509", + "89c5b94b-ecf4-4d53-9b74-3465086d4565", + "b802443a-37b2-4c38-addd-75e4efb1defd", + "c545270e-a6d4-4d89-af6e-d8be7219405d", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172" + ], + "target_categories": [ + "Automotive", + "Construction", + "Energy", + "Financial Services", + "Government", + "Legal", + "Media", + "Non Profit", + "Retail", + "Technology", + "Transportation" + ] + }, + "related": [], + "uuid": "60f686d0-ae3d-5662-af32-119217dee2a7", + "value": "Play" + }, + { + "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Play\" (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\n*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. 
Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nPlay is a ransomware operation first observed in mid-2022. Security researchers have observed filename, filepath, and TTP overlaps between Play and Hive and Nokoyawa ransomwares, which themselves are believed to be linked.[[Trend Micro Play Playbook September 06 2022](/references/2d2b527d-25b0-4b58-9ae6-c87060b64069)] According to publicly available ransomware extortion threat data, Play has claimed more than 300 victims from a wide range of sectors on its data leak site since December 2022.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.play\n\n**PulseDive (IOCs)**: https://pulsedive.com/threat/PlayCrypt", "meta": { "group_attack_id": "G3016", "observed_countries": [ @@ -4662,7 +4957,8 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ - "a2e000da-8181-4327-bacd-32013dbd3654", + "c545270e-a6d4-4d89-af6e-d8be7219405d", + "b802443a-37b2-4c38-addd-75e4efb1defd", "89c5b94b-ecf4-4d53-9b74-3465086d4565", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", 
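Review bot: `target_categories` for the new Play object omits `"Healthcare"` even though its description explicitly lists healthcare among the sectors hit, and it uses `"Non Profit"` where other objects in this same patch (Daggerfly, Kimsuky) use `"NGOs"` for the same idea, which splits one category across two labels for anyone faceting on it. Add `"Healthcare",` to the array and settle on one of the two labels file-wide. The deprecated Tidal object beneath it keeps the Malpedia (`win.play`) and PulseDive pointers that the new object lacks; since the deprecation sentence says extensions were migrated, consider carrying at least the Malpedia link into the new description.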
@@ -4688,7 +4984,7 @@ }, "related": [], "uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", - "value": "Play Ransomware Actors" + "value": "Play Ransomware Actors (Deprecated)" }, { "description": "[POLONIUM](https://app.tidalcyber.com/groups/7fbd7514-76e9-4696-8c66-9f95546e3315) is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess [POLONIUM](https://app.tidalcyber.com/groups/7fbd7514-76e9-4696-8c66-9f95546e3315) has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.[[Microsoft POLONIUM June 2022](https://app.tidalcyber.com/references/689ff1ab-9fed-4aa2-8e5e-78dac31e6fbd)]", @@ -4834,6 +5130,7 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "b802443a-37b2-4c38-addd-75e4efb1defd", "d903e38b-600d-4736-9e3b-cf1a6e436481", "d819ae1a-e385-49fd-88d5-f66660729ecb", "15787198-6c8b-4f79-bf50-258d55072fee", 
@@ -4867,6 +5164,30 @@ "uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", "value": "RansomHub Ransomware Actors" }, + { + "description": "[RedCurl](https://app.tidalcyber.com/groups/8302ac29-872e-564b-8525-f00002be2e58) is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks.[[group-ib_redcurl1](https://app.tidalcyber.com/references/e9200100-cc58-5c30-b837-e6e73bfe2cbb)] [RedCurl](https://app.tidalcyber.com/groups/8302ac29-872e-564b-8525-f00002be2e58) is allegedly a Russian-speaking threat actor.[[group-ib_redcurl1](https://app.tidalcyber.com/references/e9200100-cc58-5c30-b837-e6e73bfe2cbb)][[group-ib_redcurl2](https://app.tidalcyber.com/references/1fc20d89-def2-5a1e-8e58-37383a019132)] The group’s operations typically start with spearphishing emails to gain initial access, then the group executes discovery and collection commands and scripts to find corporate data. The group concludes operations by exfiltrating files to the C2 servers. ", + "meta": { + "group_attack_id": "G1039", + "observed_countries": [ + "CA", + "UA", + "GB" + ], + "observed_motivations": [ + "Cyber Espionage" + ], + "source": "MITRE", + "target_categories": [ + "Banks", + "Financial Services", + "Hospitality Leisure", + "Insurance" + ] + }, + "related": [], + "uuid": "8302ac29-872e-564b-8525-f00002be2e58", + "value": "RedCurl" + }, { "description": "This object represents the behaviors associated with operators of Rhysida ransomware, which is licensed on a ransomware-as-a-service (\"RaaS\") basis. Various affiliated ransomware operators likely do not operate as a cohesive unit. The Rhysida RaaS operation has been active since May 2023, claiming attacks on multiple sectors in several countries in North and South America, Western Europe, and Australia. 
Many alleged victims are education sector entities. Security researchers have observed TTP and victimology overlaps with the Vice Society extortion group.[[HC3 Analyst Note Rhysida Ransomware August 2023](/references/3f6e2821-5073-4382-b5dd-08676eaa2240)]\n\n**Related Vulnerabilities**: CVE-2020-1472[[U.S. CISA Rhysida Ransomware November 15 2023](/references/6d902955-d9a9-4ec1-8dd4-264f7594605e)]", "meta": { @@ -4896,6 +5217,7 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "b802443a-37b2-4c38-addd-75e4efb1defd", "1bafa336-67a8-4094-bb2e-2079a7bdaab5", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "15787198-6c8b-4f79-bf50-258d55072fee", @@ -4952,8 +5274,9 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "c545270e-a6d4-4d89-af6e-d8be7219405d", + "b802443a-37b2-4c38-addd-75e4efb1defd", "e551ae97-d1b4-484e-9267-89f33829ec2c", - "a2e000da-8181-4327-bacd-32013dbd3654", "d63754b9-0267-4a70-82a3-212ef32fa796", "15787198-6c8b-4f79-bf50-258d55072fee", "5e7433ad-a894-4489-93bc-41e90da90019", 
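Review bot: The RedCurl description string ends with a trailing space (`…files to the C2 servers. "`), and its citation keys `group-ib_redcurl1` / `group-ib_redcurl2` do not follow the `Vendor Title Date` convention every other reference in this file uses (e.g. `Secureworks GOLD IONIC April 2024`), so they will sort and render differently in the reference index. Trim the space and rename the keys to match the titles of the corresponding reference objects (something like `Group-IB RedCurl 2020`, whatever those objects are actually called). The description deliberately hedges "allegedly a Russian-speaking threat actor", so leaving out `country` is the right call here; do not add `"RU"` just for symmetry with Saint Bear.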
@@ -5001,6 +5324,95 @@ "uuid": "666ab5f0-3ef1-4e74-8a10-65c60a7d1acd", "value": "RTM" }, + { + "description": "[Saint Bear](https://app.tidalcyber.com/groups/eb64ce69-f106-5e8e-8efd-a29385a05973) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool, [Saint Bot](https://app.tidalcyber.com/software/d66e5d18-e9f5-4091-bdf4-acdac129e2e0), and information stealer, [OutSteel](https://app.tidalcyber.com/software/042fe42b-f60e-45e1-b47d-a913e0677976) in campaigns. [Saint Bear](https://app.tidalcyber.com/groups/eb64ce69-f106-5e8e-8efd-a29385a05973) typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities.[[Palo Alto Unit 42 OutSteel SaintBot February 2022 ](https://app.tidalcyber.com/references/b0632490-76be-4018-982d-4b73b3d13881)][[Cadet Blizzard emerges as novel threat actor](https://app.tidalcyber.com/references/7180c6a7-e6ea-54bf-bcd7-c5238bbc5f5b)] [Saint Bear](https://app.tidalcyber.com/groups/eb64ce69-f106-5e8e-8efd-a29385a05973) has previously been confused with [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.", + "meta": { + "country": "RU", + "group_attack_id": "G1031", + "observed_countries": [ + "GE", + "UA" + ], + "source": "MITRE" + }, + "related": [], + "uuid": "eb64ce69-f106-5e8e-8efd-a29385a05973", + "value": "Saint Bear" + }, + { + "description": "Sodium is reportedly a \"sophisticated Chinese state-affiliated\" threat actor group, which has especially targeted defense, government, and high-tech organizations in the United States.[[GitHub cybershujin Threat-Actors-use-of-Artifical-Intelligence](/references/b595af7e-ff84-49fa-8e07-cd2abe9e1d65)]", + "meta": { + "country": "CN", + "group_attack_id": "G3060", + 
"observed_motivations": [ + "Cyber Espionage" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "3b73c532-ccfc-4d66-9830-ab76ef1bc47a" + ], + "target_categories": [ + "Aerospace", + "Automotive", + "Defense", + "Electronics", + "Government", + "Telecommunications", + "Transportation" + ] + }, + "related": [], + "uuid": "815777f5-63a2-4718-8056-c430d49e58c0", + "value": "Salmon Typhoon" + }, + { + "description": "Salt Typhoon is likely a cyberespionage group linked to the Chinese government. September 2024 reports indicated the group is believed to have compromised U.S. internet service providers with the intent of collecting sensitive information.[[WSJ Salt Typhoon September 26 2024](/references/15b4c5c3-edf2-4f6b-b398-62767cfabf5a)]\n\nMicrosoft researchers indicate that \"other names\" for Salt Typhoon actors include FamousSparrow and GhostEmperor, a group that was previously tied to supply chain attacks on telecommunications and government entities in Southeast Asia.[[Microsoft Threat Actor Naming July 2023](/references/78a8137d-694e-533d-aed3-6bd48fc0cd4a)][[Sygnia July 17 2024](/references/7d30acb4-9600-46bd-a800-1c7e1149e9b4)] Mandiant researchers identified activity overlaps between GhostEmperor, FamousSparrow, and actors they track as UNC2286.[[Mandiant UNC4841 August 29 2023](/references/f990745d-06c1-4b0a-8394-66c7a3cf0818)]", + "meta": { + "country": "CN", + "group_attack_id": "G3062", + "observed_countries": [ + "AF", + "BR", + "BF", + "CA", + "EG", + "ET", + "FR", + "GT", + "IL", + "LT", + "SA", + "ZA", + "TW", + "TH", + "GB", + "US" + ], + "observed_motivations": [ + "Cyber Espionage" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "915e7ac2-b266-45d7-945c-cb04327d6246", + "e499005b-adba-45bb-85e3-07043fd9edf9", + "8b1cb0dc-dd3e-44ba-828c-55c040e93b93", + "5f5e40cd-0732-4eb4-a083-06940623c3f9", + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + 
"2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Hospitality Leisure", + "Legal", + "Telecommunications" + ] + }, + "related": [], + "uuid": "753c7cd1-ca9f-4632-bbd2-fd55b9e70b10", + "value": "Salt Typhoon" + }, { "description": "[Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[[US District Court Indictment GRU Unit 74455 October 2020](https://app.tidalcyber.com/references/77788d05-30ff-4308-82e6-d123a3c2fd80)][[UK NCSC Olympic Attacks October 2020](https://app.tidalcyber.com/references/93053f1b-917c-4573-ba20-99fcaa16a2dd)] This group has been active since at least 2009.[[iSIGHT Sandworm 2014](https://app.tidalcyber.com/references/63622990-5467-42b2-8f45-b675dfc4dc8f)][[CrowdStrike VOODOO BEAR](https://app.tidalcyber.com/references/ce07d409-292d-4e8e-b1af-bd5ba46c1b95)][[USDOJ Sandworm Feb 2020](https://app.tidalcyber.com/references/fefa7321-cd60-4c7e-a9d5-c723d88013f2)][[NCSC Sandworm Feb 2020](https://app.tidalcyber.com/references/d876d037-9d24-44af-b8f0-5c1555632b91)]\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://app.tidalcyber.com/software/2538e0fe-1290-4ae1-aef9-e55d83c9eb23) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://app.tidalcyber.com/software/073b5288-11d6-4db0-9f2c-a1816847d15c) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[[US District 
Court Indictment GRU Unit 74455 October 2020](https://app.tidalcyber.com/references/77788d05-30ff-4308-82e6-d123a3c2fd80)][[UK NCSC Olympic Attacks October 2020](https://app.tidalcyber.com/references/93053f1b-917c-4573-ba20-99fcaa16a2dd)] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5).[[US District Court Indictment GRU Oct 2018](https://app.tidalcyber.com/references/56aeab4e-b046-4426-81a8-c3b2323492f0)]", "meta": { @@ -5067,7 +5479,7 @@ { "description": "Scarlet Goldfinch is a threat activity cluster that typically tricks victims into downloading files that appear to be web browser updates, with the file ultimately leading to the deployment of NetSupport Manager, a remote monitoring and management (RMM) utility that has been heavily abused by adversaries.[[Red Canary June 26 2024](/references/e0d62504-6fec-4d95-9f4a-e0dda7e7b6d9)]", "meta": { - "group_attack_id": "G5023", + "group_attack_id": "G3056", "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ @@ -5120,6 +5532,9 @@ ], "source": "MITRE", "tags": [ + "3b73c532-ccfc-4d66-9830-ab76ef1bc47a", + "47365c8b-5db8-4d3a-9eb9-d49c8df1a90e", + "b802443a-37b2-4c38-addd-75e4efb1defd", "fe28cf32-a15c-44cf-892c-faa0360d6109", "15f2277a-a17e-4d85-8acd-480bf84f16b4", "c9c73000-30a5-4a16-8c8b-79169f9c24aa", 
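Review bot: The object whose `value` is `"Salmon Typhoon"` (G3060) has a description that only ever calls the actor `Sodium` and records no alias, so neither a reader nor a name-based lookup can tell from the data that the two names denote the same group; either open the description with the current name (e.g. `Salmon Typhoon (formerly tracked as Sodium) is reportedly ...`) or capture `Sodium` in whatever alias field this cluster schema supports. The same pattern appears in the `"Salt Typhoon"` object, whose description names FamousSparrow, GhostEmperor and UNC2286 as overlapping or alternative names but stores none of them in structured form. Both points are inferred from the hunk alone; the surrounding file may define an alias convention that is not visible here.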
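Review bot: Changing `group_attack_id` on the existing Scarlet Goldfinch object from `G5023` to `G3056` rewrites an identifier that downstream consumers may already key on, and the commit description gives no reason for the renumbering. If `G5023` was never published the change is harmless; otherwise a note explaining the migration, or keeping the old id discoverable somewhere in the object, would prevent silent breakage of existing references.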
@@ -5323,7 +5738,45 @@ "value": "Spandex Tempest" }, { - "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nStar Blizzard is believed to be a Russia-based cyber threat actor group. According to joint Cybersecurity Advisory AA23-341A (December 2023), U.S. and international authorities assess that Star Blizzard is “almost certainly” a subordinate of the Russian Federal Security Service (FSB) Centre 18. Star Blizzard is known to successfully use spear-phishing attacks against its targets for information-gathering purposes. The advisory indicated that authorities observed these spear-phishing attacks occurring through 2023. Star Blizzard has traditionally targeted academic, defense, government, non-governmental (NGO), and think tank organizations (and associated personnel) in the United States and United Kingdom, other NATO nations, and countries neighboring Russia. Politicians have also been targeted. According to the advisory, beginning in 2022, authorities witnessed Star Blizzard targeting expand to targets in the defense-industrial sector and U.S. Department of Energy facilities.[[U.S. CISA Star Blizzard December 2023](/references/3d53c154-8ced-4dbe-ab4e-db3bc15bfe4b)]", + "description": "[Star Blizzard](https://app.tidalcyber.com/groups/649642a4-0659-5e10-ae19-1282f73a1785) is a cyber espionage and influence group originating in Russia that has been active since at least 2019. 
[Star Blizzard](https://app.tidalcyber.com/groups/649642a4-0659-5e10-ae19-1282f73a1785) campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.[[Microsoft Star Blizzard August 2022](https://app.tidalcyber.com/references/d5fc25ad-2337-55f5-9eac-050178a533d6)][[CISA Star Blizzard Advisory December 2023](https://app.tidalcyber.com/references/96b26cfc-b31d-5226-879f-4888801ec268)][[StarBlizzard](https://app.tidalcyber.com/references/68b16960-1893-51a1-b46c-974a09d4a0c4)][[Google TAG COLDRIVER January 2024](https://app.tidalcyber.com/references/cff26ad8-b8dc-557d-9751-530f7ebfaa02)]\n", + "meta": { + "country": "RU", + "group_attack_id": "G1033", + "observed_countries": [ + "GB", + "US" + ], + "observed_motivations": [ + "Cyber Espionage" + ], + "source": "MITRE", + "tags": [ + "758c3085-2f79-40a8-ab95-f8a684737927", + "1dc8fd1e-0737-405a-98a1-111dd557f1b5", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "82009876-294a-4e06-8cfc-3236a429bda4", + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "fe28cf32-a15c-44cf-892c-faa0360d6109" + ], + "target_categories": [ + "Defense", + "Education", + "Energy", + "Government", + "NGOs", + "Think Tanks" + ] + }, + "related": [], + "uuid": "649642a4-0659-5e10-ae19-1282f73a1785", + "value": "Star Blizzard" + }, + { + "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Star Blizzard\" (Group). All relevant Tidal content extensions (e.g. 
additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\n*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nStar Blizzard is believed to be a Russia-based cyber threat actor group. According to joint Cybersecurity Advisory AA23-341A (December 2023), U.S. and international authorities assess that Star Blizzard is “almost certainly” a subordinate of the Russian Federal Security Service (FSB) Centre 18. Star Blizzard is known to successfully use spear-phishing attacks against its targets for information-gathering purposes. The advisory indicated that authorities observed these spear-phishing attacks occurring through 2023. Star Blizzard has traditionally targeted academic, defense, government, non-governmental (NGO), and think tank organizations (and associated personnel) in the United States and United Kingdom, other NATO nations, and countries neighboring Russia. Politicians have also been targeted. According to the advisory, beginning in 2022, authorities witnessed Star Blizzard targeting expand to targets in the defense-industrial sector and U.S. Department of Energy facilities.[[U.S. CISA Star Blizzard December 2023](/references/3d53c154-8ced-4dbe-ab4e-db3bc15bfe4b)]", "meta": { "country": "RU", "group_attack_id": "G3029", 
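Review bot: The new MITRE-sourced Star Blizzard description ends with an escaped newline (`...January 2024](...)]\n"`), which no other description added in this series carries; drop the trailing `\n` so the field is consistent with its siblings and does not render an empty line. This is a style point only; the content itself is fine.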
@@ -5351,7 +5804,7 @@ }, "related": [], "uuid": "a13bd574-b907-4489-96ab-8d30faf7fca4", - "value": "Star Blizzard" + "value": "Star Blizzard (Deprecated)" }, { "description": "[Stealth Falcon](https://app.tidalcyber.com/groups/ca3016f3-642a-4ae0-86bc-7258475d6937) is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. [[Citizen Lab Stealth Falcon May 2016](https://app.tidalcyber.com/references/11f46b1e-a141-4d25-bff0-e955251be7f5)]", 
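Review bot: The deprecation of the Tidal-authored Star Blizzard object (G3029) is expressed only in prose and in the `(Deprecated)` suffix on `value`, while its `related` array stays empty, so a consumer reaching this object has no machine-readable pointer to the successor `649642a4-0659-5e10-ae19-1282f73a1785`. Populating `related` with the MITRE object's uuid, using whatever relationship type this galaxy uses elsewhere, would let tooling resolve the replacement without parsing the description. The same applies to the TA577 deprecation at `@@ -5549,7 +6075,20 @@` and the Yellow Liderc deprecation at `@@ -6452,7 +7032,7 @@`, where the successor CURIUM object is named in prose but does not appear anywhere in this series.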
@@ -5370,6 +5823,42 @@ "uuid": "ca3016f3-642a-4ae0-86bc-7258475d6937", "value": "Stealth Falcon" }, + { + "description": "Storm-0501 is a financially motivated actor that has been known to deploy multiple distinct ransomware families and exfiltrate data for extortion purposes.[[Microsoft Security Blog September 26 2024](/references/bf05138b-f690-4b0f-ba10-9af71f7d9bfc)] Active since 2020, the actor was notably observed successfully pivoting from on-premises to victim cloud environments in 2024 by abusing hybrid user identities and their associated privileges.[[Mandiant Sabbath Ransomware November 29 2021](/references/ab3a20a5-2df1-4f8e-989d-baa96ffaca74)][[Microsoft Security Blog September 26 2024](/references/bf05138b-f690-4b0f-ba10-9af71f7d9bfc)] Mandiant researchers indicated that the group they track as \"UNC2190\" is linked to the Microsoft-defined Storm-0501 entity.[[Tyler McLellan UNC2190 September 26 2024](/references/32298444-284a-4991-ba3b-a80bd62be903)]", + "meta": { + "group_attack_id": "G3057", + "observed_countries": [ + "CA", + "US" + ], + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "ecfc9a06-e970-4310-ac3f-0af98163563b", + "1c1a335a-dc30-470d-9539-b09aa87e2f8c", + "15b77e5c-2285-434d-9719-73c14beba8bd", + "532b7819-d407-41e9-9733-0d716b69eb17", + "c9c73000-30a5-4a16-8c8b-79169f9c24aa", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Education", + "Government", + "Healthcare", + "Manufacturing", + "Transportation" + ] + }, + "related": [], + "uuid": "de72d564-6487-4cf3-be3e-0a961cf15d5d", + "value": "Storm-0501" + }, { "description": "Storm-0844 is a threat actor originally known for distributing Akira ransomware, and more recently, for distributing Fog ransomware. 
The actor gains initial access likely by abusing valid accounts, then uses freely available tools for discovery, lateral movement, and exfiltration prior to ransomware deployment.[[Microsoft Threat Intelligence LinkedIn July 15 2024](/references/0e7ea8d0-bdb8-48a6-9718-703f64d16460)]", "meta": { @@ -5520,6 +6009,30 @@ "uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "value": "TA505" }, + { + "description": "Proofpoint researchers indicate that TA547 is a financially motivated threat actor group that likely operates as an initial access broker (\"IAB\"). It has targeted victim in various geographic regions.[[Proofpoint TA547 April 10 2024](/references/c1fab1dd-bec1-4637-9d50-8317247dc82b)]", + "meta": { + "group_attack_id": "G3059", + "observed_countries": [ + "AT", + "DE", + "ES", + "CH", + "US" + ], + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "3b73c532-ccfc-4d66-9830-ab76ef1bc47a" + ] + }, + "related": [], + "uuid": "ac3426c4-6d7e-4e99-9546-266fb7fd8c44", + "value": "TA547" + }, { "description": "[TA551](https://app.tidalcyber.com/groups/8951bff3-c444-4374-8a9e-b2115d9125b2) is a financially-motivated threat group that has been active since at least 2018. [[Secureworks GOLD CABIN](https://app.tidalcyber.com/references/778babec-e7d3-4341-9e33-aab361f2b98a)] The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. [[Unit 42 TA551 Jan 2021](https://app.tidalcyber.com/references/8e34bf1e-86ce-4d52-a6fa-037572766e99)]", "meta": { 
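Review bot: The TA547 description has a grammatical slip, `It has targeted victim in various geographic regions`, which should read `It has targeted victims in various geographic regions`. Since that is the only sentence describing targeting, and the object carries `observed_countries` but no `target_categories`, it would also help to name the sectors the cited Proofpoint report covers, if that source supports it.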
@@ -5534,7 +6047,20 @@ "value": "TA551" }, { - "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nTA577 is a cybercriminal actor that has remained highly active since mid-2020. The actor is known for carrying out email-based campaigns that result in the delivery of a wide range of payloads, including at least one leading to ransomware (REvil) deployment. These campaigns are known to impact organizations in a wide range of sectors and geographic locations.[[Proofpoint Ransomware Initial Access June 2021](/references/3b0631ae-f589-4b7c-a00a-04dcd5f3a77b)] The actor appears adept at shifting payloads in response to external factors, for example moving to deliver DarkGate and Pikabot shortly after international authorities disrupted the QakBot botnet in August 2023.[[Malwarebytes Pikabot December 15 2023](/references/50b29ef4-7ade-4672-99b6-fdf367170a5b)]", + "description": "[TA577](https://app.tidalcyber.com/groups/e1e72810-4661-54c7-b05e-859128fb327d) is an initial access broker (IAB) that has distributed [QakBot](https://app.tidalcyber.com/software/9050b418-5ffd-481a-a30d-f9059b0871ea) and [Pikabot](https://app.tidalcyber.com/software/fb1b0624-3290-5977-abbc-bc9609b51f8d), and was among the first observed groups distributing [Latrodectus](https://app.tidalcyber.com/software/413585a2-00d1-532d-953a-bc5c86f4767f) in 2023.[[Latrodectus APR 2024](https://app.tidalcyber.com/references/23f46e51-cfb9-516f-88a6-824893293deb)]", + "meta": { + "group_attack_id": "G1037", + "observed_motivations": [ + "Financial Gain" + ], + "source": "MITRE" + }, + "related": [], + "uuid": "e1e72810-4661-54c7-b05e-859128fb327d", + "value": "TA577" + }, + { + "description": 
"*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"TA577\" (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\n*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nTA577 is a cybercriminal actor that has remained highly active since mid-2020. The actor is known for carrying out email-based campaigns that result in the delivery of a wide range of payloads, including at least one leading to ransomware (REvil) deployment. These campaigns are known to impact organizations in a wide range of sectors and geographic locations.[[Proofpoint Ransomware Initial Access June 2021](/references/3b0631ae-f589-4b7c-a00a-04dcd5f3a77b)] The actor appears adept at shifting payloads in response to external factors, for example moving to deliver DarkGate and Pikabot shortly after international authorities disrupted the QakBot botnet in August 2023.[[Malwarebytes Pikabot December 15 2023](/references/50b29ef4-7ade-4672-99b6-fdf367170a5b)]", "meta": { "group_attack_id": "G3031", "observed_motivations": [ 
@@ -5549,7 +6075,20 @@ }, "related": [], "uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", - "value": "TA577" + "value": "TA577 (Deprecated)" + }, + { + "description": "[TA578](https://app.tidalcyber.com/groups/b47551ba-8036-5527-abba-fed787c854a5) is a threat actor that has used contact forms and email to initiate communications with victims and to distribute malware including [Latrodectus](https://app.tidalcyber.com/software/413585a2-00d1-532d-953a-bc5c86f4767f), [IcedID](https://app.tidalcyber.com/software/7f59bb7c-5fa9-497d-9d8e-ba9349fd9433), and [Bumblebee](https://app.tidalcyber.com/software/cc155181-fb34-4aaf-b083-b7b57b140b7a).[[Latrodectus APR 2024](https://app.tidalcyber.com/references/23f46e51-cfb9-516f-88a6-824893293deb)][[Bitsight Latrodectus June 2024](https://app.tidalcyber.com/references/9a942e75-3541-5b8d-acde-8f2a3447184a)]", + "meta": { + "group_attack_id": "G1038", + "observed_motivations": [ + "Financial Gain" + ], + "source": "MITRE" + }, + "related": [], + "uuid": "b47551ba-8036-5527-abba-fed787c854a5", + "value": "TA578" }, { "description": "[TeamTNT](https://app.tidalcyber.com/groups/325c11be-e1ee-47db-afa6-44ac5d16f0e7) is a threat group that has primarily targeted cloud and containerized environments. 
The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.[[Palo Alto Black-T October 2020](https://app.tidalcyber.com/references/d4351c8e-026d-4660-9344-166481ecf64a)][[Lacework TeamTNT May 2021](https://app.tidalcyber.com/references/5908b04b-dbca-4fd8-bacc-141ef15546a1)][[Intezer TeamTNT September 2020](https://app.tidalcyber.com/references/1155a45e-86f4-497a-9a03-43b6dcb25202)][[Cado Security TeamTNT Worm August 2020](https://app.tidalcyber.com/references/8ccab4fe-155d-44b0-b0f2-941e9f8f87db)][[Unit 42 Hildegard Malware](https://app.tidalcyber.com/references/0941cf0e-75d8-4c96-bc42-c99d809e75f9)][[Trend Micro TeamTNT](https://app.tidalcyber.com/references/d6b52135-6bb2-4e37-8f94-1e1d6354bdfd)][[ATT TeamTNT Chimaera September 2020](https://app.tidalcyber.com/references/5d9f402f-4ff4-4993-8685-e5656e2f3aff)][[Aqua TeamTNT August 2020](https://app.tidalcyber.com/references/ca10ad0d-1a47-4006-8f76-c2246aee7752)][[Intezer TeamTNT Explosion September 2021](https://app.tidalcyber.com/references/e0d6208b-a4d6-45f0-bb3a-6c8681630b55)]", @@ -5884,7 +6423,7 @@ ], "source": "MITRE", "tags": [ - "a2e000da-8181-4327-bacd-32013dbd3654" + "c545270e-a6d4-4d89-af6e-d8be7219405d" ], "target_categories": [ "Aerospace", 
@@ -5970,6 +6509,23 @@
 "uuid": "809c288d-2dec-4c34-8ac1-f91d227ddfbd",
 "value": "UNC5537"
 },
+ {
+ "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. Further contextual details are provided via the sources in the References tab below and any associated Tags.",
+ "meta": {
+ "group_attack_id": "G3063",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "ef7715f8-526a-4df5-bad3-74b66170a52b",
+ "a98d7a43-f227-478e-81de-e7299639a355",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "4ee3b97e-a8b1-4b04-b997-853fd3869f47",
+ "value": "UNC5820"
+ },
 {
 "description": "UNC961 is a financially motivated group active since at least 2018. It traditionally targeted retail and \"business services\" organizations based in North America, until expanding its targeting in 2020 to also include victims in a range of additional sectors in Northern Europe and Western Asia. In all known intrusions, UNC961 gained initial access by exploiting web-facing applications.[[Mandiant Log4Shell March 28 2022](/references/62d4d685-09c4-47b6-865c-4a6096e551cd)]",
 "meta": {
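Review bot: The UNC5820 object's description is the generic placeholder text (`This object represents a collection of MITRE ATT&CK® Techniques ...`) and carries no actor-specific content, no `observed_countries`, no `observed_motivations` and no inline citation, so the only context a consumer gets is four opaque tag uuids. A one-sentence summary with a `[[...]](/references/...)` citation, as the other Tidal-authored objects in this series have, would make the object usable outside the Tidal UI, where the "References tab" the text refers to does not exist.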
@@ -6189,7 +6745,7 @@ "value": "Volatile Cedar" }, { - "description": "[Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.[[Microsoft Volt Typhoon May 2023](https://app.tidalcyber.com/references/8b74f0b7-9719-598c-b3ee-61d734393e6f)][[Joint Cybersecurity Advisory Volt Typhoon June 2023](https://app.tidalcyber.com/references/14872f08-e219-5c0d-a2d7-43a3ba348b4b)][[Secureworks BRONZE SILHOUETTE May 2023](https://app.tidalcyber.com/references/77624549-e170-5894-9219-a15b4aa31726)]", + "description": "[Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and its territories including Guam. [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e)'s targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. 
[Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.[[CISA AA24-038A PRC Critical Infrastructure February 2024](https://app.tidalcyber.com/references/bfa16dc6-f075-5bd3-9d9d-255df8789298)][[Microsoft Volt Typhoon May 2023](https://app.tidalcyber.com/references/8b74f0b7-9719-598c-b3ee-61d734393e6f)][[Joint Cybersecurity Advisory Volt Typhoon June 2023](https://app.tidalcyber.com/references/14872f08-e219-5c0d-a2d7-43a3ba348b4b)][[Secureworks BRONZE SILHOUETTE May 2023](https://app.tidalcyber.com/references/77624549-e170-5894-9219-a15b4aa31726)]", "meta": { "country": "CN", "group_attack_id": "G1017", @@ -6202,6 +6758,9 @@ ], "source": "MITRE", "tags": [ + "b20e7912-6a8d-46e3-8e13-9a3fc4813852", + "a98d7a43-f227-478e-81de-e7299639a355", + "712d4124-8860-488a-a780-2938f9df6313", "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "35e694ec-5133-46e3-b7e1-5831867c3b55", @@ -6213,6 +6772,7 @@ "target_categories": [ "Construction", "Education", + "Energy", "Government", "Manufacturing", "Maritime", 
@@ -6345,6 +6905,27 @@
 "uuid": "6932662a-53a7-4e43-877f-6e940e2d744b",
 "value": "Winnti Group"
 },
+ {
+ "description": "Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of Indian and US victims. The group leverages a combination of document-based phishing activity and server-side exploitation for initial access, leveraging adversary-controlled and -created infrastructure for follow-on command and control.[[DomainTools WinterVivern 2021](https://app.tidalcyber.com/references/5f52274f-9d02-5e3c-a1da-48eee0804459)][[SentinelOne WinterVivern 2023](https://app.tidalcyber.com/references/f1b6b3b8-2068-5d80-a318-c77aaa9417c1)][[CERT-UA WinterVivern 2023](https://app.tidalcyber.com/references/d82e5170-b9be-5a60-a2a1-8df658740639)][[ESET WinterVivern 2023](https://app.tidalcyber.com/references/7def830a-22d8-55b6-a1e5-a6a63a8bbd5a)][[Proofpoint WinterVivern 2023](https://app.tidalcyber.com/references/45f638af-ad10-566e-9e4d-49385a79022f)]",
+ "meta": {
+ "group_attack_id": "G1035",
+ "observed_countries": [
+ "IN",
+ "PL",
+ "UA",
+ "US"
+ ],
+ "source": "MITRE",
+ "target_categories": [
+ "Government",
+ "NGOs",
+ "Telecommunications"
+ ]
+ },
+ "related": [],
+ "uuid": "f18800ea-04fc-5a3a-8905-d3bbc460794f",
+ "value": "Winter Vivern"
+ },
 {
 "description": "[WIRTE](https://app.tidalcyber.com/groups/73da066d-b25f-45ba-862b-1a69228c6baa) is a threat group that has been active since at least August 2018. [WIRTE](https://app.tidalcyber.com/groups/73da066d-b25f-45ba-862b-1a69228c6baa) has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.[[Lab52 WIRTE Apr 2019](https://app.tidalcyber.com/references/884b675e-390c-4f6d-8cb7-5d97d84115e5)][[Kaspersky WIRTE November 2021](https://app.tidalcyber.com/references/143b4694-024d-49a5-be3c-d9ceca7295b2)]",
 "meta": {
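Review bot: The Winter Vivern description attributes the group to `Russian and Belorussian interests`, yet unlike the other MITRE-sourced additions with a stated nexus (Saint Bear and Star Blizzard both set `"country": "RU"`) the object records no `country`; if the omission mirrors a deliberately hedged attribution in the MITRE source that is fine, but it is worth confirming rather than leaving it as an accidental gap. Separately, the usual English spelling is `Belarusian`; if the text is copied verbatim from upstream, keep it here and correct it at the source.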
@@ -6425,7 +7006,7 @@ "value": "Wizard Spider" }, { - "description": "Yellow Liderc (aka Imperial Kitten, Tortoiseshell, TA456, Crimson Sandstorm) is a threat actor group based in Iran that is believed to be aligned with the Iranian Islamic Revolutionary Guard Corp (IRGC). Researchers have observed the group targeting victims in a range of sectors in the United States, Europe, the Middle East and Mediterranean, and South Asia.[[PwC Yellow Liderc October 25 2023](/references/cbeaf9b5-865f-44a1-a913-9eec28d7a5ff)]", + "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"CURIUM\" (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nYellow Liderc (aka Imperial Kitten, Tortoiseshell, TA456, Crimson Sandstorm) is a threat actor group based in Iran that is believed to be aligned with the Iranian Islamic Revolutionary Guard Corp (IRGC). Researchers have observed the group targeting victims in a range of sectors in the United States, Europe, the Middle East and Mediterranean, and South Asia.[[PwC Yellow Liderc October 25 2023](/references/cbeaf9b5-865f-44a1-a913-9eec28d7a5ff)]", "meta": { "country": "IR", "group_attack_id": "G3025", @@ -6438,8 +7019,7 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ - "c6e1f516-1a18-4ff9-b563-e6ac8103b104", - "2feda37d-5579-4102-a073-aa02e82cb49f" + "3b73c532-ccfc-4d66-9830-ab76ef1bc47a" ], "target_categories": [ "Aerospace", 
@@ -6452,7 +7032,7 @@
 },
 "related": [],
 "uuid": "9e8620c4-a560-4081-aefc-118c7ec3fc22",
- "value": "Yellow Liderc"
+ "value": "Yellow Liderc (Deprecated)"
 },
 {
 "description": "[ZIRCONIUM](https://app.tidalcyber.com/groups/5e34409e-2f55-4384-b519-80747d02394c) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.[[Microsoft Targeting Elections September 2020](https://app.tidalcyber.com/references/1d7070fd-01be-4776-bb21-13368a6173b1)][[Check Point APT31 February 2021](https://app.tidalcyber.com/references/84ac99ef-106f-44e9-97f0-3eda90570932)]",
diff --git a/clusters/tidal-references.json b/clusters/tidal-references.json
index 8cbd3d7..b421607 100644
--- a/clusters/tidal-references.json
+++ b/clusters/tidal-references.json
@@ -219,6 +219,21 @@
 "uuid": "3b85eaeb-6bf5-529b-80a4-439ceb6c5d6d",
 "value": "ACSC BlackCat Apr 2022"
 },
+ {
+ "description": "CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-20T00:00:00Z",
+ "date_published": "2023-01-01T00:00:00Z",
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/2022OverWatchThreatHuntingReport.pdf"
+ ],
+ "source": "MITRE",
+ "title": "2022 Falcon OverWatch Threat Hunting Report"
+ },
+ "related": [],
+ "uuid": "cae1043a-2473-5b7e-b9ed-27d4f9c5b9b0",
+ "value": "Crowdstrike HuntReport 2022"
+ },
 {
 "description": "IC3. (2022). 2022 Internet Crime Report. Retrieved August 18, 2023.",
 "meta": {
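Review bot: The CrowdStrike reference records `"date_published": "2023-01-01T00:00:00Z"` for a source whose description gives only a year, `CrowdStrike. (2023)`, so a day-precision timestamp is asserted for a date known only to the year; the Elastic entry at `@@ -716,6 +776,20 @@` shows the cluster already tolerates omitting `date_published` for undated sources, so either omit it here too or document that year-only dates are normalised to January 1. The `value` also spells the vendor `Crowdstrike` while the description uses `CrowdStrike`.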
@@ -264,6 +279,21 @@
 "uuid": "514b704c-8668-4b61-8411-5b682e3b8471",
 "value": "ASD Royal Ransomware January 24 2023"
 },
+ {
+ "description": "Unit 42. (2024, June 25). 2024-06-25-IOCs-from-Latrodectus-activity. Retrieved September 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-13T00:00:00Z",
+ "date_published": "2024-06-25T00:00:00Z",
+ "refs": [
+ "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-06-25-IOCs-from-Latrodectus-activity.txt"
+ ],
+ "source": "MITRE",
+ "title": "2024-06-25-IOCs-from-Latrodectus-activity"
+ },
+ "related": [],
+ "uuid": "00f32246-e19b-5b20-b5c1-27b75c6667ca",
+ "value": "Palo Alto Latrodectus Activity June 2024"
+ },
 {
 "description": "Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.",
 "meta": {
@@ -338,6 +368,21 @@
 "uuid": "5d33fcb4-0f01-4b88-b1ee-dad6dcc867f4",
 "value": "Hybrid Analysis Icacls2 May 2018"
 },
+ {
+ "description": "Bill Toulas. (2021, December 21). 2easy now a significant dark web marketplace for stolen data. Retrieved October 7, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-07T00:00:00Z",
+ "date_published": "2021-12-21T00:00:00Z",
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/"
+ ],
+ "source": "MITRE",
+ "title": "2easy now a significant dark web marketplace for stolen data"
+ },
+ "related": [],
+ "uuid": "23ebd169-3ac6-5074-a238-a8e7d96f48ab",
+ "value": "Bleeping Computer 2easy 2021"
+ },
 {
 "description": "Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020.",
 "meta": {
@@ -580,6 +625,21 @@
 "uuid": "3a2dbd8b-54e3-406a-b77c-b6fae5541b6d",
 "value": "CISA AA21-200A APT40 July 2021"
 },
+ {
+ "description": "CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-06T00:00:00Z",
+ "date_published": "2022-09-23T00:00:00Z",
+ "refs": [
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a"
+ ],
+ "source": "MITRE",
+ "title": "AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania"
+ },
+ "related": [],
+ "uuid": "c5d37bde-52bc-525a-b25a-e097f77a924a",
+ "value": "CISA Iran Albanian Attacks September 2022"
+ },
 {
 "description": "Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 1, 2022.",
 "meta": {
@@ -716,6 +776,20 @@
 "uuid": "25d46bc1-4c05-48d3-95f0-aa3ee1100bf9",
 "value": "Netskope Cloud Phishing"
 },
+ {
+ "description": "Elastic. (n.d.). Abnormal Process ID or Lock File Created. Retrieved September 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-19T00:00:00Z",
+ "refs": [
+ "https://www.elastic.co/guide/en/security/current/abnormal-process-id-or-lock-file-created.html"
+ ],
+ "source": "MITRE",
+ "title": "Abnormal Process ID or Lock File Created"
+ },
+ "related": [],
+ "uuid": "99091ea0-35b3-590d-bd6c-0cc20b6be8f9",
+ "value": "Elastic Abnormal Process ID or Lock File Created"
+ },
 {
 "description": "Ako-Adjei, K., Dickhaus, M., Baumgartner, P., Faigel, D., et. al.. (2019, October 8). About admin roles. Retrieved October 18, 2019.",
 "meta": {
@@ -1011,12 +1085,12 @@
 "value": "Application Bundle Manipulation Brandon Dalton"
 },
 {
- "description": "Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.",
+ "description": "Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2021-01-19T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2021-01-12T00:00:00Z",
 "refs": [
- "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/"
+ "https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/"
 ],
 "source": "MITRE",
 "title": "Abusing cloud services to fly under the radar"
@@ -1041,12 +1115,12 @@
 "value": "Electron 2"
 },
 {
- "description": "Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved March 5, 2019.",
+ "description": "Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved September 23, 2024.",
 "meta": {
- "date_accessed": "2019-03-05T00:00:00Z",
+ "date_accessed": "2024-09-23T00:00:00Z",
 "date_published": "2016-03-17T00:00:00Z",
 "refs": [
- "http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/"
+ "https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/"
 ],
 "source": "MITRE",
 "title": "Abusing GPO Permissions"
@@ -1055,6 +1129,21 @@
 "uuid": "18cc9426-9b51-46fa-9106-99688385ebe4",
 "value": "Harmj0y Abusing GPO Permissions"
 },
+ {
+ "description": "Boal, Calum. (2020, January 28). Abusing Kerberos From Linux - An Overview of Available Tools. Retrieved September 17, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-17T00:00:00Z",
+ "date_published": "2020-01-28T00:00:00Z",
+ "refs": [
+ "https://www.onsecurity.io/blog/abusing-kerberos-from-linux/"
+ ],
+ "source": "MITRE",
+ "title": "Abusing Kerberos From Linux - An Overview of Available Tools"
+ },
+ "related": [],
+ "uuid": "7d0870a0-db94-5213-a1b7-fc3c6557dcc0",
+ "value": "on security kerberos linux"
+ },
 {
 "description": "Routin, D. (2017, November 13). Abusing network shares for efficient lateral movements and privesc (DirSharePivot). Retrieved April 12, 2018.",
 "meta": {
@@ -1716,7 +1805,7 @@
 "date_accessed": "2019-02-18T00:00:00Z",
 "date_published": "2018-01-09T00:00:00Z",
 "refs": [
- "https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html"
+ "https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e"
 ],
 "source": "MITRE",
 "title": "A Death Match of Domain Generation Algorithms"
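Review bot: `"value": "on security kerberos linux"` does not follow the `<Publisher> <Topic> <Date>` key form the neighbouring entries use (`Harmj0y Abusing GPO Permissions`, `CISA AA21-200A APT40 July 2021`), and several other new entries in this patch have the same problem: `Alexa-dns` (L112), `McAfee-GhostSecret-fixurl` (L114), `apt41_mandiant` (L118), `apt41_dcsocytec_dec2022` (L119), `mandiant_apt44_unearthing_sandworm` (L120), `Lua Proofpoint Sunseed` (L121) and `audits linikatz` (L122). Something like `"value": "OnSecurity Abusing Kerberos From Linux January 2020"` matches the convention. Because these values are the citation keys other objects link by (the `[[PwC Yellow Liderc October 25 2023](...)]` form on L103), rename only keys that nothing cites yet, or update the citing descriptions in the same commit. `McAfee-GhostSecret-fixurl` additionally reads as a workaround name for what appears to be the same McAfee article as the adjacent `McAfee GhostSecret` key; if the URLs match, correcting the existing entry is preferable to adding a second uuid.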
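Review bot: The replacement link for "A Death Match of Domain Generation Algorithms" moves the citation from the Akamai blog to a personal Medium account (`medium.com/@yvyuz`), while `source` and the description still present it as the original publication, so the provenance of the linked copy cannot be checked from the metadata. The same pattern appears in the AWS-ADFS-Credential-Generator hunk on L123, where the URL now points at `github.com/pvanbuijtene/...` although the entry credits Damian Hickey. Where the original URL is dead, an archived capture of it, in the form the NCC Group entry on L107 uses (`https://web.archive.org/web/<timestamp>/<original-url>`), keeps the attribution intact; otherwise the description should name the account actually linked. The enclosing reference object starts and ends outside this hunk.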
@@ -1919,6 +2008,21 @@
 "uuid": "ce960e76-848f-440d-9843-54773f7b11cf",
 "value": "Microsoft ADV170021 Dec 2017"
 },
+ {
+ "description": "CISA. (2021, April 15). Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. Retrieved August 30, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-30T00:00:00Z",
+ "date_published": "2021-04-15T00:00:00Z",
+ "refs": [
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a"
+ ],
+ "source": "MITRE",
+ "title": "Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations"
+ },
+ "related": [],
+ "uuid": "1e68b9ef-0aee-5d69-be72-3bc4d5cfa6b9",
+ "value": "CISA AA20-352A 2021"
+ },
 {
 "description": "FireEye. (n.d.). Advanced Persistent Threat Groups. Retrieved August 3, 2018.",
 "meta": {
@@ -1933,6 +2037,20 @@
 "uuid": "5b6b909d-870a-4d14-85ec-6aa14e598740",
 "value": "FireEye APT Groups"
 },
+ {
+ "description": "Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved February 14, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-14T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/insights/apt-groups"
+ ],
+ "source": "MITRE",
+ "title": "Advanced Persistent Threats (APTs)"
+ },
+ "related": [],
+ "uuid": "2d16615b-09fc-5925-8f59-6d20f334d236",
+ "value": "Mandiant Advanced Persistent Threats"
+ },
 {
 "description": "Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved September 14, 2023.",
 "meta": {
@@ -1948,20 +2066,6 @@
 "uuid": "c984fcfc-1bfd-4b1e-9034-a6ff3e6ebf97",
 "value": "Mandiant APT Groups List"
 },
- {
- "description": "Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved February 14, 2024.",
- "meta": {
- "date_accessed": "2024-02-14T00:00:00Z",
- "refs": [
- "https://www.mandiant.com/resources/insights/apt-groups"
- ],
- "source": "MITRE",
- "title": "Advanced Persistent Threats (APTs)"
- },
- "related": [],
- "uuid": "2d16615b-09fc-5925-8f59-6d20f334d236",
- "value": "Mandiant Advanced Persistent Threats"
- },
 {
 "description": "Simpson, D. et al. (2017, April 19). Advanced security audit policy settings. Retrieved September 14, 2021.",
 "meta": {
@@ -2252,6 +2356,36 @@
 "uuid": "d6644f88-d727-4f62-897a-bfa18f86380d",
 "value": "ATT Sidewinder January 2021"
 },
+ {
+ "description": "Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-22T00:00:00Z",
+ "date_published": "2023-11-06T00:00:00Z",
+ "refs": [
+ "https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/"
+ ],
+ "source": "MITRE",
+ "title": "Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors"
+ },
+ "related": [],
+ "uuid": "70fb43bd-f8e1-56a5-a0e9-884e85f16b10",
+ "value": "Unit42 Agrius 2023"
+ },
+ {
+ "description": "Marc Salinas Fernandez & Jiri Vinopal. (2023, May 23). AGRIUS DEPLOYS MONEYBIRD IN TARGETED ATTACKS AGAINST ISRAELI ORGANIZATIONS. Retrieved May 21, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-21T00:00:00Z",
+ "date_published": "2023-05-23T00:00:00Z",
+ "refs": [
+ "https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/"
+ ],
+ "source": "MITRE",
+ "title": "AGRIUS DEPLOYS MONEYBIRD IN TARGETED ATTACKS AGAINST ISRAELI ORGANIZATIONS"
+ },
+ "related": [],
+ "uuid": "b3034b5d-1fe5-5677-a2e8-9329141875d4",
+ "value": "CheckPoint Agrius 2023"
+ },
 {
 "description": "Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019.",
 "meta": {
@@ -2645,6 +2779,35 @@
 "uuid": "0043043a-4741-41c2-a6f2-f88d5caa8b7a",
 "value": "US-CERT Emotet Jul 2018"
 },
+ {
+ "description": "LLMjacking: Stolen Cloud Credentials Used in New AI Attack. (2024, May 6). Alessandro Brucato. Retrieved September 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-25T00:00:00Z",
+ "date_published": "2024-05-06T00:00:00Z",
+ "refs": [
+ "https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/"
+ ],
+ "source": "MITRE",
+ "title": "Alessandro Brucato"
+ },
+ "related": [],
+ "uuid": "20d3128e-0900-5373-97f0-fcf26fc86271",
+ "value": "Sysdig LLMJacking 2024"
+ },
+ {
+ "description": "Scanning Alexa's Top 1M for AXFR. (2015, March 29). Retrieved June 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-05T00:00:00Z",
+ "refs": [
+ "https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/"
+ ],
+ "source": "MITRE",
+ "title": "Alexa-dns"
+ },
+ "related": [],
+ "uuid": "154a5d86-4478-5cf5-ac39-19ac7581a440",
+ "value": "Alexa-dns"
+ },
 {
 "description": "Noteworthy. (2019, January 6). Al-Khaser. Retrieved April 1, 2022.",
 "meta": {
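Review bot: The Sysdig entry has author and title swapped: `description` opens with the article title and ends with the author, and `title` holds the author's name `Alessandro Brucato`. Following the `Author. (date). Title. Retrieved ...` form every other entry here uses, the two lines should read `"description": "Alessandro Brucato. (2024, May 6). LLMjacking: Stolen Cloud Credentials Used in New AI Attack. Retrieved September 25, 2024."` and `"title": "LLMjacking: Stolen Cloud Credentials Used in New AI Attack"`. The `Alexa-dns` entry in the same hunk has a related problem: its `title` is the citation key rather than the article title the description gives (`Scanning Alexa's Top 1M for AXFR`), and the description names no author or publisher. The list appears to be ordered by title, so correcting both may also move the entries.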
@@ -2660,6 +2823,36 @@
 "uuid": "d9773aaf-e3ec-4ce3-b5c8-1ca3c4751622",
 "value": "AlKhaser Debug"
 },
+ {
+ "description": "Microsoft. (2017, April 9). Allow log on through Remote Desktop Services. Retrieved August 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-05T00:00:00Z",
+ "date_published": "2017-04-09T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services"
+ ],
+ "source": "MITRE",
+ "title": "Allow log on through Remote Desktop Services"
+ },
+ "related": [],
+ "uuid": "2b460644-dc33-5cf4-a80a-8509d9f7e152",
+ "value": "Microsoft RDP Logons"
+ },
+ {
+ "description": "Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce Love Story. Retrieved September 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-09T00:00:00Z",
+ "date_published": "2015-03-23T00:00:00Z",
+ "refs": [
+ "https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/"
+ ],
+ "source": "MITRE",
+ "title": "All You Need Is One – A ClickOnce Love Story"
+ },
+ "related": [],
+ "uuid": "be17ae41-52d0-51bd-b48f-5c1d3c5c8dc1",
+ "value": "NetSPI ClickOnce"
+ },
 {
 "description": "Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017.",
 "meta": {
@@ -2856,12 +3049,12 @@
 "value": "Trend Micro S3 Exposed PII, 2017"
 },
 {
- "description": "Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers. Retrieved October 16, 2020.",
+ "description": "Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers. Retrieved September 16, 2024.",
 "meta": {
- "date_accessed": "2020-10-16T00:00:00Z",
+ "date_accessed": "2024-09-16T00:00:00Z",
 "date_published": "2019-06-18T00:00:00Z",
 "refs": [
- "https://www.recordedfuture.com/cobalt-strike-servers/"
+ "https://www.recordedfuture.com/research/cobalt-strike-servers"
 ],
 "source": "MITRE",
 "title": "A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers"
@@ -3276,6 +3469,21 @@
 "uuid": "d1cd4f5b-253c-4833-8905-49fb58e7c016",
 "value": "McAfee GhostSecret"
 },
+ {
+ "description": "Ryan Sherstobitoff. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved August 15, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-15T00:00:00Z",
+ "date_published": "2018-04-24T00:00:00Z",
+ "refs": [
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/"
+ ],
+ "source": "MITRE",
+ "title": "Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide"
+ },
+ "related": [],
+ "uuid": "8c88bc0d-102a-59ff-99e7-0d8a789c08a0",
+ "value": "McAfee-GhostSecret-fixurl"
+ },
 {
 "description": "MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.",
 "meta": {
@@ -3440,6 +3648,20 @@
 "uuid": "f4efbcb5-494c-40e0-8734-5df1b92ec39c",
 "value": "Kaspersky Andariel Ransomware June 2021"
 },
+ {
+ "description": "US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-06T00:00:00Z",
+ "refs": [
+ "https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf"
+ ],
+ "source": "MITRE",
+ "title": "and Global Critical Infrastructure"
+ },
+ "related": [],
+ "uuid": "c4dba764-d864-59bf-a80d-f1263bc904e4",
+ "value": "CISA GRU29155 2024"
+ },
 {
 "description": "Pankaj Kohli. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved October 30, 2023.",
 "meta": {
@@ -4083,21 +4305,6 @@
 "uuid": "268e7ade-c0a8-5859-8b16-6fa8aa3b0cb7",
 "value": "Microsoft App Domains"
 },
- {
- "description": "Corio, C., & Sayana, D. P.. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.",
- "meta": {
- "date_accessed": "2014-11-18T00:00:00Z",
- "date_published": "2008-06-01T00:00:00Z",
- "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/technet-magazine/cc510322(v=msdn.10)?redirectedfrom=MSDN"
- ],
- "source": "MITRE",
- "title": "Application Lockdown with Software Restriction Policies"
- },
- "related": [],
- "uuid": "5dab4466-0871-486a-84ad-0e648b2e937d",
- "value": "Microsoft Application Lockdown"
- },
 {
 "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.",
 "meta": {
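Review bot: The new GRU 29155 advisory entry has a truncated `title`, `"and Global Critical Infrastructure"`, where its own description gives the full `Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure`; the cut looks like a citation parser breaking on the period in `U.S.`. The description also states a publication date, `(2024, September 5)`, yet `meta` carries no `date_published`, unlike the other dated entries in this patch. Suggested lines: `"title": "Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure"` and `"date_published": "2024-09-05T00:00:00Z"`. The list appears to be ordered by title, so the corrected entry would likely move out of the "And…" run it currently sits in.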
@@ -4113,6 +4320,21 @@
 "uuid": "cae409ca-1c77-45df-88cd-c0998ac724ec",
 "value": "Corio 2008"
 },
+ {
+ "description": "Corio, C., & Sayana, D. P.. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.",
+ "meta": {
+ "date_accessed": "2014-11-18T00:00:00Z",
+ "date_published": "2008-06-01T00:00:00Z",
+ "refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/technet-magazine/cc510322(v=msdn.10)?redirectedfrom=MSDN"
+ ],
+ "source": "MITRE",
+ "title": "Application Lockdown with Software Restriction Policies"
+ },
+ "related": [],
+ "uuid": "5dab4466-0871-486a-84ad-0e648b2e937d",
+ "value": "Microsoft Application Lockdown"
+ },
 {
 "description": "Beechey, J.. (2014, November 18). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.",
 "meta": {
@@ -4173,6 +4395,20 @@
 "uuid": "2f1adf20-a4b8-48c1-861f-0a44271765d7",
 "value": "Penetration Testing Lab MSXSL July 2017"
 },
+ {
+ "description": "William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution & C2. Retrieved September 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-09T00:00:00Z",
+ "refs": [
+ "https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf?_gl=1*1jv89bf*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.256219723.1512103758.1724809895-1999078900.1724809894"
+ ],
+ "source": "MITRE",
+ "title": "Appref-ms Abuse for Code Execution & C2"
+ },
+ "related": [],
+ "uuid": "1bb14130-f819-5666-ab57-8f96fd4e7b05",
+ "value": "Burke/CISA ClickOnce Paper"
+ },
 {
 "description": "Microsoft. (2023, January 30). Approve or deny requests for Azure AD roles in Privileged Identity Management. Retrieved February 21, 2023.",
 "meta": {
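Review bot: The Black Hat PDF link in the Appref-ms entry carries a `?_gl=…&_ga=…` query string, which looks like Google Analytics cross-domain linker and client identifiers captured from the retriever's browser session; they do not identify the document and will be replayed by everyone who follows the reference. Strip the query string so the line reads `"https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf"`. The description says `(n.d.)` although the path places the paper at a 2019 conference, so it is worth checking whether a `date_published` can be set as the sibling entries have.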
@@ -4429,21 +4665,6 @@
 "uuid": "3dd67aae-7feb-4b07-a985-ccadc1b16f1d",
 "value": "Bitdefender APT28 Dec 2015"
 },
- {
- "description": "Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017.",
- "meta": {
- "date_accessed": "2017-03-27T00:00:00Z",
- "date_published": "2017-03-27T00:00:00Z",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html"
- ],
- "source": "MITRE",
- "title": "APT29 Domain Fronting With TOR"
- },
- "related": [],
- "uuid": "3e013b07-deaf-4387-acd7-2d0565d196a9",
- "value": "FireEye APT29 Domain Fronting"
- },
 {
 "description": "Matthew Dunwoody. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved November 20, 2017.",
 "meta": {
@@ -4459,6 +4680,21 @@
 "uuid": "1d919991-bc87-41bf-9e58-edf1b3806bb8",
 "value": "FireEye APT29 Domain Fronting With TOR March 2017"
 },
+ {
+ "description": "Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017.",
+ "meta": {
+ "date_accessed": "2017-03-27T00:00:00Z",
+ "date_published": "2017-03-27T00:00:00Z",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html"
+ ],
+ "source": "MITRE",
+ "title": "APT29 Domain Fronting With TOR"
+ },
+ "related": [],
+ "uuid": "3e013b07-deaf-4387-acd7-2d0565d196a9",
+ "value": "FireEye APT29 Domain Fronting"
+ },
 {
 "description": "FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.",
 "meta": {
@@ -4654,6 +4890,20 @@
 "uuid": "8a44368f-3348-4817-aca7-81bfaca5ae6d",
 "value": "FireEye APT40 March 2019"
 },
+ {
+ "description": "Mandiant. (n.d.). APT41, A DUAL ESPIONAGE AND CYBER CRIME OPERATION. Retrieved June 11, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-11T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf"
+ ],
+ "source": "MITRE",
+ "title": "APT41, A DUAL ESPIONAGE AND CYBER CRIME OPERATION"
+ },
+ "related": [],
+ "uuid": "599f4411-6829-5a2d-865c-ac59e80afe83",
+ "value": "apt41_mandiant"
+ },
 {
 "description": "Mike Stokkel, Pierre Gerlings, Renato Fontana, Luis Rocha, Jared Wilson, Stephen Eckels, Jonathan Lepore. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved August 2, 2024.",
 "meta": {
@@ -4670,6 +4920,36 @@
 "uuid": "34ee3a7c-27c0-492f-a3c6-a5a3e86915f0",
 "value": "Mandiant APT41 July 18 2024"
 },
+ {
+ "description": "Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-16T00:00:00Z",
+ "date_published": "2024-07-18T00:00:00Z",
+ "refs": [
+ "https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust"
+ ],
+ "source": "MITRE",
+ "title": "APT41 Has Arisen From the DUST"
+ },
+ "related": [],
+ "uuid": "33bb9f8a-db9d-5dda-b4ae-2ba7fee0a0ae",
+ "value": "Google Cloud APT41 2024"
+ },
+ {
+ "description": "DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-13T00:00:00Z",
+ "date_published": "2022-12-24T00:00:00Z",
+ "refs": [
+ "https://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1"
+ ],
+ "source": "MITRE",
+ "title": "APT41 — The spy who failed to encrypt me"
+ },
+ "related": [],
+ "uuid": "fad90e96-93fd-59bd-970e-f0b37cac331d",
+ "value": "apt41_dcsocytec_dec2022"
+ },
 {
 "description": "Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024.",
 "meta": {
@@ -4715,6 +4995,35 @@
 "uuid": "53bab956-be5b-4d8d-b553-9926bc5d9fee",
 "value": "Mandiant Crooked Charms August 12 2022"
 },
+ {
+ "description": "Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-03T00:00:00Z",
+ "date_published": "2024-03-14T00:00:00Z",
+ "refs": [
+ "https://services.google.com/fh/files/misc/apt43-report-en.pdf"
+ ],
+ "source": "MITRE",
+ "title": "APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations"
+ },
+ "related": [],
+ "uuid": "8ac3fd0a-4a93-5262-9ac2-f676c5d11fda",
+ "value": "Mandiant APT43 March 2024"
+ },
+ {
+ "description": "Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-11T00:00:00Z",
+ "refs": [
+ "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf"
+ ],
+ "source": "MITRE",
+ "title": "APT44: Unearthing Sandworm"
+ },
+ "related": [],
+ "uuid": "cc03d668-e4d9-5dc1-b365-203db84938f2",
+ "value": "mandiant_apt44_unearthing_sandworm"
+ },
 {
 "description": "Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, Michael Barnhart. (2024, July 25). APT45: North Korea’s Digital Military Machine. Retrieved July 26, 2024.",
 "meta": {
@@ -4792,7 +5101,7 @@
 "value": "360 Machete Sep 2020"
 },
 {
- "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.",
+ "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020..",
 "meta": {
 "date_accessed": "2020-08-24T00:00:00Z",
 "date_published": "2020-04-15T00:00:00Z",
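Review bot: The only change the Cycraft hunk makes to the description is to turn `Retrieved August 24, 2020.` into `Retrieved August 24, 2020..`; the doubled period looks like an accidental edit, and the line should stay `"description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020."`. The same doubled period appears in the new Proofpoint entry on L121 (`The Proofpoint Threat Research Team..`), where the author list also separates names with periods instead of the comma and ampersand form the other multi-author descriptions in this patch use. The enclosing reference object ends outside this hunk.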
@@ -5271,6 +5580,21 @@
 "uuid": "15a4d429-28c3-52be-aeb8-d94ad2743866",
 "value": "spamhaus-malvertising"
 },
+ {
+ "description": "Raggi, Michael. Cass, Zydeca. The Proofpoint Threat Research Team.. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed Malware to Target European Governments and Refugee Movement. Retrieved August 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-05T00:00:00Z",
+ "date_published": "2022-03-01T00:00:00Z",
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails"
+ ],
+ "source": "MITRE",
+ "title": "Asylum Ambuscade: State Actor Uses Lua-based Sunseed Malware to Target European Governments and Refugee Movement"
+ },
+ "related": [],
+ "uuid": "313e8333-0512-50d4-a7f6-4294dc935003",
+ "value": "Lua Proofpoint Sunseed"
+ },
 {
 "description": "Microsoft. (n.d.). Asynchronous Procedure Calls. Retrieved December 8, 2017.",
 "meta": {
@@ -5529,6 +5853,21 @@
 "uuid": "a6311a66-bb36-4cad-a98f-2b0b89aafa3d",
 "value": "The DFIR Report Truebot June 12 2023"
 },
+ {
+ "description": "The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out. Retrieved May 31, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-31T00:00:00Z",
+ "date_published": "2023-06-12T00:00:00Z",
+ "refs": [
+ "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"
+ ],
+ "source": "MITRE",
+ "title": "A Truly Graceful Wipe Out"
+ },
+ "related": [],
+ "uuid": "b65988a7-3469-54d2-804c-e8ce1f698b5c",
+ "value": "DFIR Report Trickbot June 2023"
+ },
 {
 "description": "Hao, M. (2019, February 27). Attack and Defense Around PowerShell Event Logging. Retrieved November 24, 2021.",
 "meta": {
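Review bot: `"value": "DFIR Report Trickbot June 2023"` names Trickbot, but the entry's title is `A Truly Graceful Wipe Out` and the hunk's own context shows an existing key, `The DFIR Report Truebot June 12 2023`, with the same publisher and date, so this looks like a second key for the Truebot write-up under the wrong malware name. Compare the two entries' URLs; if they match, drop the new object or, if a MITRE-sourced key is required, name it after the content, e.g. `"value": "DFIR Report Truebot June 2023"`. Two keys for one reference also leaves downstream tooling with two uuids to de-duplicate.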
@@ -5726,12 +6065,12 @@
 "value": "SANS Attacking Kerberos Nov 2014"
 },
 {
- "description": "Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies. Retrieved July 8, 2019.",
+ "description": "Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2019-07-08T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2017-07-13T00:00:00Z",
 "refs": [
- "https://blog.netspi.com/attacking-sql-server-clr-assemblies/"
+ "https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/"
 ],
 "source": "MITRE",
 "title": "Attacking SQL Server CLR Assemblies"
@@ -6113,6 +6452,21 @@
 "uuid": "4e95ad81-cbc4-4f66-ba95-fb781d7d9c3c",
 "value": "Microsoft Audit Registry July 2012"
 },
+ {
+ "description": "Wadhwa-Brown, Tim. (2022). audit.rules. Retrieved September 17, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-17T00:00:00Z",
+ "date_published": "2022-01-01T00:00:00Z",
+ "refs": [
+ "https://github.com/CiscoCXSecurity/linikatz/blob/master/blue/audit/audit.rules"
+ ],
+ "source": "MITRE",
+ "title": "audit.rules"
+ },
+ "related": [],
+ "uuid": "b9f940cf-74fb-5a33-992c-82bdb538adbb",
+ "value": "audits linikatz"
+ },
 {
 "description": "Paganini, P. (2012, September 9). Elderwood project, who is behind Op. Aurora and ongoing attacks?. Retrieved February 13, 2018.",
 "meta": {
@@ -6127,6 +6481,21 @@
 "uuid": "ebfc56c5-0490-4b91-b49f-548c00a59162",
 "value": "Security Affairs Elderwood Sept 2012"
 },
+ {
+ "description": "Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’ WiFi attack on plane. Retrieved September 17, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-17T00:00:00Z",
+ "date_published": "2024-07-01T00:00:00Z",
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/"
+ ],
+ "source": "MITRE",
+ "title": "Australian charged for ‘Evil Twin’ WiFi attack on plane"
+ },
+ "related": [],
+ "uuid": "b50c354b-cdca-57e6-b8d6-a43ee334f091",
+ "value": "Australia ‘Evil Twin’"
+ },
 {
 "description": "NIST. (n.d.). Authentication. Retrieved January 30, 2020.",
 "meta": {
@@ -6391,12 +6760,12 @@
 "value": "AWS Root User"
 },
 {
- "description": "Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator. Retrieved December 16, 2020.",
+ "description": "Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator. Retrieved September 27, 2024.",
 "meta": {
- "date_accessed": "2020-12-16T00:00:00Z",
+ "date_accessed": "2024-09-27T00:00:00Z",
 "date_published": "2017-01-28T00:00:00Z",
 "refs": [
- "https://github.com/damianh/aws-adfs-credential-generator"
+ "https://github.com/pvanbuijtene/aws-adfs-credential-generator"
 ],
 "source": "MITRE",
 "title": "AWS-ADFS-Credential-Generator"
@@ -7756,6 +8125,20 @@
 "uuid": "752ad355-0f10-4c8d-bad8-42bf2fc75fa0",
 "value": "Google Cloud Storage Best Practices, 2019"
 },
+ {
+ "description": "AWS. (n.d.). Best practices for the management account. Retrieved October 16, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-16T00:00:00Z",
+ "refs": [
+ "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html"
+ ],
+ "source": "MITRE",
+ "title": "Best practices for the management account"
+ },
+ "related": [],
+ "uuid": "f20b5870-d82d-5c50-893a-73248c8f5900",
+ "value": "AWS Management Account Best Practices"
+ },
 {
 "description": "Johann Rehberger. (2020, September 23). Beware of the Shadowbunny - Using virtual machines to persist and evade detections. Retrieved September 22, 2021.",
 "meta": {
@@ -7832,6 +8215,21 @@
 "uuid": "bdcdfe9e-1f22-4472-9a86-faefcb5c5618",
 "value": "Hexacorn Logon Scripts"
 },
+ {
+ "description": "Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5. Retrieved August 14, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-14T00:00:00Z",
+ "date_published": "2013-12-08T00:00:00Z",
+ "refs": [
+ "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/"
+ ],
+ "source": "MITRE",
+ "title": "Beyond good ol’ Run key, Part 5"
+ },
+ "related": [],
+ "uuid": "bbe0690e-f368-5715-8a41-aa95836a5e4c",
+ "value": "Hexacorn DLL Hijacking"
+ },
 {
 "description": "Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62. Retrieved July 3, 2017.",
 "meta": {
@@ -7940,6 +8338,20 @@
 "uuid": "df471757-2ce0-48a7-922f-a84c57704914",
 "value": "CrowdStrike Ryuk January 2019"
 },
+ {
+ "description": "Elastic. (n.d.). Binary Executed from Shared Memory Directory. Retrieved September 24, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-24T00:00:00Z",
+ "refs": [
+ "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html"
+ ],
+ "source": "MITRE",
+ "title": "Binary Executed from Shared Memory Directory"
+ },
+ "related": [],
+ "uuid": "025912f5-531c-5a14-b300-e42f00077264",
+ "value": "Elastic Binary Executed from Shared Memory Directory"
+ },
 {
 "description": "OWASP. (2013, January 30). Binary planting. Retrieved June 7, 2016.",
 "meta": {
@@ -8014,6 +8426,21 @@
 "uuid": "dd6032fb-8913-4593-81b9-86d1239e01f4",
 "value": "Ge 2011"
 },
+ {
+ "description": "Broadcom. (2024, May 2). BirdyClient malware leverages Microsoft Graph API for C&C communication. Retrieved July 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-01T00:00:00Z",
+ "date_published": "2024-05-02T00:00:00Z",
+ "refs": [
+ "https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication"
+ ],
+ "source": "MITRE",
+ "title": "BirdyClient malware leverages Microsoft Graph API for C&C communication"
+ },
+ "related": [],
+ "uuid": "a55197e2-3ed7-5b6f-8ab5-06218c2226a4",
+ "value": "Broadcom BirdyClient Microsoft Graph API 2024"
+ },
 {
 "description": "Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.",
 "meta": {
@@ -8181,6 +8608,21 @@
 "uuid": "dc7d882b-4e83-42da-8e2f-f557b675930a",
 "value": "Trend Micro Pikabot January 9 2024"
 },
+ {
+ "description": "Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-17T00:00:00Z",
+ "date_published": "2024-01-09T00:00:00Z",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html"
+ ],
+ "source": "MITRE",
+ "title": "Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign"
+ },
+ "related": [],
+ "uuid": "a2a22246-d49e-5847-9d20-dac64f1df3ea",
+ "value": "TrendMicro Pikabot 2024"
+ },
 {
 "description": "Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.",
 "meta": {
@@ -8364,21 +8806,6 @@
 "uuid": "481a0106-d5b6-532c-8f5b-6c0c477185f4",
 "value": "Sophos BlackCat Jul 2022"
 },
- {
- "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . Retrieved June 10, 2020.",
- "meta": {
- "date_accessed": "2020-06-10T00:00:00Z",
- "date_published": "2016-01-03T00:00:00Z",
- "refs": [
- "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
- ],
- "source": "MITRE",
- "title": "BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry"
- },
- "related": [],
- "uuid": "a0103079-c966-46b6-8871-c01f7f0eea4c",
- "value": "ESET BlackEnergy Jan 2016"
- },
 {
 "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.",
 "meta": {
@@ -8394,6 +8821,21 @@
 "uuid": "4d626eb9-3722-4aa4-b95e-1650cc2865c2",
 "value": "ESEST Black Energy Jan 2016"
 },
+ {
+ "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . Retrieved June 10, 2020.",
+ "meta": {
+ "date_accessed": "2020-06-10T00:00:00Z",
+ "date_published": "2016-01-03T00:00:00Z",
+ "refs": [
+ "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
+ ],
+ "source": "MITRE",
+ "title": "BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry"
+ },
+ "related": [],
+ "uuid": "a0103079-c966-46b6-8871-c01f7f0eea4c",
+ "value": "ESET BlackEnergy Jan 2016"
+ },
 {
 "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
 "meta": {
@@ -8578,12 +9020,12 @@
 "value": "Technospot Chrome Extensions GP"
 },
 {
- "description": "Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved January 22, 2018.",
+ "description": "Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2018-01-22T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2017-11-26T00:00:00Z",
 "refs": [
- "https://twitter.com/Evi1cg/status/935027922397573120"
+ "https://x.com/Evi1cg/status/935027922397573120"
 ],
 "source": "MITRE",
 "title": "block cmd.exe ? try this :"
@@ -8623,19 +9065,20 @@
 "value": "GitHub Bloodhound"
 },
 {
- "description": "Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.",
+ "description": "PwC Threat Intelligence. (2022, December 6). Blue Callisto orbits around US Laboratories in 2022. Retrieved October 1, 2024.",
 "meta": {
- "date_accessed": "2019-11-21T00:00:00Z",
- "date_published": "2018-10-14T00:00:00Z",
+ "date_accessed": "2024-10-01T00:00:00Z",
+ "date_published": "2022-12-06T00:00:00Z",
+ "owner": "TidalCyberIan",
 "refs": [
- "https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815"
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html"
 ],
- "source": "MITRE",
- "title": "Blue Cloud of Death: Red Teaming Azure"
+ "source": "Tidal Cyber",
+ "title": "Blue Callisto orbits around US Laboratories in 2022"
 },
 "related": [],
- "uuid": "39b0adf6-c71e-4501-b8bb-fab82718486b",
- "value": "Blue Cloud of Death Video"
+ "uuid": "ab48a205-ca06-4328-96a4-876007024a7d",
+ "value": "PwC Blue Callisto December 6 2022"
 },
 {
 "description": "Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.",
@@ -8652,6 +9095,21 @@
 "uuid": "0c764280-9d8c-4fa4-9088-170f02550d4c",
 "value": "Blue Cloud of Death"
 },
+ {
+ "description": "Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.",
+ "meta": {
+ "date_accessed": "2019-11-21T00:00:00Z",
+ "date_published": "2018-10-14T00:00:00Z",
+ "refs": [
+ "https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815"
+ ],
+ "source": "MITRE",
+ "title": "Blue Cloud of Death: Red Teaming Azure"
+ },
+ "related": [],
+ "uuid": "39b0adf6-c71e-4501-b8bb-fab82718486b",
+ "value": "Blue Cloud of Death Video"
+ },
 {
 "description": "SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.",
 "meta": {
@@ -8755,20 +9213,6 @@
 "uuid": "835c9e5d-b291-43d9-9b8a-2978aa8c8cd3",
 "value": "FireEye BOOTRASH SANS"
 },
- {
- "description": "Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019",
- "meta": {
- "date_accessed": "2019-10-22T00:00:00Z",
- "refs": [
- "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
- ],
- "source": "MITRE",
- "title": "Booz Allen Hamilton"
- },
- "related": [],
- "uuid": "7f0acd33-602e-5f07-a1ae-a87e3c8f2eb5",
- "value": "Booz Allen Hamilton"
- },
 {
 "description": "Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.",
 "meta": {
@@ -8814,6 +9258,21 @@
 "uuid": "01c8337f-614b-5f63-870f-5c880b390922",
 "value": "Sandfly BPFDoor 2022"
 },
+ {
+ "description": "Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-19T00:00:00Z",
+ "date_published": "2023-05-10T00:00:00Z",
+ "refs": [
+ "https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game"
+ ],
+ "source": "MITRE",
+ "title": "BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game"
+ },
+ "related": [],
+ "uuid": "c246b4da-75fb-5b41-ba9c-c0eb1b261e37",
+ "value": "Deep Instinct BPFDoor 2023"
+ },
 {
 "description": "Dr. Nestori Syynimaa. (2021, January 31). BPRT unleashed: Joining multiple devices to Azure AD and Intune. Retrieved March 4, 2022.",
 "meta": {
@@ -9627,21 +10086,6 @@
 "uuid": "74df644a-06b8-4331-85a3-932358d65b62",
 "value": "Hybrid Analysis Icacls1 June 2018"
 },
- {
- "description": "Microsoft. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.",
- "meta": {
- "date_accessed": "2020-02-21T00:00:00Z",
- "date_published": "2016-08-21T00:00:00Z",
- "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v%3Dws.11)"
- ],
- "source": "MITRE",
- "title": "Cached and Stored Credentials Technical Overview"
- },
- "related": [],
- "uuid": "590ea63f-f800-47e4-8d39-df11a184ba84",
- "value": "Microsoft - Cached Creds"
- },
 {
 "description": "Microsoft. (2016, August 31). Cached and Stored Credentials Technical Overview. Retrieved November 24, 2020.",
 "meta": {
@@ -9657,6 +10101,21 @@
 "uuid": "c949a29b-bb31-4bd7-a967-ddd48c7efb8e",
 "value": "Microsoft Credential Manager store"
 },
+ {
+ "description": "Microsoft. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.",
+ "meta": {
+ "date_accessed": "2020-02-21T00:00:00Z",
+ "date_published": "2016-08-21T00:00:00Z",
+ "refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v%3Dws.11)"
+ ],
+ "source": "MITRE",
+ "title": "Cached and Stored Credentials Technical Overview"
+ },
+ "related": [],
+ "uuid": "590ea63f-f800-47e4-8d39-df11a184ba84",
+ "value": "Microsoft - Cached Creds"
+ },
 {
 "description": "Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.",
 "meta": {
@@ -9718,21 +10177,6 @@
 "uuid": "7180c6a7-e6ea-54bf-bcd7-c5238bbc5f5b",
 "value": "Cadet Blizzard emerges as novel threat actor"
 },
- {
- "description": "Matt Muir. (2022, April 6). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved May 27, 2022.",
- "meta": {
- "date_accessed": "2022-05-27T00:00:00Z",
- "date_published": "2022-04-06T00:00:00Z",
- "refs": [
- "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/"
- ],
- "source": "MITRE",
- "title": "Cado Discovers Denonia: The First Malware Specifically Targeting Lambda"
- },
- "related": [],
- "uuid": "584e7ace-ef33-423b-9801-4728a447cb34",
- "value": "Cado Security Denonia"
- },
 {
 "description": "jbowen. (2022, April 3). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved April 11, 2024.",
 "meta": {
@@ -9749,6 +10193,21 @@
 "uuid": "b276c28d-1488-4a21-86d1-7acdfd77794b",
 "value": "Cado Denonia April 3 2022"
 },
+ {
+ "description": "Matt Muir. (2022, April 6). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved May 27, 2022.",
+ "meta": {
+ "date_accessed": "2022-05-27T00:00:00Z",
+ "date_published": "2022-04-06T00:00:00Z",
+ "refs": [
+ "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/"
+ ],
+ "source": "MITRE",
+ "title": "Cado Discovers Denonia: The First Malware Specifically Targeting Lambda"
+ },
+ "related": [],
+ "uuid": "584e7ace-ef33-423b-9801-4728a447cb34",
+ "value": "Cado Security Denonia"
+ },
 {
 "description": "William Turton. (2023, September 13). Caesars Entertainment Paid Millions to Hackers in Attack. Retrieved September 14, 2023.",
 "meta": {
@@ -9765,6 +10224,22 @@
 "uuid": "6915c003-7c8b-451c-8fb1-3541f00c14fb",
 "value": "Caesars Scattered Spider September 13 2023"
 },
+ {
+ "description": "Felix Aimé, Maxime A., Sekoia TDR. (2022, December 5). Calisto show interests into entities involved in Ukraine war support. Retrieved October 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-01T00:00:00Z",
+ "date_published": "2022-12-05T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Calisto show interests into entities involved in Ukraine war support"
+ },
+ "related": [],
+ "uuid": "02fed1d1-b8a9-4bca-9e96-2cffe6f7ba89",
+ "value": "Sekoia Calisto December 5 2022"
+ },
 {
 "description": "Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.",
 "meta": {
@@ -9797,12 +10272,12 @@
 "value": "CERTFR-2023-CTI-009"
 },
 {
- "description": "FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 29, 2021.",
+ "description": "FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2021-09-29T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2017-07-27T00:00:00Z",
 "refs": [
- "https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1680.do"
+ "https://fsiceat.tistory.com/2"
 ],
 "source": "MITRE",
 "title": "Campaign Rifle - Andariel, the Maiden of Anguish"
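Review bot: The Campaign Rifle entry's `refs` URL now points at `https://fsiceat.tistory.com/2`, a blog-hosting domain, where the previous value cited the publisher's own site on fsec.or.kr; the record no longer shows on its face that this is the FSI report, and a blog mirror is easier to alter or lose than the original. If the fsec.or.kr page is gone, a Wayback Machine capture of the original URL, as this patch already does for the Carberp entry, would keep the authoritative source; otherwise list both URLs in `refs`. If this merely tracks the upstream MITRE citation, the concern belongs upstream, but it is worth recording here so consumers know the provenance changed.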
@@ -9828,19 +10303,19 @@
 "value": "Check Point Research January 5 2022"
 },
 {
- "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.",
+ "description": "Sergey Polak. (2004, August). Capturing Windows Passwords using the Network Provider API. Retrieved May 17, 2024.",
 "meta": {
- "date_accessed": "2018-08-23T00:00:00Z",
- "date_published": "2015-02-01T00:00:00Z",
+ "date_accessed": "2024-05-17T00:00:00Z",
+ "date_published": "2004-08-01T00:00:00Z",
 "refs": [
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf"
+ "https://www.blackhat.com/presentations/win-usa-04/bh-win-04-polak/bh-win-04-polak2.pdf"
 ],
- "source": "MITRE, Tidal Cyber",
- "title": "CARBANAK APT THE GREAT BANK ROBBERY"
+ "source": "MITRE",
+ "title": "Capturing Windows Passwords using the Network Provider API"
 },
 "related": [],
- "uuid": "2f7e77db-fe39-4004-9945-3c8943708494",
- "value": "Kaspersky Carbanak"
+ "uuid": "ab5872b0-a755-5d85-8750-0b22f00ccb37",
+ "value": "Polak NPPSPY 2004"
 },
 {
 "description": "Kaspersky Lab's Global Research & Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved March 27, 2017.",
@@ -9857,6 +10332,21 @@
 "uuid": "053a2bbb-5509-4aba-bbd7-ccc3d8074291",
 "value": "KasperskyCarbanak"
 },
+ {
+ "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.",
+ "meta": {
+ "date_accessed": "2018-08-23T00:00:00Z",
+ "date_published": "2015-02-01T00:00:00Z",
+ "refs": [
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf"
+ ],
+ "source": "MITRE, Tidal Cyber",
+ "title": "CARBANAK APT THE GREAT BANK ROBBERY"
+ },
+ "related": [],
+ "uuid": "2f7e77db-fe39-4004-9945-3c8943708494",
+ "value": "Kaspersky Carbanak"
+ },
 {
 "description": "Griffin, N. (2017, January 17). CARBANAK GROUP USES GOOGLE FOR MALWARE COMMAND-AND-CONTROL. Retrieved February 15, 2017.",
 "meta": {
@@ -9888,12 +10378,12 @@
 "value": "Trend Micro Carberp February 2014"
 },
 {
- "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.",
+ "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2020-07-15T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2011-02-28T00:00:00Z",
 "refs": [
- "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf"
+ "https://web.archive.org/web/20231227000328/http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf"
 ],
 "source": "MITRE",
 "title": "Carberp - a modular information stealing trojan"
@@ -9962,6 +10452,20 @@
 "uuid": "8d978b94-75c9-46a1-812a-bafe3396eda9",
 "value": "PaloAlto CardinalRat Apr 2017"
 },
+ {
+ "description": "Carl Hurd. (2019, March 26) VPNFilter Deep Dive. Retrieved March 28, 2019",
+ "meta": {
+ "date_accessed": "2019-03-28T00:00:00Z",
+ "refs": [
+ "https://www.youtube.com/watch?v=yuZazP22rpI"
+ ],
+ "source": "MITRE",
+ "title": "Carl Hurd March 2019"
+ },
+ "related": [],
+ "uuid": "8a4e28f9-b0ba-56ad-a957-b5913bf9a7d5",
+ "value": "Carl Hurd March 2019"
+ },
 {
 "description": "ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.",
 "meta": {
@@ -10294,12 +10798,12 @@
 "value": "FireEye CFR Watering Hole 2012"
 },
 {
- "description": "Glyer, C. (2018, April 14). @cglyer Status Update. Retrieved October 11, 2018.",
+ "description": "Glyer, C. (2018, April 14). @cglyer Status Update. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2018-10-11T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2018-04-14T00:00:00Z",
 "refs": [
- "https://twitter.com/cglyer/status/985311489782374400"
+ "https://x.com/cglyer/status/985311489782374400"
 ],
 "source": "MITRE",
 "title": "@cglyer Status Update"
@@ -10354,12 +10858,12 @@
 "value": "Securelist Remexi Jan 2019"
 },
 {
- "description": "The DFIR Report. (2022, March 1). \"Change RDP port\" #ContiLeaks. Retrieved March 1, 2022.",
+ "description": "The DFIR Report. (2022, March 1). \"Change RDP port\" #ContiLeaks. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2022-03-01T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2022-03-01T00:00:00Z",
 "refs": [
- "https://twitter.com/TheDFIRReport/status/1498657772254240768"
+ "https://x.com/TheDFIRReport/status/1498657772254240768"
 ],
 "source": "MITRE",
 "title": "\"Change RDP port\" #ContiLeaks"
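Review bot: In the Carl Hurd entry the `title` field repeats the `value` (`Carl Hurd March 2019`) instead of the talk's title, which the description itself gives as `VPNFilter Deep Dive`, so a title-based search will not find it. The description also omits the period after the date and names a publication date that `meta` does not carry. Suggest `"title": "VPNFilter Deep Dive"` and adding `"date_published": "2019-03-26T00:00:00Z"`, the date the description states.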
@@ -10621,6 +11125,22 @@
 "uuid": "6da7eb8a-aab4-41ea-a0b7-5313d88cbe91",
 "value": "Recorded Future RedEcho Feb 2021"
 },
+ {
+ "description": "Sarah Krouse, Robert McMillan, Dustin Volz. (2024, September 26). China-Linked Hackers Breach U.S. Internet Providers in New ‘Salt Typhoon’ Cyberattack. Retrieved October 24, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-24T00:00:00Z",
+ "date_published": "2024-09-26T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835"
+ ],
+ "source": "Tidal Cyber",
+ "title": "China-Linked Hackers Breach U.S. Internet Providers in New ‘Salt Typhoon’ Cyberattack"
+ },
+ "related": [],
+ "uuid": "15b4c5c3-edf2-4f6b-b398-62767cfabf5a",
+ "value": "WSJ Salt Typhoon September 26 2024"
+ },
 {
 "description": "Sygnia Team. (2024, June 17). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved June 20, 2024.",
 "meta": {
@@ -10761,6 +11281,21 @@
 "uuid": "41fc3724-85a0-4ad0-9494-47f89f3b079b",
 "value": "The Record APT31 Router Hacks"
 },
+ {
+ "description": "Cimpanu, Catalin. (2021, July 20). Chinese hacking group APT31 uses mesh of home routers to disguise attacks. Retrieved July 8, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-08T00:00:00Z",
+ "date_published": "2021-07-20T00:00:00Z",
+ "refs": [
+ "https://therecord.media/chinese-hacking-group-apt31-uses-mesh-of-home-routers-to-disguise-attacks"
+ ],
+ "source": "MITRE",
+ "title": "Chinese hacking group APT31 uses mesh of home routers to disguise attacks"
+ },
+ "related": [],
+ "uuid": "67b5e2ef-21cc-52f6-95c9-88a8cdcbe74e",
+ "value": "ORB APT31"
+ },
 {
 "description": "Chickowski, E. (2015, February 10). Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole. Retrieved September 13, 2018.",
 "meta": {
@@ -10777,12 +11312,12 @@
 "value": "Dark Reading Codoso Feb 2015"
 },
 {
- "description": "INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 2, 2022.",
+ "description": "INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 16, 2024.",
 "meta": {
- "date_accessed": "2022-09-02T00:00:00Z",
+ "date_accessed": "2024-09-16T00:00:00Z",
 "date_published": "2021-07-08T00:00:00Z",
 "refs": [
- "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan"
+ "https://www.recordedfuture.com/research/chinese-group-tag-22-targets-nepal-philippines-taiwan"
 ],
 "source": "MITRE",
 "title": "Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling"
@@ -11279,6 +11814,21 @@
 "uuid": "4115ab53-751c-4016-9151-a55eab7d6ddf",
 "value": "Clearing quarantine attribute"
 },
+ {
+ "description": "Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved May 17, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-17T00:00:00Z",
+ "date_published": "2022-08-16T00:00:00Z",
+ "refs": [
+ "https://www.huntress.com/blog/cleartext-shenanigans-gifting-user-passwords-to-adversaries-with-nppspy"
+ ],
+ "source": "MITRE",
+ "title": "Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY"
+ },
+ "related": [],
+ "uuid": "833c22ac-4f65-521a-9eda-8d22e255577e",
+ "value": "Huntress NPPSPY 2022"
+ },
 {
 "description": "Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved March 30, 2023.",
 "meta": {
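Review bot: The added `Huntress NPPSPY 2022` entry appears to cite the same source as the existing entry that immediately follows it in the trailing context (same author, publication date and title; the existing entry's URL is outside the hunk, so this is inferred), differing only in the retrieval date and `uuid`. Consumers that resolve references by URL or title will get two records for one article and may attach relationships to either. If upstream MITRE keeps both citations and this file tracks it verbatim, that is expected; otherwise merge them and keep the later `date_accessed`.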
@@ -11294,6 +11844,51 @@
 "uuid": "df1f7379-38c3-5ca9-8333-d684022c000c",
 "value": "NPPSPY - Huntress"
 },
+ {
+ "description": "Microsoft. (2023, March 9). ClickOnce and Authenticode. Retrieved September 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-09T00:00:00Z",
+ "date_published": "2023-03-09T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-and-authenticode?view=vs-2022"
+ ],
+ "source": "MITRE",
+ "title": "ClickOnce and Authenticode"
+ },
+ "related": [],
+ "uuid": "5e5c02cf-02fe-591a-b597-778999ab31c4",
+ "value": "Microsoft Learn ClickOnce and Authenticode"
+ },
+ {
+ "description": "William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE IN: When .appref-ms abuse is operating as intended. Retrieved September 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-09T00:00:00Z",
+ "date_published": "2019-08-07T00:00:00Z",
+ "refs": [
+ "https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf?_gl=1*16njas6*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.253743689.1512103758.1724809895-1999078900.1724809894"
+ ],
+ "source": "MITRE",
+ "title": "CLICKONCE AND YOU’RE IN: When .appref-ms abuse is operating as intended"
+ },
+ "related": [],
+ "uuid": "5a1b4ee9-1c22-5f12-9fd9-723cc0055f4b",
+ "value": "Burke/CISA ClickOnce BlackHat"
+ },
+ {
+ "description": "Microsoft. (2023, September 14). ClickOnce security and deployment. Retrieved September 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-09T00:00:00Z",
+ "date_published": "2023-09-14T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022"
+ ],
+ "source": "MITRE",
+ "title": "ClickOnce security and deployment"
+ },
+ "related": [],
+ "uuid": "2e91b430-81e7-54e1-8e8c-763f71146e0c",
+ "value": "Microsoft Learn ClickOnce"
+ },
 {
 "description": "LOLBAS. (2018, May 25). CL_Invocation.ps1. Retrieved December 4, 2023.",
 "meta": {
@@ -11373,19 +11968,19 @@
 "value": "CL_Mutexverifiers.ps1 - LOLBAS Project"
 },
 {
- "description": "Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.",
+ "description": "Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.",
 "meta": {
- "date_accessed": "2021-05-10T00:00:00Z",
- "date_published": "2019-08-01T00:00:00Z",
+ "date_accessed": "2024-09-24T00:00:00Z",
+ "date_published": "2024-06-18T00:00:00Z",
 "refs": [
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/"
+ "https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations"
 ],
 "source": "MITRE",
- "title": "Clop Ransomware"
+ "title": "Cloaked and Covert: Uncovering UNC3886 Espionage Operations"
 },
 "related": [],
- "uuid": "458141bd-7dd2-41fd-82e8-7ea2e4a477ab",
- "value": "Mcafee Clop Aug 2019"
+ "uuid": "77b32efe-b936-5541-b0fb-aa442a7d11b7",
+ "value": "Google Cloud Mandiant UNC3886 2024"
 },
 {
 "description": "Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.",
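Review bot: The `refs` URL of the `Burke/CISA ClickOnce BlackHat` entry carries Google Analytics cross-domain linker parameters (`_gl`, `_gcl_au`, `_ga`, `_ga_K4JK67TFYV`) that were copied from the curator's browser session rather than being part of the document's address. They embed client identifiers in a public dataset and make this URL differ from any other citation of the same PDF, so deduplication by URL will miss it. Strip the query string and keep `https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf`. The other two ClickOnce entries in the same hunk are fine.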
@@ -11401,6 +11996,21 @@
 "uuid": "f54d682d-100e-41bb-96be-6a79ea422066",
 "value": "Cybereason Clop Dec 2020"
 },
+ {
+ "description": "Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.",
+ "meta": {
+ "date_accessed": "2021-05-10T00:00:00Z",
+ "date_published": "2019-08-01T00:00:00Z",
+ "refs": [
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/"
+ ],
+ "source": "MITRE",
+ "title": "Clop Ransomware"
+ },
+ "related": [],
+ "uuid": "458141bd-7dd2-41fd-82e8-7ea2e4a477ab",
+ "value": "Mcafee Clop Aug 2019"
+ },
 {
 "description": "Sergiu Gatlan. (2023, February 10). Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day. Retrieved May 8, 2023.",
 "meta": {
@@ -11492,6 +12102,20 @@
 "uuid": "dddf33ea-d074-4bc4-98d2-39b7e843e37d",
 "value": "Office 265 Azure Domain Availability"
 },
+ {
+ "description": "Stratus Red Team. (n.d.). CloudTrail Logs Impairment Through S3 Lifecycle Rule. Retrieved September 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-25T00:00:00Z",
+ "refs": [
+ "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/"
+ ],
+ "source": "MITRE",
+ "title": "CloudTrail Logs Impairment Through S3 Lifecycle Rule"
+ },
+ "related": [],
+ "uuid": "08efef52-40f6-5c76-a1b6-76ac1b7f423b",
+ "value": "Datadog S3 Lifecycle CloudTrail Logs"
+ },
 {
 "description": "Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023.",
 "meta": {
@@ -11630,12 +12254,12 @@
 "value": "Cmstp.exe - LOLBAS Project"
 },
 {
- "description": "Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution applocker bypass. Retrieved April 11, 2018.",
+ "description": "Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution applocker bypass. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2018-04-11T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2018-01-30T00:00:00Z",
 "refs": [
- "https://twitter.com/NickTyrer/status/958450014111633408"
+ "https://x.com/NickTyrer/status/958450014111633408"
 ],
 "source": "MITRE",
 "title": "CMSTP.exe - remote .sct execution applocker bypass"
@@ -11747,6 +12371,21 @@
 "uuid": "eb7abdb2-b270-46ae-a950-5a93d09b3565",
 "value": "Cobalt Strike Manual 4.3 November 2020"
 },
+ {
+ "description": "Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia Siddhart Shibiraj. (2022, March 16). Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved September 24, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-24T00:00:00Z",
+ "date_published": "2022-03-16T00:00:00Z",
+ "refs": [
+ "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/"
+ ],
+ "source": "MITRE",
+ "title": "Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect"
+ },
+ "related": [],
+ "uuid": "49cf201e-d3da-5ba9-98df-edc50514a612",
+ "value": "Malleable-C2-U42"
+ },
 {
 "description": "Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.",
 "meta": {
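Review bot: The author list in the `Malleable-C2-U42` description runs six names together with no separators (`Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia Siddhart Shibiraj`), unlike every other multi-author citation in this file, which separates authors with commas; as written the name boundaries are ambiguous to a reader. If the split is as I read it, `Chris Navarrete, Durgesh Sangvikar, Andrew Guan, Yu Fu, Yanhui Jia, Siddhart Shibiraj. (2022, March 16). ...` with the rest of the string unchanged would match the file's convention; confirm the author list against the cited Unit 42 page.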
@@ -12320,6 +12959,21 @@
 "uuid": "a7078eee-5478-4a93-9a7e-8db1d020e1da",
 "value": "MDMProfileConfigMacOS"
 },
+ {
+ "description": "Microsoft Azure. (2024, July 3). Configure a lifecycle management policy. Retrieved September 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-25T00:00:00Z",
+ "date_published": "2024-07-03T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal"
+ ],
+ "source": "MITRE",
+ "title": "Configure a lifecycle management policy"
+ },
+ "related": [],
+ "uuid": "7ac4c481-7798-53b3-b7ad-bc09a40f99b7",
+ "value": "Azure Storage Lifecycles"
+ },
 {
 "description": "Microsoft. (2023, August 29). Configure and approve just-in-time access for Azure Managed Applications. Retrieved September 21, 2023.",
 "meta": {
@@ -12423,6 +13077,21 @@
 "uuid": "a74ffa28-8a2e-4bfd-bc66-969b463bebd9",
 "value": "Kubernetes Service Accounts"
 },
+ {
+ "description": "Microsoft. (2023, August 4). Configure the ClickOnce trust prompt behavior. Retrieved September 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-09T00:00:00Z",
+ "date_published": "2023-08-04T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior?view=vs-2022&tabs=csharp"
+ ],
+ "source": "MITRE",
+ "title": "Configure the ClickOnce trust prompt behavior"
+ },
+ "related": [],
+ "uuid": "3a75c7d6-b3f3-5f25-bbcb-e0a18982dfed",
+ "value": "Microsoft Learn ClickOnce Config"
+ },
 {
 "description": "Microsoft. (n.d.). Configure Timeout and Reconnection Settings for Remote Desktop Services Sessions. Retrieved December 11, 2017.",
 "meta": {
@@ -12437,36 +13106,6 @@
 "uuid": "ccd0d241-4ff7-4a15-b2b4-06945980c6bf",
 "value": "Windows RDP Sessions"
 },
- {
- "description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved February 13, 2015.",
- "meta": {
- "date_accessed": "2015-02-13T00:00:00Z",
- "date_published": "2013-07-31T00:00:00Z",
- "refs": [
- "https://technet.microsoft.com/en-us/library/dn408187.aspx"
- ],
- "source": "MITRE",
- "title": "Configuring Additional LSA Protection"
- },
- "related": [],
- "uuid": "3ad49746-4e42-4663-a49e-ae64152b9463",
- "value": "Microsoft LSA"
- },
- {
- "description": "Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017.",
- "meta": {
- "date_accessed": "2017-11-27T00:00:00Z",
- "date_published": "2014-03-12T00:00:00Z",
- "refs": [
- "https://technet.microsoft.com/library/dn408187.aspx"
- ],
- "source": "MITRE",
- "title": "Configuring Additional LSA Protection"
- },
- "related": [],
- "uuid": "da3f1d7d-188f-4500-9bc6-3299ba043b5c",
- "value": "Microsoft LSA Protection Mar 2014"
- },
 {
 "description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.",
 "meta": {
@@ -12482,6 +13121,36 @@
 "uuid": "4adfc72b-cd32-46a6-bdf4-a4c2c6cffa73",
 "value": "Microsoft Configure LSA"
 },
+ {
+ "description": "Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017.",
+ "meta": {
+ "date_accessed": "2017-11-27T00:00:00Z",
+ "date_published": "2014-03-12T00:00:00Z",
+ "refs": [
+ "https://technet.microsoft.com/library/dn408187.aspx"
+ ],
+ "source": "MITRE",
+ "title": "Configuring Additional LSA Protection"
+ },
+ "related": [],
+ "uuid": "da3f1d7d-188f-4500-9bc6-3299ba043b5c",
+ "value": "Microsoft LSA Protection Mar 2014"
+ },
+ {
+ "description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved February 13, 2015.",
+ "meta": {
+ "date_accessed": "2015-02-13T00:00:00Z",
+ "date_published": "2013-07-31T00:00:00Z",
+ "refs": [
+ "https://technet.microsoft.com/en-us/library/dn408187.aspx"
+ ],
+ "source": "MITRE",
+ "title": "Configuring Additional LSA Protection"
+ },
+ "related": [],
+ "uuid": "3ad49746-4e42-4663-a49e-ae64152b9463",
+ "value": "Microsoft LSA"
+ },
 {
 "description": "Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020.",
 "meta": {
@@ -12496,6 +13165,20 @@
 "uuid": "bd310606-f472-4eda-a696-50a3a25f07b3",
 "value": "Configuring Data Access audit logs"
 },
+ {
+ "description": "Cisco. (n.d.). Configuring DHCP Snooping. Retrieved September 17, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-17T00:00:00Z",
+ "refs": [
+ "https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/snoodhcp.html#wp1120427"
+ ],
+ "source": "MITRE",
+ "title": "Configuring DHCP Snooping"
+ },
+ "related": [],
+ "uuid": "cc5eda1b-5e64-52e8-b98f-8df2f3e10475",
+ "value": "cisco dhcp snooping"
+ },
 {
 "description": "Microsoft. (n.d.). Configuring SID Filter Quarantining on External Trusts. Retrieved November 30, 2017.",
 "meta": {
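Review bot: The `cisco dhcp snooping` entry's `refs` URL has `docs/general/Test/dwerblo/broken_guide/` in its path, which reads like a test or staging location on cisco.com rather than a published configuration guide, so the link is likely to disappear or already redirect. Before merging, confirm the URL still resolves and prefer the canonical Cisco DHCP snooping configuration-guide URL (or a Wayback Machine capture of this one) in its place. The `value` is also the only all-lowercase one in this region of the file; `Cisco DHCP Snooping` would match the convention of the neighbouring entries.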
@@ -12766,6 +13449,21 @@
 "uuid": "5ef0ad9d-f34d-4771-a595-7ee4994f6c91",
 "value": "Cybleinc Conti January 2020"
 },
+ {
+ "description": "Microsoft Developer Support. (2020, May 9). Control Access to Power Apps and Power Automate with Azure AD Conditional Access Policies. Retrieved July 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-01T00:00:00Z",
+ "date_published": "2020-05-09T00:00:00Z",
+ "refs": [
+ "https://devblogs.microsoft.com/premier-developer/control-access-to-power-apps-and-power-automate-with-azure-ad-conditional-access-policies/"
+ ],
+ "source": "MITRE",
+ "title": "Control Access to Power Apps and Power Automate with Azure AD Conditional Access Policies"
+ },
+ "related": [],
+ "uuid": "d198608c-2676-5f44-bbc8-5455c2b36cdb",
+ "value": "Microsoft Developer Support Power Apps Conditional Access"
+ },
 {
 "description": "LOLBAS. (2018, May 25). Control.exe. Retrieved December 4, 2023.",
 "meta": {
@@ -13022,12 +13720,12 @@
 "value": "F-Secure Cosmicduke"
 },
 {
- "description": "Costin Raiu. (2020, October 2). Costin Raiu Twitter IAmTheKing SlothfulMedia. Retrieved November 16, 2020.",
+ "description": "Costin Raiu. (2020, October 2). Costin Raiu Twitter IAmTheKing SlothfulMedia. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2020-11-16T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2020-10-02T00:00:00Z",
 "refs": [
- "https://twitter.com/craiu/status/1311920398259367942"
+ "https://x.com/craiu/status/1311920398259367942"
 ],
 "source": "MITRE",
 "title": "Costin Raiu Twitter IAmTheKing SlothfulMedia"
@@ -13051,6 +13749,21 @@
 "uuid": "6d568141-eb54-5001-b880-ae8ac1156746",
 "value": "Google Iran Threats October 2021"
 },
+ {
+ "description": "cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-04T00:00:00Z",
+ "date_published": "2021-04-21T00:00:00Z",
+ "refs": [
+ "https://github.com/cobbr/Covenant"
+ ],
+ "source": "MITRE",
+ "title": "Covenant"
+ },
+ "related": [],
+ "uuid": "b717c3ae-8ae0-53c9-90ba-a34cf7694f3c",
+ "value": "Github Covenant"
+ },
 {
 "description": "Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.",
 "meta": {
@@ -13306,11 +14019,26 @@
 "value": "Google Cloud Kubernetes IAM"
 },
 {
- "description": "Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.",
+ "description": "Microsoft. (2023, February 8). CreateMutexA function (synchapi.h). Retrieved September 19, 2024.",
 "meta": {
- "date_accessed": "2014-12-05T00:00:00Z",
+ "date_accessed": "2024-09-19T00:00:00Z",
+ "date_published": "2023-02-08T00:00:00Z",
 "refs": [
- "http://msdn.microsoft.com/en-us/library/ms682425"
+ "https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createmutexa"
+ ],
+ "source": "MITRE",
+ "title": "CreateMutexA function (synchapi.h)"
+ },
+ "related": [],
+ "uuid": "20939374-30c1-515a-b672-28a030bf0c64",
+ "value": "Microsoft CreateMutexA"
+ },
+ {
+ "description": "Microsoft. (n.d.). CreateProcess function. Retrieved September 12, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-12T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa"
 ],
 "source": "MITRE",
 "title": "CreateProcess function"
@@ -13467,12 +14195,12 @@
 "value": "GitHub Creddump7"
 },
 {
- "description": "Microsoft Threat Intelligence. (2023, June 21). Credential Attacks. Retrieved September 27, 2023.",
+ "description": "Microsoft Threat Intelligence. (2023, June 21). Credential Attacks. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2023-09-27T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2023-06-21T00:00:00Z",
 "refs": [
- "https://twitter.com/MsftSecIntel/status/1671579359994343425"
+ "https://x.com/MsftSecIntel/status/1671579359994343425"
 ],
 "source": "MITRE",
 "title": "Credential Attacks"
@@ -13572,6 +14300,20 @@
 "uuid": "54b5d8af-21f0-4d1c-ada8-b87db85dd742",
 "value": "doppelpaymer_crowdstrike"
 },
+ {
+ "description": "CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-15T00:00:00Z",
+ "refs": [
+ "https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf"
+ ],
+ "source": "MITRE",
+ "title": "Critical Infrastructure"
+ },
+ "related": [],
+ "uuid": "bfa16dc6-f075-5bd3-9d9d-255df8789298",
+ "value": "CISA AA24-038A PRC Critical Infrastructure February 2024"
+ },
 {
 "description": "Team Huntress. (2023, April 21). Critical Vulnerabilities in PaperCut Print Management Software. Retrieved May 8, 2023.",
 "meta": {
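Review bot: The new CISA entry's `title` is "Critical Infrastructure", which is only the tail of the advisory's name that the same entry's `description` spells out in full; anyone searching the cluster by title will miss it. Suggest `"title": "PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure"`. The description also dates the advisory to February 7, 2024, yet the entry carries no `date_published`, unlike the other dated entries added in this series; `"date_published": "2024-02-07T00:00:00Z"` would keep the two fields consistent.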
@@ -13647,21 +14389,6 @@
 "uuid": "51e67e37-2d61-4228-999b-bec6f80cf106",
 "value": "Bishop Fox Sliver Framework August 2019"
 },
- {
- "description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved March 4, 2024.",
- "meta": {
- "date_accessed": "2024-03-04T00:00:00Z",
- "date_published": "2023-08-31T00:00:00Z",
- "refs": [
- "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
- ],
- "source": "MITRE",
- "title": "Cross-Tenant Impersonation: Prevention and Detection"
- },
- "related": [],
- "uuid": "77dbd22f-ce57-50f7-9c6b-8dc874a4d80d",
- "value": "Okta Cross-Tenant Impersonation"
- },
 {
 "description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.",
 "meta": {
@@ -13677,6 +14404,21 @@
 "uuid": "d54188b5-86eb-52a0-8384-823c45431762",
 "value": "Okta Cross-Tenant Impersonation 2023"
 },
+ {
+ "description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved March 4, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-04T00:00:00Z",
+ "date_published": "2023-08-31T00:00:00Z",
+ "refs": [
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
+ ],
+ "source": "MITRE",
+ "title": "Cross-Tenant Impersonation: Prevention and Detection"
+ },
+ "related": [],
+ "uuid": "77dbd22f-ce57-50f7-9c6b-8dc874a4d80d",
+ "value": "Okta Cross-Tenant Impersonation"
+ },
 {
 "description": "Crowdstrike. (2013, October 16). CrowdCasts Monthly: You Have an Adversary Problem. Retrieved March 1, 2017.",
 "meta": {
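Review bot: The Okta entry re-added here (uuid 77dbd22f-…) duplicates the "Okta Cross-Tenant Impersonation 2023" entry directly above it (uuid d54188b5-…): same author, same title, same sec.okta.com URL, differing only in `date_accessed`. The commit only moves the entry, so the duplication is pre-existing, but the remove-then-re-add shape suggests the generator sorts on the description string, which differs between the two copies only by the "Retrieved" date, and that is what produces this churn. The same pattern recurs later in this patch for the MSRC "Customer Guidance" entry, the three "Don't @ Me" entries (where two uuids are swapped between otherwise identical objects), the two "Dynamic-Link Library Security" entries, and the Symantec Dragonfly, "Enter The DarkGate" and "Environment Property" entries. Because other galaxies may already reference either uuid, I would not merge them blindly; a dedup pass keyed on the refs URL upstream of the sort, with the surviving uuid recorded, would stop the churn without breaking links.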
@@ -13838,12 +14580,12 @@
 "value": "CrowdStrike Putter Panda"
 },
 {
- "description": "Cimpanu, C.. (2016, September 9). Cryptocurrency Mining Malware Discovered Targeting Seagate NAS Hard Drives. Retrieved October 12, 2016.",
+ "description": "Cimpanu, C.. (2016, September 9). Cryptocurrency Mining Malware Discovered Targeting Seagate NAS Hard Drives. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2016-10-12T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2016-09-09T00:00:00Z",
 "refs": [
- "http://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml"
+ "https://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml"
 ],
 "source": "MITRE",
 "title": "Cryptocurrency Mining Malware Discovered Targeting Seagate NAS Hard Drives"
@@ -13944,6 +14686,21 @@
 "uuid": "0cdde66c-a7ae-48a2-8ade-067643de304d",
 "value": "OWASP CSV Injection"
 },
+ {
+ "description": "Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved August 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-05T00:00:00Z",
+ "date_published": "2022-09-07T00:00:00Z",
+ "refs": [
+ "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis"
+ ],
+ "source": "MITRE",
+ "title": "CUBA Ransomware Campaign Analysis"
+ },
+ "related": [],
+ "uuid": "79299d27-dbbf-56d0-87fd-15e3f9167cf8",
+ "value": "Elastic CUBA Ransomware 2022"
+ },
 {
 "description": "Microsoft. (n.d.). CurrentControlSet\\Services Subkey Entries. Retrieved November 30, 2014.",
 "meta": {
@@ -13958,6 +14715,21 @@
 "uuid": "be233077-7bb4-48be-aecf-03258931527d",
 "value": "Microsoft Subkey"
 },
+ {
+ "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.",
+ "meta": {
+ "date_accessed": "2020-12-30T00:00:00Z",
+ "date_published": "2020-12-13T00:00:00Z",
+ "refs": [
+ "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"
+ ],
+ "source": "MITRE",
+ "title": "Customer Guidance on Recent Nation-State Cyber Attacks"
+ },
+ "related": [],
+ "uuid": "47031992-841f-4ef4-87c6-bb4c077fb8dc",
+ "value": "Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks"
+ },
 {
 "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.",
 "meta": {
@@ -13974,19 +14746,19 @@
 "value": "Microsoft SolarWinds Customer Guidance"
 },
 {
- "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.",
+ "description": "Ionut Ilascu. (2020, January 16). Customer-Owned Bank Informs 100k of Breach Exposing Account Balance, PII. Retrieved July 1, 2024.",
 "meta": {
- "date_accessed": "2020-12-30T00:00:00Z",
- "date_published": "2020-12-13T00:00:00Z",
+ "date_accessed": "2024-07-01T00:00:00Z",
+ "date_published": "2020-01-16T00:00:00Z",
 "refs": [
- "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"
+ "https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/"
 ],
 "source": "MITRE",
- "title": "Customer Guidance on Recent Nation-State Cyber Attacks"
+ "title": "Customer-Owned Bank Informs 100k of Breach Exposing Account Balance, PII"
 },
 "related": [],
- "uuid": "47031992-841f-4ef4-87c6-bb4c077fb8dc",
- "value": "Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks"
+ "uuid": "027b281d-79d5-50aa-9ff3-d6f4e647d477",
+ "value": "Bleeping Computer Bank Hack 2020"
 },
 {
 "description": "Apple. (2016, September 13). Customizing Login and Logout. Retrieved April 1, 2022.",
@@ -14213,6 +14985,22 @@
 "uuid": "84d5f015-9014-417c-b2a9-f650fe19d448",
 "value": "Crowdstrike Kubernetes Container Escape"
 },
+ {
+ "description": "Peter Girnus; Aliakbar Zahravi; Simon Zuckerbraun Read time. (2024, March 13). CVE-2024-21412 DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign. Retrieved March 14, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-14T00:00:00Z",
+ "date_published": "2024-03-13T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html"
+ ],
+ "source": "Tidal Cyber",
+ "title": "CVE-2024-21412 DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign"
+ },
+ "related": [],
+ "uuid": "0574a0a7-694b-4858-b053-8f7911c8ce54",
+ "value": "Trend Micro March 13 2024"
+ },
 {
 "description": "Naim, D.. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021.",
 "meta": {
@@ -14336,6 +15124,22 @@
 "uuid": "deea5b42-bfab-50af-8d85-cc04fd317a82",
 "value": "FBI-search"
 },
+ {
+ "description": "Resecurity. (2024, January 3). Cybercriminals Implemented Artificial Intelligence (AI) for Invoice Fraud. Retrieved September 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-09T00:00:00Z",
+ "date_published": "2024-01-03T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.resecurity.com/blog/article/cybercriminals-implemented-artificial-intelligence-ai-for-invoice-fraud"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Cybercriminals Implemented Artificial Intelligence (AI) for Invoice Fraud"
+ },
+ "related": [],
+ "uuid": "6d55aa2c-3f52-4bff-8003-f78b386a4952",
+ "value": "Resecurity GXC Team January 3 2024"
+ },
 {
 "description": "CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.",
 "meta": {
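Review bot: The author field of the Trend Micro entry reads `Peter Girnus; Aliakbar Zahravi; Simon Zuckerbraun Read time.` — the trailing "Read time" is page chrome carried over from the article header, not an author, and it lands in the citation string that consumers display. Suggest `"description": "Peter Girnus; Aliakbar Zahravi; Simon Zuckerbraun. (2024, March 13). CVE-2024-21412 DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign. Retrieved March 14, 2024."`. The `value` "Trend Micro March 13 2024" identifies the reference only by vendor and date, whereas the MITRE-sourced entries in this patch use source plus topic plus year (e.g. "Elastic CUBA Ransomware 2022"); `"value": "Trend Micro DarkGate CVE-2024-21412 March 2024"` would be both unique and searchable.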
@@ -14489,11 +15293,11 @@
 "value": "NSA NCSC Turla OilRig"
 },
 {
- "description": "Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS. Retrieved October 20, 2020.",
+ "description": "Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS. Retrieved September 16, 2024.",
 "meta": {
- "date_accessed": "2020-10-20T00:00:00Z",
+ "date_accessed": "2024-09-16T00:00:00Z",
 "refs": [
- "https://www.opm.gov/cybersecurity/cybersecurity-incidents/"
+ "https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/"
 ],
 "source": "MITRE",
 "title": "CYBERSECURITY INCIDENTS"
@@ -14653,6 +15457,36 @@
 "uuid": "4e4668bd-9bef-597e-ad41-8afe1974b7f6",
 "value": "Kubernetes DaemonSet"
 },
+ {
+ "description": "Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-25T00:00:00Z",
+ "date_published": "2023-04-20T00:00:00Z",
+ "refs": [
+ "https://symantec-enterprise-blogs.security.com/threat-intelligence/apt-attacks-telecoms-africa-mgbot"
+ ],
+ "source": "MITRE",
+ "title": "Daggerfly: APT Actor Targets Telecoms Company in Africa"
+ },
+ "related": [],
+ "uuid": "cb0a51f5-fe5b-5dd0-8f55-4e7536cb61a4",
+ "value": "Symantec Daggerfly 2023"
+ },
+ {
+ "description": "Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-25T00:00:00Z",
+ "date_published": "2024-07-23T00:00:00Z",
+ "refs": [
+ "https://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfly-espionage-updated-toolset"
+ ],
+ "source": "MITRE",
+ "title": "Daggerfly: Espionage Group Makes Major Update to Toolset"
+ },
+ "related": [],
+ "uuid": "1dadd09e-e7b0-50a1-ba3d-413780dbeb80",
+ "value": "Symantec Daggerfly 2024"
+ },
 {
 "description": "Huseyin Can Yuceel. (2022, October 24). Daixin Team Targets Healthcare Organizations with Ransomware Attacks. Retrieved December 1, 2023.",
 "meta": {
@@ -14932,7 +15766,7 @@
 "date_accessed": "2022-01-10T00:00:00Z",
 "date_published": "2021-12-14T00:00:00Z",
 "refs": [
- "https://www.prevailion.com/darkwatchman-new-fileless-techniques/"
+ "https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/"
 ],
 "source": "MITRE",
 "title": "DarkWatchman: A new evolution in fileless techniques"
@@ -14973,6 +15807,21 @@
 "uuid": "a9aa6361-8c4d-4456-bb3f-c64ca5260695",
 "value": "SOCRadar Cyber Toufan Profile"
 },
+ {
+ "description": "SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-05T00:00:00Z",
+ "date_published": "2024-01-24T00:00:00Z",
+ "refs": [
+ "https://socradar.io/dark-web-profile-inc-ransom/"
+ ],
+ "source": "MITRE",
+ "title": "Dark Web Profile: INC Ransom"
+ },
+ "related": [],
+ "uuid": "6c78b422-7d46-58a4-a403-421db0531147",
+ "value": "SOCRadar INC Ransom January 2024"
+ },
 {
 "description": "Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.",
 "meta": {
@@ -14988,6 +15837,20 @@
 "uuid": "15ef155b-7628-4b18-bc53-1d30be4eac5d",
 "value": "Moran 2014"
 },
+ {
+ "description": "AWS. (n.d.). Data perimeters on AWS. Retrieved October 16, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-16T00:00:00Z",
+ "refs": [
+ "https://aws.amazon.com/identity/data-perimeters-on-aws/"
+ ],
+ "source": "MITRE",
+ "title": "Data perimeters on AWS"
+ },
+ "related": [],
+ "uuid": "de628ad0-9608-5af0-8c93-21a1d5cd4998",
+ "value": "AWS Data Perimeters"
+ },
 {
 "description": "LOLBAS. (2020, December 1). DataSvcUtil.exe. Retrieved December 4, 2023.",
 "meta": {
@@ -15473,12 +16336,27 @@
 "value": "piazza launch agent mitigation"
 },
 {
- "description": "vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved January 22, 2018.",
+ "description": "Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping Detection – NTFS Forensics. Retrieved September 30, 2024.",
 "meta": {
- "date_accessed": "2018-01-22T00:00:00Z",
+ "date_accessed": "2024-09-30T00:00:00Z",
+ "date_published": "2022-04-28T00:00:00Z",
+ "refs": [
+ "https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html"
+ ],
+ "source": "MITRE",
+ "title": "Defence Evasion Technique: Timestomping Detection – NTFS Forensics"
+ },
+ "related": [],
+ "uuid": "48bc7943-0384-5b6e-a0c5-854b6a08203f",
+ "value": "Inversecos Timestomping 2022"
+ },
+ {
+ "description": "vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved September 12, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2017-08-11T00:00:00Z",
 "refs": [
- "https://twitter.com/vector_sec/status/896049052642533376"
+ "https://x.com/vector_sec/status/896049052642533376"
 ],
 "source": "MITRE",
 "title": "Defenders watching launches of cmd? What about forfiles?"
@@ -16056,6 +16934,21 @@
 "uuid": "c1cd4767-b5a1-4821-8574-b5782a83920f",
 "value": "ADDSecurity DCShadow Feb 2018"
 },
+ {
+ "description": "Lacework Labs. (2024, June 6). Detecting AI resource-hijacking with Composite Alerts. Retrieved September 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-25T00:00:00Z",
+ "date_published": "2024-06-06T00:00:00Z",
+ "refs": [
+ "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"
+ ],
+ "source": "MITRE",
+ "title": "Detecting AI resource-hijacking with Composite Alerts"
+ },
+ "related": [],
+ "uuid": "4742569e-80ed-5d70-948b-9457d9371ca8",
+ "value": "Lacework LLMJacking 2024"
+ },
 {
 "description": "Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically Generated Domains Using Data Visualization and N-Grams Methods . Retrieved April 26, 2019.",
 "meta": {
@@ -16143,6 +17036,21 @@
 "uuid": "63955204-3cf9-4628-88d2-361de4dae94f",
 "value": "Medium Detecting Attempts to Steal Passwords from Memory"
 },
+ {
+ "description": "Fernando Merces. (2023, July 13). Detecting BPFDoor Backdoor Variants Abusing BPF Filters. Retrieved September 23, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-23T00:00:00Z",
+ "date_published": "2023-07-13T00:00:00Z",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html"
+ ],
+ "source": "MITRE",
+ "title": "Detecting BPFDoor Backdoor Variants Abusing BPF Filters"
+ },
+ "related": [],
+ "uuid": "bf4f5736-0506-5ecf-a73e-86ab18c2b71b",
+ "value": "Merces BPFDOOR 2023"
+ },
 {
 "description": "Seetharaman, N. (2018, July 7). Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon.. Retrieved August 6, 2018.",
 "meta": {
@@ -16443,6 +17351,22 @@
 "uuid": "5e5452a4-c3f5-4802-bcb4-198612cc8282",
 "value": "FireEye Exchange Zero Days March 2021"
 },
+ {
+ "description": "Microsoft Threat Intelligence. (2022, December 6). DEV-0139 launches targeted attacks against the cryptocurrency industry. Retrieved September 30, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-30T00:00:00Z",
+ "date_published": "2022-12-06T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "DEV-0139 launches targeted attacks against the cryptocurrency industry"
+ },
+ "related": [],
+ "uuid": "f9c070f1-aa83-45a3-bffb-c90f4caf5926",
+ "value": "Microsoft DEV-0139 December 6 2022"
+ },
 {
 "description": "Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.",
 "meta": {
@@ -16614,6 +17538,20 @@
 "uuid": "30503e42-6047-46a9-8189-e6caa5f4deb0",
 "value": "Dfshim.dll - LOLBAS Project"
 },
+ {
+ "description": "LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-09T00:00:00Z",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/"
+ ],
+ "source": "MITRE",
+ "title": "/Dfsvc.exe"
+ },
+ "related": [],
+ "uuid": "caef4593-a7ac-57f7-9e06-b6ace2c9623d",
+ "value": "LOLBAS /Dfsvc.exe"
+ },
 {
 "description": "LOLBAS. (2018, May 25). Dfsvc.exe. Retrieved December 4, 2023.",
 "meta": {
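Review bot: The new LOLBAS entry's title is `/Dfsvc.exe` — the leading slash reads as a path fragment left over from the scrape rather than the binary's name, and it propagates into `value` as "LOLBAS /Dfsvc.exe", so the entry will not match a search for "Dfsvc.exe". It also sits directly above the existing "LOLBAS. (2018, May 25). Dfsvc.exe." entry for the same binary; that entry's refs are outside this hunk, but if it points at the same lolbas-project page this is another duplicate of the kind already present elsewhere in the file. Suggest `"title": "Dfsvc.exe"` and `"value": "LOLBAS Dfsvc.exe"`, or dropping the new object in favour of the existing one if the URLs match.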
@@ -16911,12 +17849,12 @@
 "value": "ITSyndicate Disabling PHP functions"
 },
 {
- "description": "TheDFIRReport. (2022, March 1). Disabling notifications on Synology servers before ransom. Retrieved October 19, 2022.",
+ "description": "TheDFIRReport. (2022, March 1). Disabling notifications on Synology servers before ransom. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2022-10-19T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2022-03-01T00:00:00Z",
 "refs": [
- "https://twitter.com/TheDFIRReport/status/1498657590259109894"
+ "https://x.com/TheDFIRReport/status/1498657590259109894"
 ],
 "source": "MITRE",
 "title": "Disabling notifications on Synology servers before ransom"
@@ -16972,12 +17910,12 @@
 "value": "Diskshadow.exe - LOLBAS Project"
 },
 {
- "description": "OpenAI. (2024, February 14). Disrupting malicious uses of AI by state-affiliated threat actors. Retrieved March 11, 2024.",
+ "description": "OpenAI. (2024, February 14). Disrupting malicious uses of AI by state-affiliated threat actors. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2024-03-11T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2024-02-14T00:00:00Z",
 "refs": [
- "https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors"
+ "https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/"
 ],
 "source": "MITRE",
 "title": "Disrupting malicious uses of AI by state-affiliated threat actors"
@@ -16986,6 +17924,21 @@
 "uuid": "d8f576cb-0afc-54a7-a449-570c4311ef7a",
 "value": "OpenAI-CTI"
 },
+ {
+ "description": "Microsoft Threat Intelligence. (2022, August 15). Disrupting SEABORGIUM’s ongoing phishing operations. Retrieved June 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-13T00:00:00Z",
+ "date_published": "2022-08-15T00:00:00Z",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/"
+ ],
+ "source": "MITRE",
+ "title": "Disrupting SEABORGIUM’s ongoing phishing operations"
+ },
+ "related": [],
+ "uuid": "d5fc25ad-2337-55f5-9eac-050178a533d6",
+ "value": "Microsoft Star Blizzard August 2022"
+ },
 {
 "description": "Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.",
 "meta": {
@@ -17046,6 +17999,21 @@
 "uuid": "b1271e05-80d7-4761-a13f-b6f0db7d7e5a",
 "value": "FireEye POSHSPY April 2017"
 },
+ {
+ "description": "Flare. (2023, June 6). Dissecting the Dark Web Supply Chain: Stealer Logs in Context. Retrieved October 10, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-10T00:00:00Z",
+ "date_published": "2023-06-06T00:00:00Z",
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/"
+ ],
+ "source": "MITRE",
+ "title": "Dissecting the Dark Web Supply Chain: Stealer Logs in Context"
+ },
+ "related": [],
+ "uuid": "3bcbc294-91f1-56af-9eb9-9ce556c09602",
+ "value": "Bleeping Computer Stealer Logs 2023"
+ },
 {
 "description": "Microsoft. (2011, January 12). Distributed Transaction Coordinator. Retrieved February 25, 2016.",
 "meta": {
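Review bot: The "Stealer Logs" entry attributes the piece to Flare in `description` but to Bleeping Computer in `value`, and its only ref is a bleepingcomputer.com URL, so a reader cannot tell who authored it from the entry alone. From the URL it looks like a Flare-written article hosted on Bleeping Computer, but that is an inference; whichever is right, the author in `description`, the `value` and the hosting site should tell one story, e.g. `"value": "Flare Stealer Logs 2023"` if Flare is the author, or `"description": "Bleeping Computer. (2023, June 6). …"` if the site is being cited as the source.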
@@ -17061,6 +18029,22 @@
 "uuid": "d2a1aab3-a4c9-4583-9cf8-170eeb77d828",
 "value": "Microsoft DTC"
 },
+ {
+ "description": "Austin Larsen, John Palmisano, John Wolfram, Mathew Potaczek, Michael Raggi. (2023, August 29). Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation. Retrieved October 24, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-24T00:00:00Z",
+ "date_published": "2023-08-29T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://cloud.google.com/blog/topics/threat-intelligence/unc4841-post-barracuda-zero-day-remediation"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation"
+ },
+ "related": [],
+ "uuid": "f990745d-06c1-4b0a-8394-66c7a3cf0818",
+ "value": "Mandiant UNC4841 August 29 2023"
+ },
 {
 "description": "Mandiant. (2010, August 31). DLL Search Order Hijacking Revisited. Retrieved December 5, 2014.",
 "meta": {
@@ -17167,6 +18151,21 @@
 "uuid": "d597ad7d-f808-4289-b42a-79807248c2d6",
 "value": "Talos DNSpionage Nov 2018"
 },
+ {
+ "description": "Microsoft. (2022). DNS Policies Overview. Retrieved June 6, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-06T00:00:00Z",
+ "date_published": "2022-01-01T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/dns-policies-overview"
+ ],
+ "source": "MITRE",
+ "title": "DNS Policies Overview"
+ },
+ "related": [],
+ "uuid": "bb420420-d03c-53b9-8bd9-e4357df8930a",
+ "value": "DNS-msft"
+ },
 {
 "description": "Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can be (ab)used by malicious actors. Retrieved October 3, 2020.",
 "meta": {
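Review bot: `"date_published": "2022-01-01T00:00:00Z"` in the DNS Policies Overview entry asserts a day the citation does not support — the description gives only `(2022)`, so January 1 is a fill-in that anything sorting or filtering on the field will treat as a real date. The other year-only or undated entries in this patch (the AWS Data Perimeters and CreateProcess entries, for instance) simply omit `date_published`; doing the same here keeps the field trustworthy. Separately, `"value": "DNS-msft"` departs from the "Source Topic Year" naming the surrounding MITRE-sourced entries use; `"value": "Microsoft DNS Policies Overview"` would be consistent and self-explanatory.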
@@ -17182,6 +18181,21 @@
 "uuid": "e41fde80-5ced-4f66-9852-392d1ef79520",
 "value": "Unit42 DNS Mar 2019"
 },
+ {
+ "description": "CISA. (2016, September 29). DNS Zone Transfer AXFR Requests May Leak Domain Information. Retrieved June 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-05T00:00:00Z",
+ "date_published": "2016-09-29T00:00:00Z",
+ "refs": [
+ "https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information"
+ ],
+ "source": "MITRE",
+ "title": "DNS Zone Transfer AXFR Requests May Leak Domain Information"
+ },
+ "related": [],
+ "uuid": "bc24500a-500c-5e08-90ec-6fbb39b0b74c",
+ "value": "DNS-CISA"
+ },
 {
 "description": "LOLBAS. (2018, May 25). dnx.exe. Retrieved December 4, 2023.",
 "meta": {
@@ -17414,9 +18428,9 @@
 "value": "ASERT Donot March 2018"
 },
 {
- "description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved February 13, 2024.",
+ "description": "Simonian, Nick. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved January 17, 2024.",
 "meta": {
- "date_accessed": "2024-02-13T00:00:00Z",
+ "date_accessed": "2024-01-17T00:00:00Z",
 "date_published": "2023-05-22T00:00:00Z",
 "refs": [
 "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse"
@@ -17425,8 +18439,8 @@
 "title": "Don't @ Me: URL Obfuscation Through Schema Abuse"
 },
 "related": [],
- "uuid": "75b860d9-a48d-57de-ba1e-b0db970abb1b",
- "value": "Schema-abuse"
+ "uuid": "d5ed4c98-6d37-5000-bba0-9aada295a50c",
+ "value": "mandiant-masking"
 },
 {
 "description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.",
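Review bot: The DNS-CISA entry dates the alert to September 29, 2016 in both `description` and `date_published`, but its ref URL carries the path `/alerts/2015/04/13/`, which suggests the alert was originally published on April 13, 2015 and that 2016-09-29 is a revision or last-updated date. Please check the page and align `date_published` and the parenthetical in `description` with whichever date the catalog means by "published"; two dates for one alert will surface as a discrepancy in any citation or deduplication check. `"value": "DNS-CISA"` also breaks from the "Source Topic Year" naming used around it; `"value": "CISA DNS Zone Transfer AXFR 2015"` (or 2016, once the date is settled) would be descriptive.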
@@ -17444,9 +18458,9 @@
 "value": "Mandiant URL Obfuscation 2023"
 },
 {
- "description": "Simonian, Nick. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved January 17, 2024.",
+ "description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved February 13, 2024.",
 "meta": {
- "date_accessed": "2024-01-17T00:00:00Z",
+ "date_accessed": "2024-02-13T00:00:00Z",
 "date_published": "2023-05-22T00:00:00Z",
 "refs": [
 "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse"
@@ -17455,8 +18469,8 @@
 "title": "Don't @ Me: URL Obfuscation Through Schema Abuse"
 },
 "related": [],
- "uuid": "d5ed4c98-6d37-5000-bba0-9aada295a50c",
- "value": "mandiant-masking"
+ "uuid": "75b860d9-a48d-57de-ba1e-b0db970abb1b",
+ "value": "Schema-abuse"
 },
 {
 "description": "TheWover. (2019, May 9). donut. Retrieved March 25, 2022.",
@@ -17654,21 +18668,6 @@
 "uuid": "9514c5cd-2ed6-4dbf-aa9e-1c425e969226",
 "value": "Symantec Dragonfly"
 },
- {
- "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.",
- "meta": {
- "date_accessed": "2017-09-09T00:00:00Z",
- "date_published": "2014-07-07T00:00:00Z",
- "refs": [
- "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers"
- ],
- "source": "MITRE",
- "title": "Dragonfly: Western energy sector targeted by sophisticated attack group"
- },
- "related": [],
- "uuid": "11bbeafc-ed5d-4d2b-9795-a0a9544fb64e",
- "value": "Symantec Dragonfly Sept 2017"
- },
 {
 "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.",
 "meta": {
@@ -17684,6 +18683,21 @@
 "uuid": "a0439d4a-a3ea-4be5-9a01-f223ca259681",
 "value": "Symantec Dragonfly 2.0 October 2017"
 },
+ {
+ "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.",
+ "meta": {
+ "date_accessed": "2017-09-09T00:00:00Z",
+ "date_published": "2014-07-07T00:00:00Z",
+ "refs": [
+ "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers"
+ ],
+ "source": "MITRE",
+ "title": "Dragonfly: Western energy sector targeted by sophisticated attack group"
+ },
+ "related": [],
+ "uuid": "11bbeafc-ed5d-4d2b-9795-a0a9544fb64e",
+ "value": "Symantec Dragonfly Sept 2017"
+ },
 {
 "description": "Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019.",
 "meta": {
@@ -18166,14 +19180,14 @@
 "meta": {
 "date_accessed": "2016-07-25T00:00:00Z",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security?redirectedfrom=MSDN"
+ "https://msdn.microsoft.com/en-us/library/ff919712.aspx"
 ],
 "source": "MITRE",
 "title": "Dynamic-Link Library Security"
 },
 "related": [],
- "uuid": "e087442a-0a53-4cc8-9fd6-772cbd0295d5",
- "value": "Microsoft Dynamic-Link Library Security"
+ "uuid": "5d1d1916-cef4-49d1-b8e2-a6d18fb297f6",
+ "value": "MSDN DLL Security"
 },
 {
 "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November 27, 2017.",
@@ -18194,14 +19208,14 @@
 "meta": {
 "date_accessed": "2016-07-25T00:00:00Z",
 "refs": [
- "https://msdn.microsoft.com/en-us/library/ff919712.aspx"
+ "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security?redirectedfrom=MSDN"
 ],
 "source": "MITRE",
 "title": "Dynamic-Link Library Security"
 },
 "related": [],
- "uuid": "5d1d1916-cef4-49d1-b8e2-a6d18fb297f6",
- "value": "MSDN DLL Security"
+ "uuid": "e087442a-0a53-4cc8-9fd6-772cbd0295d5",
+ "value": "Microsoft Dynamic-Link Library Security"
 },
 {
 "description": "Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.",
@@ -18295,6 +19309,21 @@
 "uuid": "88170ef5-03ac-42f2-9b03-2ce204b5d45c",
 "value": "Earthworm English Project Page"
 },
+ {
+ "description": "Marc-Etienne M.Léveillé. (2024, May 1). Ebury is alive but unseen. Retrieved May 21, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-21T00:00:00Z",
+ "date_published": "2024-05-01T00:00:00Z",
+ "refs": [
+ "https://web-assets.esetstatic.com/wls/en/papers/white-papers/ebury-is-alive-but-unseen.pdf"
+ ],
+ "source": "MITRE",
+ "title": "Ebury is alive but unseen"
+ },
+ "related": [],
+ "uuid": "7df9b7ed-ecac-5432-9fc2-8961fc315415",
+ "value": "ESET Ebury May 2024"
+ },
 {
 "description": "U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August 27, 2021.",
 "meta": {
@@ -18698,6 +19727,22 @@
 "uuid": "580ce22f-b76b-4a92-9fab-26ce8f449ab6",
 "value": "Emissary Trojan Feb 2016"
 },
+ {
+ "description": "orangecyberdefense.com. (2024, August 14). Emmenhtal a little-known loader distributing commodity infostealers worldwide. Retrieved August 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-25T00:00:00Z",
+ "date_published": "2024-08-14T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.orangecyberdefense.com/global/blog/cert-news/emmenhtal-a-little-known-loader-distributing-commodity-infostealers-worldwide"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Emmenhtal a little-known loader distributing commodity infostealers worldwide"
+ },
+ "related": [],
+ "uuid": "138a6cd4-36f9-41fd-a724-2b600dc6bf85",
+ "value": "orangecyberdefense.com August 14 2024"
+ },
 {
 "description": "Brandt, A.. (2019, May 5). Emotet 101, stage 4: command and control. Retrieved April 16, 2019.",
 "meta": {
@@ -18773,6 +19818,21 @@
 "uuid": "e954c9aa-4995-452c-927e-11d0a6e2f442",
 "value": "ESET Emotet Nov 2018"
 },
+ {
+ "description": "Office of Information Security, Health Sector Cybersecurity Coordination Center. (2023, November 16). Emotet Malware: The Enduring and Persistent Threat to the Health Sector. Retrieved June 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-19T00:00:00Z",
+ "date_published": "2023-11-16T00:00:00Z",
+ "refs": [
+ "https://www.hhs.gov/sites/default/files/emotet-the-enduring-and-persistent-threat-to-the-hph-tlpclear.pdf"
+ ],
+ "source": "MITRE",
+ "title": "Emotet Malware: The Enduring and Persistent Threat to the Health Sector"
+ },
+ "related": [],
+ "uuid": "36b41ab3-2a3d-5f5f-86ad-bc4cf810b4ba",
+ "value": "emotet_hc3_nov2023"
+ },
 {
 "description": "Cybercrime & Digital Threat Team. (2020, February 13). Emotet Now Spreads via Wi-Fi. Retrieved February 16, 2022.",
 "meta": {
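Review bot: The author in the Emmenhtal entry is the bare domain `orangecyberdefense.com`, and it is repeated as the `value` ("orangecyberdefense.com August 14 2024"), so the citation reads as a scrape artifact rather than an attribution. The ref's own path (`/blog/cert-news/`) shows the post comes from Orange Cyberdefense's CERT blog, so `"description": "Orange Cyberdefense CERT. (2024, August 14). Emmenhtal a little-known loader distributing commodity infostealers worldwide. Retrieved August 25, 2024."` and `"value": "Orange Cyberdefense Emmenhtal August 2024"` would match how the other Tidal Cyber entries in this patch name their source. This is a naming point only; the uuid and ref are fine as they are.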
@@ -18819,6 +19879,21 @@
 "uuid": "6d39aba3-ae77-4a95-8242-7dacae8c89d8",
 "value": "Cybersécurité - INTRINSEC January 09 2023"
 },
+ {
+ "description": "Kenefick, I. (2023, March 13). Emotet Returns, Now Adopts Binary Padding for Evasion. Retrieved June 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-19T00:00:00Z",
+ "date_published": "2023-03-13T00:00:00Z",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html"
+ ],
+ "source": "MITRE",
+ "title": "Emotet Returns, Now Adopts Binary Padding for Evasion"
+ },
+ "related": [],
+ "uuid": "6f9050d9-e960-50dd-86a9-aee5fd100d9c",
+ "value": "emotet_trendmicro_mar2023"
+ },
 {
 "description": "The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.",
 "meta": {
@@ -18995,6 +20070,21 @@
 "uuid": "a729519d-8c9f-477c-b992-434076a9d294",
 "value": "PCMag DoubleExtension"
 },
+ {
+ "description": "Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor authentication with legacy applications using app passwords. Retrieved May 28, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-28T00:00:00Z",
+ "date_published": "2023-10-23T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords"
+ ],
+ "source": "MITRE",
+ "title": "Enforce Microsoft Entra multifactor authentication with legacy applications using app passwords"
+ },
+ "related": [],
+ "uuid": "7787289d-f636-5a26-b182-cd1015879007",
+ "value": "Microsoft Entra ID App Passwords"
+ },
 {
 "description": "FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.",
 "meta": {
@@ -19084,21 +20174,6 @@
 "uuid": "ad3eda19-08eb-4d59-a2c9-3b5ed8302205",
 "value": "Google Ensuring Your Information is Safe"
 },
- {
- "description": "Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.",
- "meta": {
- "date_accessed": "2024-02-09T00:00:00Z",
- "date_published": "2018-11-13T00:00:00Z",
- "refs": [
- "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign"
- ],
- "source": "MITRE",
- "title": "Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign"
- },
- "related": [],
- "uuid": "31796564-4154-54c0-958a-7d6802dfefad",
- "value": "Ensilo Darkgate 2018"
- },
 {
 "description": "Fortinet Blog. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved October 20, 2023.",
 "meta": {
@@ -19115,6 +20190,21 @@
 "uuid": "1b9b5c48-d504-4c73-aedc-37e935c47f17",
 "value": "Fortinet Blog November 13 2018"
 },
+ {
+ "description": "Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-09T00:00:00Z",
+ "date_published": "2018-11-13T00:00:00Z",
+ "refs": [
+ "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign"
+ ],
+ "source": "MITRE",
+ "title": "Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign"
+ },
+ "related": [],
+ "uuid": "31796564-4154-54c0-958a-7d6802dfefad",
+ "value": "Ensilo Darkgate 2018"
+ },
 {
 "description": "Splunk Threat Research Team. (2024, January 17). Enter The Gates: An Analysis of the DarkGate AutoIt Loader. Retrieved March 29, 2024.",
 "meta": {
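Review bot: The two hunks on this line delete the `Ensilo Darkgate 2018` entry and re-add it byte-for-byte a few entries lower, so the diff is pure ordering churn with nothing new to review; the same move pattern recurs in this patch for `MSDN Environment Property`, `Mandiant FIN7 Apr 2022` and `Mandiant Fortinet Zero Day`. In each case the moved entry trades places with a neighbour that has an identical `title` (here `Fortinet Blog November 13 2018`), which suggests the emitter sorts on `title` with no deterministic tie-break. If the file is produced by a generator, sorting on `(title, uuid)` would make consecutive runs stable and keep review attention on genuine additions; the generator is outside this diff, so I cannot confirm the key it actually uses.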
@@ -19177,11 +20267,11 @@
 "value": "EK Clueless Agents"
 },
 {
- "description": "Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved May 18, 2021.",
+ "description": "Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved September 13, 2024.",
 "meta": {
- "date_accessed": "2021-05-18T00:00:00Z",
+ "date_accessed": "2024-09-13T00:00:00Z",
 "refs": [
- "https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc"
+ "https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit"
 ],
 "source": "MITRE",
 "title": "Environment Awareness"
@@ -19190,20 +20280,6 @@
 "uuid": "af842a1f-8f39-4b4f-b4d2-0bbb810e6c31",
 "value": "Deloitte Environment Awareness"
 },
- {
- "description": "Microsoft. (n.d.). Environment Property. Retrieved July 27, 2016.",
- "meta": {
- "date_accessed": "2016-07-27T00:00:00Z",
- "refs": [
- "https://msdn.microsoft.com/en-us/library/fd7hxfdd.aspx"
- ],
- "source": "MITRE",
- "title": "Environment Property"
- },
- "related": [],
- "uuid": "79ea888c-2dd7-40cb-9149-e2469a35ea3a",
- "value": "MSDN Environment Property"
- },
 {
 "description": "Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016.",
 "meta": {
@@ -19219,6 +20295,20 @@
 "uuid": "64598969-864d-4bc7-805e-c289cccb7bc6",
 "value": "Microsoft Environment Property"
 },
+ {
+ "description": "Microsoft. (n.d.). Environment Property. Retrieved July 27, 2016.",
+ "meta": {
+ "date_accessed": "2016-07-27T00:00:00Z",
+ "refs": [
+ "https://msdn.microsoft.com/en-us/library/fd7hxfdd.aspx"
+ ],
+ "source": "MITRE",
+ "title": "Environment Property"
+ },
+ "related": [],
+ "uuid": "79ea888c-2dd7-40cb-9149-e2469a35ea3a",
+ "value": "MSDN Environment Property"
+ },
 {
 "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, February). Equation Group: Questions and Answers. Retrieved December 21, 2015.",
 "meta": {
@@ -19309,12 +20399,12 @@
 "value": "ESET APT Activity Report Q4 2023-Q1 2024"
 },
 {
- "description": "Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022.",
+ "description": "Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2022-03-02T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2019-11-10T00:00:00Z",
 "refs": [
- "https://twitter.com/ESETresearch/status/1458438155149922312"
+ "https://x.com/ESETresearch/status/1458438155149922312"
 ],
 "source": "MITRE",
 "title": "ESETresearch discovered a trojanized IDA Pro installer"
@@ -19324,12 +20414,12 @@
 "value": "ESET Twitter Ida Pro Nov 2021"
 },
 {
- "description": "ESET Research. (2020, October 1). ESET Research Tweet Linking Slothfulmedia and PowerPool. Retrieved November 17, 2020.",
+ "description": "ESET Research. (2020, October 1). ESET Research Tweet Linking Slothfulmedia and PowerPool. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2020-11-17T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2020-10-01T00:00:00Z",
 "refs": [
- "https://twitter.com/ESETresearch/status/1311762215490461696"
+ "https://x.com/ESETresearch/status/1311762215490461696"
 ],
 "source": "MITRE",
 "title": "ESET Research Tweet Linking Slothfulmedia and PowerPool"
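Review bot: The first hunk rewrites the `refs` URL to `x.com` but leaves `"date_published": "2019-11-10T00:00:00Z"`, which contradicts the entry's own key, `ESET Twitter Ida Pro Nov 2021`, visible as the first context line of the second hunk; a status ID of 1458438155149922312 also falls in the range Twitter issued in late 2021 (the second hunk's 1311762215490461696 maps to late 2020 and does agree with its 2020-10-01 date), so the 2019 date looks like the wrong one. Confirm against the tweet, then change both `"date_published": "2021-11-10T00:00:00Z"` and the `(2019, November 10)` in `description`, since the retrieval-date refresh was the moment to catch this. Both hunks also point only at live `x.com` status URLs, which can be deleted or login-walled without notice; for references that are the sole evidence behind a citation, add a `https://web.archive.org/web/...` snapshot as the FinFisher entry elsewhere in this patch does.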
@@ -19459,6 +20549,36 @@
 "uuid": "471ae30c-2753-468e-8e4d-6e7a3be599c9",
 "value": "Anomali Evasive Maneuvers July 2015"
 },
+ {
+ "description": "Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-25T00:00:00Z",
+ "date_published": "2023-04-26T00:00:00Z",
+ "refs": [
+ "https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/"
+ ],
+ "source": "MITRE",
+ "title": "Evasive Panda APT group delivers malware via updates for popular Chinese software"
+ },
+ "related": [],
+ "uuid": "08026c7e-cc35-5d51-9536-a02febd1a891",
+ "value": "ESET EvasivePanda 2023"
+ },
+ {
+ "description": "Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-25T00:00:00Z",
+ "date_published": "2024-03-07T00:00:00Z",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/"
+ ],
+ "source": "MITRE",
+ "title": "Evasive Panda leverages Monlam Festival to target Tibetans"
+ },
+ "related": [],
+ "uuid": "07e6b866-7119-50ad-8a6e-80c4e0d594bf",
+ "value": "ESET EvasivePanda 2024"
+ },
 {
 "description": "Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.",
 "meta": {
@@ -19578,6 +20698,22 @@
 "uuid": "abeb1146-e5e5-5ecc-9b70-b348fba097f6",
 "value": "Avertium callback phishing"
 },
+ {
+ "description": "Alberto Marín. (2023, April 5). Everything you need to know about the LummaC2 stealer Leveraging IDA Python and Unicorn to deobfuscate Windows API hashing. Retrieved October 10, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-10T00:00:00Z",
+ "date_published": "2023-04-05T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://outpost24.com/blog/everything-you-need-to-know-lummac2-stealer/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Everything you need to know about the LummaC2 stealer Leveraging IDA Python and Unicorn to deobfuscate Windows API hashing"
+ },
+ "related": [],
+ "uuid": "60bd2e39-744c-44e7-b417-0ef0a768f7b6",
+ "value": "Outpost24 April 5 2023"
+ },
 {
 "description": "Rosenberg, J. (2017, September 20). Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner. Retrieved February 13, 2018.",
 "meta": {
@@ -19608,6 +20744,21 @@
 "uuid": "a0218d0f-3378-4508-9d3c-a7cd3e00a156",
 "value": "Cyphort EvilBunny Dec 2014"
 },
+ {
+ "description": "Marschalek, Marion. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved August 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-05T00:00:00Z",
+ "date_published": "2014-12-16T00:00:00Z",
+ "refs": [
+ "https://web.archive.org/web/20150311013500/http:/www.cyphort.com/evilbunny-malware-instrumented-lua/"
+ ],
+ "source": "MITRE",
+ "title": "EvilBunny: Malware Instrumented By Lua"
+ },
+ "related": [],
+ "uuid": "21536444-7287-55f7-8e11-c97dcb85398d",
+ "value": "Cyphort EvilBunny"
+ },
 {
 "description": "Hegt, S. (2019, May 5). Evil Clippy: MS Office maldoc assistant. Retrieved September 17, 2020.",
 "meta": {
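Review bot: In the second hunk the new `Cyphort EvilBunny` entry's archived URL is malformed: `https://web.archive.org/web/20150311013500/http:/www.cyphort.com/...` has a single slash after `http:`. The Wayback Machine tends to normalise this, but it is still an invalid embedded URL and any consumer that validates or re-fetches `refs` may reject it; it should read `"https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/"`. The leading context also shows an existing `Cyphort EvilBunny Dec 2014` entry for the same article, so this is a second record for one source; that duplication appears to be how this file tolerates the MITRE/Tidal split, but it is worth knowing which one downstream clusters cite.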
@@ -19685,6 +20836,20 @@
 "uuid": "4dc26c77-d0ce-4836-a4cc-0490b6d7f115",
 "value": "SentinelOne EvilQuest Ransomware Spyware 2020"
 },
+ {
+ "description": "AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent them. Retrieved September 17, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-17T00:00:00Z",
+ "refs": [
+ "https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks"
+ ],
+ "source": "MITRE",
+ "title": "Evil twin attacks and how to prevent them"
+ },
+ "related": [],
+ "uuid": "230f15c3-79dd-5272-88b5-e9d5de9556f1",
+ "value": "Kaspersky evil twin"
+ },
 {
 "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
 "meta": {
@@ -20061,6 +21226,36 @@
 "uuid": "689b058e-a4ec-45bf-b0f8-8885eb8d8b63",
 "value": "LOLBAS Expand"
 },
+ {
+ "description": "Shellseekercyber. (2024, January 7). Explainer: Packed Malware. Retrieved September 27, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-27T00:00:00Z",
+ "date_published": "2024-01-07T00:00:00Z",
+ "refs": [
+ "https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035"
+ ],
+ "source": "MITRE",
+ "title": "Explainer: Packed Malware"
+ },
+ "related": [],
+ "uuid": "f7ffa0ee-80d4-5ed8-a432-23a33cbf2752",
+ "value": "polymorphic-medium"
+ },
+ {
+ "description": "Michael Raggi & The Proofpoint Threat Research Team. (2023, March 30). Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe. Retrieved July 29, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-29T00:00:00Z",
+ "date_published": "2023-03-30T00:00:00Z",
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability"
+ ],
+ "source": "MITRE",
+ "title": "Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe"
+ },
+ "related": [],
+ "uuid": "45f638af-ad10-566e-9e4d-49385a79022f",
+ "value": "Proofpoint WinterVivern 2023"
+ },
 {
 "description": "James Nugent, Foti Castelan, Doug Bienstock, Justin Moore, Josh Murchie. (2023, July 21). Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE-2023-3519). Retrieved July 24, 2023.",
 "meta": {
@@ -20197,12 +21392,12 @@
 "value": "Trend Micro Emotet Jan 2019"
 },
 {
- "description": "Borges, E. (2019, March 5). Exploring Google Hacking Techniques. Retrieved October 20, 2020.",
+ "description": "Borges, E. (2019, March 5). Exploring Google Hacking Techniques. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2020-10-20T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2019-03-05T00:00:00Z",
 "refs": [
- "https://securitytrails.com/blog/google-hacking-techniques"
+ "https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks"
 ],
 "source": "MITRE",
 "title": "Exploring Google Hacking Techniques"
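Review bot: The `refs` URL is swapped from the original `securitytrails.com/blog/google-hacking-techniques` post to a different page on `recordedfuture.com` (`.../google-dorks`), while `description`, `title` and `date_published` still describe the March 2019 SecurityTrails article, so the citation metadata no longer matches what the link resolves to. For a threat-intel reference the provenance matters more than a live link: prefer a `https://web.archive.org/web/...` snapshot of the original `securitytrails.com` URL, or, if the Recorded Future page is the intended source, update `description`, `title` and `date_published` to match it. I cannot tell from the hunk whether the new page is a redirect target or a rewritten article, which is exactly why the two should not silently diverge.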
@@ -20226,6 +21421,36 @@
 "uuid": "6502425f-3435-4162-8c96-9e10a789d362",
 "value": "Medium SSL Cert"
 },
+ {
+ "description": "David Fiser and Jaromir Horejsi. (2020, April 21). Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining. Retrieved September 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-25T00:00:00Z",
+ "date_published": "2020-04-21T00:00:00Z",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html"
+ ],
+ "source": "MITRE",
+ "title": "Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining"
+ },
+ "related": [],
+ "uuid": "58e61406-a8ca-52a8-be48-ef6066619a8a",
+ "value": "TrendMicro Exposed Redis 2020"
+ },
+ {
+ "description": "Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-20T00:00:00Z",
+ "date_published": "2020-08-24T00:00:00Z",
+ "refs": [
+ "https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/"
+ ],
+ "source": "MITRE",
+ "title": "Expose Evidence of Timestomping with the NTFS Timestamp Mismatch Artifact"
+ },
+ "related": [],
+ "uuid": "3971c8ac-4fdd-5e19-ac8a-b8d7abbaebe3",
+ "value": "Magnet Forensics"
+ },
 {
 "description": "Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.",
 "meta": {
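Review bot: The second added entry uses a bare vendor name as its key, `"value": "Magnet Forensics"`, whereas its neighbours carry topic and year (`TrendMicro Exposed Redis 2020`, `Medium SSL Cert`). `value` is the human-facing lookup key for this cluster and the galaxy validators expect it to be unique, so a vendor-only key collides with the next Magnet Forensics article anyone cites; `"value": "Magnet Forensics Timestomping 2020"` would be both unique and self-describing. If the string mirrors an upstream MITRE `source_name` that other clusters already reference, keep it for key stability and raise the rename upstream instead of forking it here.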
@@ -20257,12 +21482,12 @@
 "value": "Microsoft POLONIUM June 2022"
 },
 {
- "description": "Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved July 3, 2017.",
+ "description": "Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2017-07-03T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2016-05-14T00:00:00Z",
 "refs": [
- "http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way"
+ "https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418"
 ],
 "source": "MITRE",
 "title": "External to DA, the OS X Way"
@@ -20501,6 +21726,22 @@
 "uuid": "5c662775-9703-4d01-844b-40a0e5c24fb9",
 "value": "CitizenLab Tropic Trooper Aug 2018"
 },
+ {
+ "description": "Tahseen Bin Taj, Matthieu Faou. (2021, September 23). FamousSparrow: A suspicious hotel guest. Retrieved October 24, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-24T00:00:00Z",
+ "date_published": "2021-09-23T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "FamousSparrow: A suspicious hotel guest"
+ },
+ "related": [],
+ "uuid": "f91d6d8e-22a4-4851-9444-7a066e6b7aa5",
+ "value": "ESET FamousSparrow September 23 2021"
+ },
 {
 "description": "DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.",
 "meta": {
@@ -20607,6 +21848,21 @@
 "uuid": "d753c01c-c0f6-4382-ae79-5605a28c94d5",
 "value": "FBI Lazarus Stake.com Theft Attribution September 2023"
 },
+ {
+ "description": "Tung, Liam. (2018, May 29). FBI to all router users: Reboot now to neuter Russia's VPNFilter malware. Retrieved March 7, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-07T00:00:00Z",
+ "date_published": "2018-05-29T00:00:00Z",
+ "refs": [
+ "https://www.zdnet.com/article/fbi-to-all-router-users-reboot-now-to-neuter-russias-vpnfilter-malware/"
+ ],
+ "source": "MITRE",
+ "title": "FBI to all router users: Reboot now to neuter Russia's VPNFilter malware"
+ },
+ "related": [],
+ "uuid": "191bc704-3314-56c5-8f2d-dbbbb8afea2f",
+ "value": "VPNFilter Router"
+ },
 {
 "description": "Hakobyan, A. (2009, January 8). FDump - Dumping File Sectors Directly from Disk using Logical Offsets. Retrieved November 12, 2014.",
 "meta": {
@@ -20711,6 +21967,21 @@
 "uuid": "a8420828-9e00-45a1-90d7-a37f898204f9",
 "value": "Airbus Security Kovter Analysis"
 },
+ {
+ "description": "Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved September 24, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-24T00:00:00Z",
+ "date_published": "2022-05-03T00:00:00Z",
+ "refs": [
+ "https://sysdig.com/blog/containers-read-only-fileless-malware/"
+ ],
+ "source": "MITRE",
+ "title": "Fileless malware mitigation"
+ },
+ "related": [],
+ "uuid": "d728b343-3256-55ff-9491-f66b98c16226",
+ "value": "Sysdig Fileless Malware 23022"
+ },
 {
 "description": "Microsoft. (2023, February 6). Fileless threats. Retrieved March 23, 2023.",
 "meta": {
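Review bot: In the second hunk the new entry's key carries a typo in the year, `"value": "Sysdig Fileless Malware 23022"`; `date_published` is `2022-05-03`, so it should be `"value": "Sysdig Fileless Malware 2022"`. `value` is the string other clusters use to point at a reference, and a misspelled key is both easy to mis-cite and hard to find later. If this string is copied verbatim from the upstream MITRE ATT&CK `source_name`, correcting it only here would break the join to upstream data; in that case leave it, report the typo upstream, and fix both together.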
@@ -20772,11 +22043,11 @@
 "value": "Microsoft File Mgmt"
 },
 {
- "description": "Microsoft. (n.d.). File Streams. Retrieved December 2, 2014.",
+ "description": "Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2014-12-02T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "refs": [
- "http://msdn.microsoft.com/en-us/library/aa364404"
+ "https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams"
 ],
 "source": "MITRE",
 "title": "File Streams"
@@ -20982,6 +22253,21 @@
 "uuid": "6ee27fdb-1753-4fdf-af72-3295b072ff10",
 "value": "FireEye FIN7 April 2017"
 },
+ {
+ "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.",
+ "meta": {
+ "date_accessed": "2022-04-05T00:00:00Z",
+ "date_published": "2022-04-04T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/evolution-of-fin7"
+ ],
+ "source": "MITRE",
+ "title": "FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7"
+ },
+ "related": [],
+ "uuid": "be9919c0-ca52-593b-aea0-c5e9a262b570",
+ "value": "Mandiant FIN7 Apr 2022"
+ },
 {
 "description": "Bryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved May 25, 2023.",
 "meta": {
@@ -20998,21 +22284,6 @@
 "uuid": "fbc3ea90-d3d4-440e-964d-6cd2e991df0c",
 "value": "Mandiant FIN7 April 4 2022"
 },
- {
- "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.",
- "meta": {
- "date_accessed": "2022-04-05T00:00:00Z",
- "date_published": "2022-04-04T00:00:00Z",
- "refs": [
- "https://www.mandiant.com/resources/evolution-of-fin7"
- ],
- "source": "MITRE",
- "title": "FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7"
- },
- "related": [],
- "uuid": "be9919c0-ca52-593b-aea0-c5e9a262b570",
- "value": "Mandiant FIN7 Apr 2022"
- },
 {
 "description": "Gemini Advisory. (2021, October 21). FIN7 Recruits Talent For Push Into Ransomware. Retrieved February 2, 2022.",
 "meta": {
@@ -21287,11 +22558,11 @@
 "value": "Findstr.exe - LOLBAS Project"
 },
 {
- "description": "FinFisher. (n.d.). Retrieved December 20, 2017.",
+ "description": "FinFisher. (n.d.). Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2017-12-20T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "refs": [
- "http://www.finfisher.com/FinFisher/index.html"
+ "https://web.archive.org/web/20171222050934/http://www.finfisher.com/FinFisher/index.html"
 ],
 "source": "MITRE",
 "title": "FinFisher Citation"
@@ -21844,21 +23115,6 @@
 "uuid": "02233ce3-abb2-4aed-95b8-56b65c68a665",
 "value": "Quick Heal Blog February 17 2023"
 },
- {
- "description": "Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.",
- "meta": {
- "date_accessed": "2023-03-22T00:00:00Z",
- "date_published": "2023-03-16T00:00:00Z",
- "refs": [
- "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem"
- ],
- "source": "MITRE",
- "title": "Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation"
- },
- "related": [],
- "uuid": "7bdc5bbb-ebbd-5eb8-bd10-9087c883aea7",
- "value": "Mandiant Fortinet Zero Day"
- },
 {
 "description": "ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.",
 "meta": {
@@ -21874,6 +23130,21 @@
 "uuid": "a43dd8ce-23d6-5768-8522-6973dc45e1ac",
 "value": "Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation"
 },
+ {
+ "description": "Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.",
+ "meta": {
+ "date_accessed": "2023-03-22T00:00:00Z",
+ "date_published": "2023-03-16T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem"
+ ],
+ "source": "MITRE",
+ "title": "Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation"
+ },
+ "related": [],
+ "uuid": "7bdc5bbb-ebbd-5eb8-bd10-9087c883aea7",
+ "value": "Mandiant Fortinet Zero Day"
+ },
 {
 "description": "Apple. (n.d.). Foundation. Retrieved July 1, 2020.",
 "meta": {
@@ -21934,12 +23205,12 @@
 "value": "ClearkSky Fox Kitten February 2020"
 },
 {
- "description": "FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud. Retrieved April 18, 2019.",
+ "description": "FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud. Retrieved September 23, 2024.",
 "meta": {
- "date_accessed": "2019-04-18T00:00:00Z",
+ "date_accessed": "2024-09-23T00:00:00Z",
 "date_published": "2012-09-17T00:00:00Z",
 "refs": [
- "https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf"
+ "https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf"
 ],
 "source": "MITRE",
 "title": "Fraud Alert – Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud"
@@ -21963,6 +23234,21 @@
 "uuid": "531206c7-11ec-46bf-a35c-0464244a58c9",
 "value": "MalwareBytes Ngrok February 2020"
 },
+ {
+ "description": "Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet Adds One-Days to Its Arsenal. Retrieved September 24, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-24T00:00:00Z",
+ "date_published": "2024-02-01T00:00:00Z",
+ "refs": [
+ "https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell"
+ ],
+ "source": "MITRE",
+ "title": "Frog4Shell — FritzFrog Botnet Adds One-Days to Its Arsenal"
+ },
+ "related": [],
+ "uuid": "c67a2ccb-7abf-5409-a216-503e661a6b1c",
+ "value": "Akami Frog4Shell 2024"
+ },
 {
 "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.",
 "meta": {
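Review bot: In the second hunk the vendor is misspelled in the key, `"value": "Akami Frog4Shell 2024"`; the `refs` URL is on `akamai.com`, so the key should be `"value": "Akamai Frog4Shell 2024"`. As with the other MITRE-sourced entries in this patch, if this string is the upstream `source_name` used to join against ATT&CK data, correcting it only here breaks that join, so the fix belongs upstream or in both places at once. A key that does not match the vendor's name is also the kind of thing a reviewer searching for "Akamai" references will simply never find.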
@@ -22024,6 +23310,21 @@
 "uuid": "a65d7492-04a4-46d4-85ed-134786c6828b",
 "value": "Proofpoint June 17 2024"
 },
+ {
+ "description": "Tommy Madjar, Dusty Miller, Selena Larson. (2024, June 17). From Clipboard to Compromise: A PowerShell Self-Pwn. Retrieved August 2, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-02T00:00:00Z",
+ "date_published": "2024-06-17T00:00:00Z",
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
+ ],
+ "source": "MITRE",
+ "title": "From Clipboard to Compromise: A PowerShell Self-Pwn"
+ },
+ "related": [],
+ "uuid": "8f00ffc0-7094-5fd9-8ed4-9c129fd93c05",
+ "value": "proofpoint-selfpwn"
+ },
 {
 "description": "Samantha Stallings, Brad Duncan. (2023, December 29). From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence. Retrieved January 11, 2024.",
 "meta": {
@@ -22100,6 +23401,36 @@
 "uuid": "e2637cb3-c449-4609-af7b-ac78a900cc8b",
 "value": "Kaspersky StoneDrill 2017"
 },
+ {
+ "description": "Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering. Retrieved May 3, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-03T00:00:00Z",
+ "date_published": "2024-04-16T00:00:00Z",
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering"
+ ],
+ "source": "MITRE",
+ "title": "From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering"
+ },
+ "related": [],
+ "uuid": "620f5ff7-26c0-55c4-9b1b-c56ad2e1316b",
+ "value": "Proofpoint TA427 April 2024"
+ },
+ {
+ "description": "Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-21T00:00:00Z",
+ "date_published": "2021-05-01T00:00:00Z",
+ "refs": [
+ "https://assets.sentinelone.com/sentinellabs/evol-agrius"
+ ],
+ "source": "MITRE",
+ "title": "From Wiper to Ransomware: The Evolution of Agrius"
+ },
+ "related": [],
+ "uuid": "b5b433a1-5d12-5644-894b-c42d995c9ba5",
+ "value": "SentinelOne Agrius 2021"
+ },
 {
 "description": "LOLBAS. (2021, September 26). FsiAnyCpu.exe. Retrieved December 4, 2023.",
 "meta": {
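Review bot: The second added entry's author field reads `Amitai Ben & Shushan Ehrlich`, which appears to split one SentinelLabs author's name (Amitai Ben Shushan Ehrlich) into two people; confirm against the report byline and drop the ampersand if so. The same entry sets `"date_published": "2021-05-01T00:00:00Z"` although its `description` only knows `(2021, May)`; pinning an unknown day to the 1st manufactures precision that timeline tooling consuming this field will treat as exact. Either omit `date_published`, as this file already does for `(n.d.)` entries, or record the actual publication date from the report.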
@@ -22755,6 +24086,21 @@
 "uuid": "128b4e3f-bb58-45e0-b8d9-bff9fc3ec3df",
 "value": "Wardle Dylib Hijack Vulnerable Apps"
 },
+ {
+ "description": "Lua. (2024, June 25). Getting started. Retrieved August 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-05T00:00:00Z",
+ "date_published": "2024-06-25T00:00:00Z",
+ "refs": [
+ "https://www.lua.org/start.html"
+ ],
+ "source": "MITRE",
+ "title": "Getting started"
+ },
+ "related": [],
+ "uuid": "6d9298d3-ad9f-5b19-949c-84bef49f5f6c",
+ "value": "Lua main page"
+ },
 {
 "description": "Microsoft. (2022, November 3). Getting started with App-V for Windows client. Retrieved February 6, 2024.",
 "meta": {
@@ -22859,6 +24205,22 @@
 "uuid": "5d97b7d7-428e-4408-a4d3-00f52cf4bf15",
 "value": "GfxDownloadWrapper.exe - LOLBAS Project"
 },
+ {
+ "description": "Mark Lechtik. (2021, September 30). GhostEmperor From ProxyLogon to kernel mode. Retrieved October 24, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-24T00:00:00Z",
+ "date_published": "2021-09-30T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "GhostEmperor From ProxyLogon to kernel mode"
+ },
+ "related": [],
+ "uuid": "8851f554-05c6-4fb0-807e-2ef0bc28e131",
+ "value": "Kaspersky September 30 2021"
+ },
 {
 "description": "Sergiu Gatlan. (2023, April 21). GhostToken GCP flaw let attackers backdoor Google accounts. Retrieved September 18, 2023.",
 "meta": {
@@ -22919,6 +24281,21 @@
 "uuid": "4a60fb46-06b7-44ea-a9f6-8d6fa81e9363",
 "value": "GitHub Chisel"
 },
+ {
+ "description": "cybershujin. (n.d.). GitHub cybershujin Threat-Actors-use-of-Artifical-Intelligence. Retrieved September 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-09T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://github.com/cybershujin/Threat-Actors-use-of-Artifical-Intelligence"
+ ],
+ "source": "Tidal Cyber",
+ "title": "GitHub cybershujin Threat-Actors-use-of-Artifical-Intelligence"
+ },
+ "related": [],
+ "uuid": "b595af7e-ff84-49fa-8e07-cd2abe9e1d65",
+ "value": "GitHub cybershujin Threat-Actors-use-of-Artifical-Intelligence"
+ },
 {
 "description": "Gretzky, Kuba. (2019, April 10). Retrieved October 8, 2019.",
 "meta": {
@@ -23496,6 +24873,21 @@
 "uuid": "5031e82e-66e8-4ae0-be47-53daa87ddf94",
 "value": "Trustwave GoldenSpy2 June 2020"
 },
+ {
+ "description": "Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-05T00:00:00Z",
+ "date_published": "2024-04-15T00:00:00Z",
+ "refs": [
+ "https://www.secureworks.com/blog/gold-ionic-deploys-inc-ransomware"
+ ],
+ "source": "MITRE",
+ "title": "GOLD IONIC DEPLOYS INC RANSOMWARE"
+ },
+ "related": [],
+ "uuid": "e723e7b3-496f-5ab4-abaf-83859e7e912d",
+ "value": "Secureworks GOLD IONIC April 2024"
+ },
 {
 "description": "Secureworks. (n.d.). GOLD KINGSWOOD. Retrieved October 18, 2021.",
 "meta": {
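Review bot: The first added entry cites a personal GitHub repository by its default-branch URL, `https://github.com/cybershujin/Threat-Actors-use-of-Artifical-Intelligence`, so the content behind the reference can be rewritten or force-pushed at any time and the citation fixes no version. For a reference that backs intelligence claims, pin it to a commit (`.../tree/<sha>`) or add a `web.archive.org` snapshot next to the live URL, as this patch does for the FinFisher entry. The misspelling `Artifical` is the repository's actual name and must be left as-is in `refs`, `title` and `value`, otherwise the link breaks.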
@@ -23667,6 +25059,20 @@
 "uuid": "5104f0ea-1fb6-4260-a9b6-95922b3a8e5b",
 "value": "Google Workspace Global Access List"
 },
+ {
+ "description": "L'Hutereau Arnaud. (n.d.). Google Workspace Malicious App Script analysis. Retrieved October 2, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-02T00:00:00Z",
+ "refs": [
+ "https://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis"
+ ],
+ "source": "MITRE",
+ "title": "Google Workspace Malicious App Script analysis"
+ },
+ "related": [],
+ "uuid": "1f837b2d-6b45-57ed-8d34-a78ce88cb998",
+ "value": "OWN-CERT Google App Script 2024"
+ },
 {
 "description": "Trend Micro. (2023, January 9). Gootkit Loader Actively Targets Australian Healthcare Industry. Retrieved May 7, 2023.",
 "meta": {
@@ -23698,6 +25104,21 @@
 "uuid": "63357292-0f08-4405-a45a-34b606ab7110",
 "value": "Sophos Gootloader"
 },
+ {
+ "description": "Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-28T00:00:00Z",
+ "date_published": "2021-06-16T00:00:00Z",
+ "refs": [
+ "https://www.sentinelone.com/labs/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/"
+ ],
+ "source": "MITRE",
+ "title": "Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets"
+ },
+ "related": [],
+ "uuid": "8512c5fd-2ddc-5de4-bb7d-8012402efbb5",
+ "value": "SentinelOne Gootloader June 2021"
+ },
 {
 "description": "Antonio Pirozzi. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 7, 2023.",
 "meta": {
@@ -23730,6 +25151,21 @@
 "uuid": "098bf58f-3868-4892-bb4d-c78ce8817a02",
 "value": "Cybereason Gootloader February 2023"
 },
+ {
+ "description": "GoTo. (n.d.). GoTo Resolve. Retrieved October 11, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-11T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.goto.com/it-management/resolve"
+ ],
+ "source": "Tidal Cyber",
+ "title": "GoTo Resolve"
+ },
+ "related": [],
+ "uuid": "f1a13cad-b77e-4c38-925c-038a4fcec8d3",
+ "value": "GoTo Resolve"
+ },
 {
 "description": "Jim Walter. (2023, January 16). Gotta Catch 'Em All . Retrieved January 1, 2024.",
 "meta": {
@@ -23774,6 +25210,21 @@
 "uuid": "77624549-e170-5894-9219-a15b4aa31726",
 "value": "Secureworks BRONZE SILHOUETTE May 2023"
 },
+ {
+ "description": "Morgan, K. (2023, October 18). Government-backed actors exploiting WinRAR vulnerability. Retrieved July 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-19T00:00:00Z",
+ "date_published": "2023-10-18T00:00:00Z",
+ "refs": [
+ "https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/"
+ ],
+ "source": "MITRE",
+ "title": "Government-backed actors exploiting WinRAR vulnerability"
+ },
+ "related": [],
+ "uuid": "009ac8a4-7e2b-543e-82aa-ce3cc9f0c35e",
+ "value": "Google_WinRAR_vuln_2023"
+ },
 {
 "description": "Kate Morgan. (2023, October 18). Government-backed actors exploiting WinRAR vulnerability. Retrieved July 10, 2024.",
 "meta": {
@@ -23790,6 +25241,20 @@
 "uuid": "6e8fb629-4bb8-4557-9d42-385060be598f",
 "value": "Google TAG CVE-2023-38831 October 18 2023"
 },
+ {
+ "description": "US Department of Justice. (2024, January 31). U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure. Retrieved June 10, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-10T00:00:00Z",
+ "refs": [
+ "https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical"
+ ],
+ "source": "MITRE",
+ "title": "Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure"
+ },
+ "related": [],
+ "uuid": "55cf0ced-0de3-5af8-b3e6-3c33bb445593",
+ "value": "DOJ KVBotnet 2024"
+ },
 {
 "description": "Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.",
 "meta": {
@@ -23895,6 +25360,21 @@
 "uuid": "a2d4bca5-d57d-4a77-95c6-409f90115e2f",
 "value": "IBM Grandoreiro April 2020"
 },
+ {
+ "description": "Keza MacDonald, Keith Stuart and Alex Hern. (2022, September 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?. Retrieved August 30, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-30T00:00:00Z",
+ "date_published": "2022-09-19T00:00:00Z",
+ "refs": [
+ "https://www.theguardian.com/games/2022/sep/19/grand-theft-auto-6-leak-who-hacked-rockstar-and-what-was-stolen"
+ ],
+ "source": "MITRE",
+ "title": "Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?"
+ },
+ "related": [],
+ "uuid": "ec648a9b-025a-52a0-a98a-7ba04388d52e",
+ "value": "Guardian Grand Theft Auto Leak 2022"
+ },
 {
 "description": "AWS. (n.d.). Granting a user permissions to pass a role to an AWS service. Retrieved July 10, 2023.",
 "meta": {
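Review bot: The new `DOJ KVBotnet 2024` entry in the first hunk has no `date_published`, even though its `description` states `(2024, January 31)`; every other entry in this patch whose description carries a date also records it, so add `"date_published": "2024-01-31T00:00:00Z"` after `date_accessed`. The `title` also drops the leading `U.S. ` that the `description` keeps (`Government Disrupts Botnet ...`), so title-based lookups will not match the press release's headline; the two fields should agree. The entry is otherwise consistent with the press release its URL names, as far as the hunk shows.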
@@ -24190,6 +25670,48 @@ "uuid": "3fad6618-5a85-4f7a-be2b-0600269d7768", "value": "GTFObins at" }, + { + "description": "AWS. (n.d.). GuardDuty EC2 finding types. Retrieved September 25, 2024.", + "meta": { + "date_accessed": "2024-09-25T00:00:00Z", + "refs": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html" + ], + "source": "MITRE", + "title": "GuardDuty EC2 finding types" + }, + "related": [], + "uuid": "249f1a90-d6ed-503c-998c-a9d1650509d2", + "value": "AWS GuardDuty EC2 finding types" + }, + { + "description": "AWS. (n.d.). GuardDuty IAM finding types. Retrieved September 24, 2024.", + "meta": { + "date_accessed": "2024-09-24T00:00:00Z", + "refs": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html" + ], + "source": "MITRE", + "title": "GuardDuty IAM finding types" + }, + "related": [], + "uuid": "215a79b4-c25b-5b09-912a-6b68914bb1ba", + "value": "AWS GuardDuty IAM finding types" + }, + { + "description": "AWS. (n.d.). GuardDuty RDS Protection. Retrieved September 24, 2024.", + "meta": { + "date_accessed": "2024-09-24T00:00:00Z", + "refs": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/rds-protection.html" + ], + "source": "MITRE", + "title": "GuardDuty RDS Protection" + }, + "related": [], + "uuid": "4c6101f0-25d9-5ed1-98a2-a0c468e3ff1a", + "value": "AWS GuardDuty RDS Protection" + }, { "description": "Rotem Sde-Or. (2022, February 15). Guard Your Drive from DriveGuard: Moses Staff Campaigns Against Israeli Organizations Span Several Months. Retrieved October 23, 2023.", "meta": { 
@@ -24236,6 +25758,20 @@
 "uuid": "b42f119d-144a-470a-b9fe-ccbf80a78fbb",
 "value": "Unit 42 NETWIRE April 2020"
 },
+ {
+ "description": "HackTricks Cloud. (n.d.). GWS - App Scripts. Retrieved July 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-01T00:00:00Z",
+ "refs": [
+ "https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts"
+ ],
+ "source": "MITRE",
+ "title": "GWS - App Scripts"
+ },
+ "related": [],
+ "uuid": "32569f13-e383-576c-813c-52490450464d",
+ "value": "Cloud Hack Tricks GWS Apps Script"
+ },
 {
 "description": "www.picussecurity.com. (n.d.). H0lyGh0st - North Korean Threat Group Strikes Back With New Ransomware. Retrieved May 19, 2023.",
 "meta": {
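Review bot: The new HackTricks Cloud reference points at a continuously edited community wiki and has no `date_published`, so `date_accessed` is the only anchor for what was actually read; elsewhere in this patch (the APT17 entry) a web.archive.org snapshot is substituted for a moving URL, and the same treatment would suit this one, e.g. keeping the live URL and adding the snapshot as a second element of `refs`. Separately, `value` spells the subject "Apps Script" while `title` says "App Scripts"; the two should use one spelling unless the key is inherited from an upstream citation.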
@@ -24341,6 +25877,36 @@ "uuid": "97d16d3a-98a0-4a7d-9f74-8877c8088ddf", "value": "Data Destruction - Threat Post" }, + { + "description": "Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.", + "meta": { + "date_accessed": "2024-07-01T00:00:00Z", + "date_published": "2021-02-18T00:00:00Z", + "refs": [ + "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette" + ], + "source": "MITRE", + "title": "Hackers abuse Google Apps Script to steal credit cards, bypass CSP" + }, + "related": [], + "uuid": "590687ce-0d66-584d-a6bf-8e7288f00d1e", + "value": "GWS Apps Script Abuse 2021" + }, + { + "description": "Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting tool to deploy malware. Retrieved July 8, 2024.", + "meta": { + "date_accessed": "2024-07-08T00:00:00Z", + "date_published": "2023-01-04T00:00:00Z", + "refs": [ + "https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/" + ], + "source": "MITRE", + "title": "Hackers abuse Windows error reporting tool to deploy malware" + }, + "related": [], + "uuid": "f7ab464d-255b-5d92-a878-c16c905c057b", + "value": "Bleeping Computer - Scriptrunner.exe" + }, { "description": "Katrina Manson. (2024, May 8). Hackers Behind MGM Attack Targeting Financial Sector in New Campaign. Retrieved May 22, 2024.", "meta": { 
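Review bot: The ref URL of the new "GWS Apps Script Abuse 2021" entry in the first hunk carries the `#google_vignette` fragment, an ad-interstitial artifact appended by the browser rather than part of the article address; it should be stripped so the canonical URL matches the other BleepingComputer references in the file: `"https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/"`. The second hunk's `"value": "Bleeping Computer - Scriptrunner.exe"` is also the only key in this patch using a " - " separator; `"Bleeping Computer Scriptrunner.exe January 2023"` would follow the prevailing "source subject date" form.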
@@ -24779,21 +26345,6 @@ "uuid": "95d6d1ce-ceba-48ee-88c4-0fb30058bd80", "value": "Specter Ops - Cloud Credential Storage" }, - { - "description": "KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.", - "meta": { - "date_accessed": "2022-09-30T00:00:00Z", - "date_published": "2019-09-23T00:00:00Z", - "refs": [ - "https://securelist.com/my-name-is-dtrack/93338/" - ], - "source": "MITRE", - "title": "Hello! My name is Dtrack" - }, - "related": [], - "uuid": "a011b68a-30e0-4204-9bf3-fa73f2a238b4", - "value": "Securelist Dtrack2" - }, { "description": "Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.", "meta": { @@ -24810,19 +26361,19 @@ "value": "Securelist Dtrack" }, { - "description": "Mark Baggett. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved November 8, 2012.", + "description": "KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.", "meta": { - "date_accessed": "2012-11-08T00:00:00Z", - "date_published": "2012-11-08T00:00:00Z", + "date_accessed": "2022-09-30T00:00:00Z", + "date_published": "2019-09-23T00:00:00Z", "refs": [ - "https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464" + "https://securelist.com/my-name-is-dtrack/93338/" ], "source": "MITRE", - "title": "Help eliminate unquoted path vulnerabilities" + "title": "Hello! My name is Dtrack" }, "related": [], - "uuid": "23ad5a8c-cbe1-4f40-8757-f1784a4003a1", - "value": "Help eliminate unquoted path" + "uuid": "a011b68a-30e0-4204-9bf3-fa73f2a238b4", + "value": "Securelist Dtrack2" }, { "description": "Baggett, M. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved December 4, 2014.", 
@@ -24839,6 +26390,21 @@ "uuid": "9b234329-5e05-4035-af38-dd8ab20fd68e", "value": "Baggett 2012" }, + { + "description": "Mark Baggett. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved November 8, 2012.", + "meta": { + "date_accessed": "2012-11-08T00:00:00Z", + "date_published": "2012-11-08T00:00:00Z", + "refs": [ + "https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464" + ], + "source": "MITRE", + "title": "Help eliminate unquoted path vulnerabilities" + }, + "related": [], + "uuid": "23ad5a8c-cbe1-4f40-8757-f1784a4003a1", + "value": "Help eliminate unquoted path" + }, { "description": "Kellie Eickmeyer. (2022, February 7). Helping users stay safe: Blocking internet macros by default in Office. Retrieved February 7, 2022.", "meta": { @@ -24855,12 +26421,12 @@ "value": "Default VBS macros Blocking" }, { - "description": "Carr, N. (2018, January 31). Here is some early bad cmstp.exe... Retrieved April 11, 2018.", + "description": "Carr, N. (2018, January 31). Here is some early bad cmstp.exe... Retrieved September 12, 2024.", "meta": { - "date_accessed": "2018-04-11T00:00:00Z", + "date_accessed": "2024-09-12T00:00:00Z", "date_published": "2018-01-31T00:00:00Z", "refs": [ - "https://twitter.com/ItsReallyNick/status/958789644165894146" + "https://x.com/ItsReallyNick/status/958789644165894146" ], "source": "MITRE", "title": "Here is some early bad cmstp.exe.." @@ -25054,7 +26620,7 @@ "date_accessed": "2016-01-22T00:00:00Z", "date_published": "2015-05-14T00:00:00Z", "refs": [ - "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf" + "https://web.archive.org/web/20240119213200/https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf" ], "source": "MITRE, Tidal Cyber", "title": "Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic" 
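Review bot: In the third hunk the APT17 ref is swapped for a web.archive.org snapshot captured in January 2024 (the `20240119213200` timestamp in the URL), but `date_accessed` stays at `"2016-01-22T00:00:00Z"`, so the record now claims a 2016 access of a 2024 snapshot. The second hunk on this line handles the same situation consistently, updating `date_accessed` to `2024-09-12` alongside the twitter→x.com swap; the APT17 entry should likewise carry the date the archived copy was verified, e.g. `"date_accessed": "2024-01-19T00:00:00Z"` if that is when the snapshot was checked, or the real verification date.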
@@ -25063,6 +26629,21 @@ "uuid": "a303f97a-72dd-4833-bac7-a421addc3242", "value": "FireEye APT17" }, + { + "description": "Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske. (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land Binaries. Retrieved July 15, 2024.", + "meta": { + "date_accessed": "2024-07-15T00:00:00Z", + "date_published": "2023-03-16T00:00:00Z", + "refs": [ + "https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/" + ], + "source": "MITRE", + "title": "Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land Binaries" + }, + "related": [], + "uuid": "38ed8950-413b-56b5-98c3-ae6420850dc4", + "value": "ATTACK IQ" + }, { "description": "Crowdstrike. (2018, July 18). Hiding in Plain Sight: Using the Office 365 Activities API to Investigate Business Email Compromises. Retrieved January 19, 2020.", "meta": { @@ -25215,6 +26796,22 @@ "uuid": "f5e43446-04ea-4dcd-be3a-22f8b10b8aa1", "value": "Hive Ransomware Analysis | Kroll" }, + { + "description": "Martin Zugec. (2023, November 9). Hive Ransomware's Offspring: Hunters International Takes the Stage. Retrieved October 4, 2024.", + "meta": { + "date_accessed": "2024-10-04T00:00:00Z", + "date_published": "2023-11-09T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.bitdefender.com/en-us/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage/" + ], + "source": "Tidal Cyber", + "title": "Hive Ransomware's Offspring: Hunters International Takes the Stage" + }, + "related": [], + "uuid": "ae0a88d6-bd46-4b22-bfb1-25003bfe83d7", + "value": "Bitdefender Hunters International November 9 2023" + }, { "description": "Microsoft. (2021, August 5). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved August 25, 2021.", "meta": { 
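Review bot: `"value": "ATTACK IQ"` on the new LOLBin reference in the first hunk is just the vendor name, so it is uninformative and will collide with any future AttackIQ citation; the file's keys otherwise encode source, subject and date (cf. `"Bitdefender Hunters International November 9 2023"` in the second hunk). Unless the key must stay identical to an upstream citation key, `"value": "AttackIQ LOLBins March 2023"` would be distinctive and consistent.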
@@ -25349,6 +26946,21 @@
 "uuid": "6a013c48-3b58-5b87-9af5-0b7d01f27c48",
 "value": "Andy Greenberg June 2017"
 },
+ {
+ "description": "Adi Perez. (2023, February 22). How Attackers Can Misuse Sitemaps to Enumerate Users and Discover Sensitive Information. Retrieved July 18, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-18T00:00:00Z",
+ "date_published": "2023-02-22T00:00:00Z",
+ "refs": [
+ "https://medium.com/@adimenia/how-attackers-can-misuse-sitemaps-to-enumerate-users-and-discover-sensitive-information-361a5065857a"
+ ],
+ "source": "MITRE",
+ "title": "How Attackers Can Misuse Sitemaps to Enumerate Users and Discover Sensitive Information"
+ },
+ "related": [],
+ "uuid": "b52dcca4-19cb-5b95-9c5e-8b5c81fd986f",
+ "value": "Perez Sitemap XML 2023"
+ },
 {
 "description": "Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016.",
 "meta": {
@@ -25529,6 +27141,37 @@ "uuid": "e6136a63-81fe-4363-8d98-f7d1e85a0f2b", "value": "Cyware Social Media" }, + { + "description": "James. (2024, October 2). How Infostealers Are Bypassing New Chrome Security Feature to Steal User Session Cookies. Retrieved October 13, 2024.", + "meta": { + "date_accessed": "2024-10-13T00:00:00Z", + "date_published": "2024-10-02T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://spycloud.com/blog/infostealers-bypass-new-chrome-security-feature/" + ], + "source": "Tidal Cyber", + "title": "How Infostealers Are Bypassing New Chrome Security Feature to Steal User Session Cookies" + }, + "related": [], + "uuid": "9e680ab4-5d8d-46a1-a1e8-2ca2914bb93f", + "value": "SpyCloud Stealers Chrome Bypass October 2 2024" + }, + { + "description": "Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names to Evade Detection. Retrieved September 19, 2024.", + "meta": { + "date_accessed": "2024-09-19T00:00:00Z", + "date_published": "2015-03-09T00:00:00Z", + "refs": [ + "https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/" + ], + "source": "MITRE", + "title": "How Malware Generates Mutex Names to Evade Detection" + }, + "related": [], + "uuid": "31352deb-6c9d-5f1d-be73-60ccd0ccae93", + "value": "ICS Mutexes 2015" + }, { "description": "Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021.", "meta": { 
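Review bot: `"value": "ICS Mutexes 2015"` in the second hunk reads as an industrial-control-systems reference, but the source is the SANS Internet Storm Center (`isc.sans.edu`), so the key is misleading to anyone searching the cluster. If the key is free to change, `"value": "ISC Mutexes 2015"` fixes it; if it mirrors an upstream citation key and must stay, the `description` should at least name the Storm Center so the expansion is not misread.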
@@ -25722,6 +27365,21 @@ "uuid": "ee1abe19-f38b-5127-8377-f13f57f2abcb", "value": "BOA Telephone Scams" }, + { + "description": "Moussa Diallo and Brett Winterford. (2024, April 26). How to Block Anonymizing Services using Okta. Retrieved May 28, 2024.", + "meta": { + "date_accessed": "2024-05-28T00:00:00Z", + "date_published": "2024-04-26T00:00:00Z", + "refs": [ + "https://sec.okta.com/blockanonymizers" + ], + "source": "MITRE", + "title": "How to Block Anonymizing Services using Okta" + }, + "related": [], + "uuid": "5790f25c-d1a5-5fb9-b213-0d84a6570c4c", + "value": "Okta Block Anonymizing Services" + }, { "description": "Fehrman, B. (2017, April 13). How to Bypass Web-Proxy Filtering. Retrieved September 20, 2019.", "meta": { @@ -25915,6 +27573,20 @@ "uuid": "695f3d20-7a46-5a4a-aef0-0a05a5e35304", "value": "Find Wi-Fi Password on Mac" }, + { + "description": "Stack Overflow. (n.d.). How to find the location of the Scheduled Tasks folder. Retrieved June 19, 2024.", + "meta": { + "date_accessed": "2024-06-19T00:00:00Z", + "refs": [ + "https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder" + ], + "source": "MITRE", + "title": "How to find the location of the Scheduled Tasks folder" + }, + "related": [], + "uuid": "cf995fb6-33ac-51ea-a9ce-c18d9cfd56f1", + "value": "Stack Overflow" + }, { "description": "Microsoft. (2016, October 20). How to: Find the Web Application Root. Retrieved July 27, 2018.", "meta": { 
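Review bot: `"value": "Stack Overflow"` on the second hunk's new entry is a bare site name, so it cannot distinguish this citation from any other Stack Overflow answer added later, and `value` is the key consumers match on. If the key is not fixed by an upstream citation, something like `"value": "Stack Overflow Scheduled Tasks Folder"` keeps it unique; the first hunk's `"Okta Block Anonymizing Services"` shows the intended form.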
@@ -26030,6 +27702,21 @@ "uuid": "51584201-40a4-4e39-ad23-14453e1eea46", "value": "HowToGeek ShowExtension" }, + { + "description": "Jeff Levine. (2017, January 3). How to Monitor AWS Account Configuration Changes and API Calls to Amazon EC2 Security Groups. Retrieved September 24, 2024.", + "meta": { + "date_accessed": "2024-09-24T00:00:00Z", + "date_published": "2017-01-03T00:00:00Z", + "refs": [ + "https://aws.amazon.com/blogs/security/how-to-monitor-aws-account-configuration-changes-and-api-calls-to-amazon-ec2-security-groups/" + ], + "source": "MITRE", + "title": "How to Monitor AWS Account Configuration Changes and API Calls to Amazon EC2 Security Groups" + }, + "related": [], + "uuid": "c61d45fa-d6ec-5c8f-83ca-474ac43376f6", + "value": "AWS Monitor API Calls to EC2 Security Groups" + }, { "description": "Microsoft. (2021, September 24). How to remove entries from the Remote Desktop Connection Computer box. Retrieved June 15, 2022.", "meta": { @@ -26508,6 +28195,21 @@ "uuid": "e5944e4c-76c6-55d1-97ec-8367b7f98c28", "value": "Microsoft Subscription Hijacking 2022" }, + { + "description": "Jamie Harries. (2022, May 25). Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun. Retrieved September 23, 2024.", + "meta": { + "date_accessed": "2024-09-23T00:00:00Z", + "date_published": "2022-05-25T00:00:00Z", + "refs": [ + "https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/" + ], + "source": "MITRE", + "title": "Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun" + }, + "related": [], + "uuid": "e7b7aee0-486e-5936-9b01-446dce22f917", + "value": "Harries JustForFun 2022" + }, { "description": "Jamie Harries. (2022, May 25). Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun. Retrieved October 18, 2022.", "meta": { 
@@ -26744,6 +28446,21 @@ "uuid": "325988b8-1c7d-4296-83d6-bfcbe533b75e", "value": "CrowdStrike IceApple May 2022" }, + { + "description": "Kenefick , I. (2022, December 23). IcedID Botnet Distributors Abuse Google PPC to Distribute Malware. Retrieved July 24, 2024.", + "meta": { + "date_accessed": "2024-07-24T00:00:00Z", + "date_published": "2022-12-23T00:00:00Z", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html" + ], + "source": "MITRE", + "title": "IcedID Botnet Distributors Abuse Google PPC to Distribute Malware" + }, + "related": [], + "uuid": "d7584086-0a3c-5047-af06-760a295442eb", + "value": "Trendmicro_IcedID" + }, { "description": "Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China’s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018.", "meta": { @@ -27360,6 +29077,21 @@ "uuid": "7e793738-c132-47bf-90aa-1f0659564d16", "value": "SentinelOne September 21 2023" }, + { + "description": "Toulas, B. (2024, March 27). INC Ransom threatens to leak 3TB of NHS Scotland stolen data. Retrieved June 5, 2024.", + "meta": { + "date_accessed": "2024-06-05T00:00:00Z", + "date_published": "2024-03-27T00:00:00Z", + "refs": [ + "https://www.bleepingcomputer.com/news/security/inc-ransom-threatens-to-leak-3tb-of-nhs-scotland-stolen-data/" + ], + "source": "MITRE", + "title": "INC Ransom threatens to leak 3TB of NHS Scotland stolen data" + }, + "related": [], + "uuid": "fbfd6be8-acc7-5ed4-b2b7-9248c2c27682", + "value": "Bleeping Computer INC Ransomware March 2024" + }, { "description": "Cybersecurity and Infrastructure Security Agency. (2023, July 6). Increased Truebot Activity Infects U.S. and Canada Based Networks. Retrieved July 6, 2023.", "meta": { 
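Review bot: The author field of the new Trend Micro IcedID entry in the first hunk has a stray space before the comma, `"Kenefick , I."`, which will propagate into any rendered citation; it should read `"description": "Kenefick, I. (2022, December 23). IcedID Botnet Distributors Abuse Google PPC to Distribute Malware. Retrieved July 24, 2024."`. Its key `"Trendmicro_IcedID"` is also in the underscore style rather than the space-separated form the second hunk uses (`"Bleeping Computer INC Ransomware March 2024"`).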
@@ -27512,12 +29244,12 @@ "value": "FBI Flash Diavol January 2022" }, { - "description": "FBI. (2020, November 19). Indicators of Compromise Associated with Ragnar Locker Ransomware. Retrieved April 1, 2021.", + "description": "FBI. (2020, November 19). Indicators of Compromise Associated with Ragnar Locker Ransomware. Retrieved September 12, 2024.", "meta": { - "date_accessed": "2021-04-01T00:00:00Z", + "date_accessed": "2024-09-12T00:00:00Z", "date_published": "2020-11-19T00:00:00Z", "refs": [ - "https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf" + "https://s3.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf" ], "source": "MITRE", "title": "Indicators of Compromise Associated with Ragnar Locker Ransomware" @@ -27737,6 +29469,21 @@ "uuid": "5033e741-834c-49d6-bc89-f64b9508f8b5", "value": "SentinelOne MacMa Nov 2021" }, + { + "description": "Phil Stokes. (2021, November 15). Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma. Retrieved July 26, 2024.", + "meta": { + "date_accessed": "2024-07-26T00:00:00Z", + "date_published": "2021-11-15T00:00:00Z", + "refs": [ + "https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/" + ], + "source": "MITRE", + "title": "Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma" + }, + "related": [], + "uuid": "4994f4e6-4ae4-58b8-8cf8-ab62b2c92d79", + "value": "SentinelOne Macma 2021" + }, { "description": "Michael Stump. (2003). Information Security Reading Room Securing SNMP: A Look atNet-SNMP (SNMPv3). Retrieved October 19, 2020.", "meta": { 
@@ -28450,6 +30197,22 @@ "uuid": "cca306e5-f9da-4782-a06f-ba3ad70e34ca", "value": "GitHub Inveigh" }, + { + "description": "Mandiant. (2024, October 24). Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) . Retrieved October 25, 2024.", + "meta": { + "date_accessed": "2024-10-25T00:00:00Z", + "date_published": "2024-10-24T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575" + ], + "source": "Tidal Cyber", + "title": "Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)" + }, + "related": [], + "uuid": "71ffc061-2231-4841-bcee-c30f713f08a1", + "value": "Google Cloud October 24 2024" + }, { "description": "Piper, S.. (2018, September 24). Investigating Malicious AMIs. Retrieved March 30, 2021.", "meta": { 
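Review bot: The description of the new FortiManager entry contains a space before the sentence-ending period, `(CVE-2024-47575) . Retrieved`, which the `title` does not; the description should be `"Mandiant. (2024, October 24). Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575). Retrieved October 25, 2024."`. The key `"Google Cloud October 24 2024"` names only publisher and date, so a second Google Cloud post from the same day would collide with it; including the subject, e.g. `"Google Cloud FortiManager CVE-2024-47575 October 24 2024"`, keeps it unique.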
@@ -28465,6 +30228,37 @@ "uuid": "e93e16fc-4ae4-4f1f-9d80-dc48c1c30e25", "value": "Summit Route Malicious AMIs" }, + { + "description": "Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.", + "meta": { + "date_accessed": "2024-06-05T00:00:00Z", + "date_published": "2023-08-11T00:00:00Z", + "refs": [ + "https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity" + ], + "source": "MITRE", + "title": "Investigating New INC Ransom Group Activity" + }, + "related": [], + "uuid": "d315547d-26e3-5130-a794-658eecf1e0df", + "value": "Huntress INC Ransom Group August 2023" + }, + { + "description": "Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved October 4, 2024.", + "meta": { + "date_accessed": "2024-10-04T00:00:00Z", + "date_published": "2023-08-11T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity" + ], + "source": "Tidal Cyber", + "title": "Investigating New INC Ransom Group Activity" + }, + "related": [], + "uuid": "37c82ff5-f565-445b-9fa5-bb172b5f425c", + "value": "Huntress INC Ransomware August 11 2023" + }, { "description": "Hastings, M. (2014, July 16). Investigating PowerShell Attacks. Retrieved December 1, 2021.", "meta": { @@ -28644,20 +30438,6 @@ "uuid": "956b3d80-4e19-4cab-a65f-ad86f233aa12", "value": "GitHub Invoke-Obfuscation" }, - { - "description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.", - "meta": { - "date_accessed": "2022-09-30T00:00:00Z", - "refs": [ - "https://github.com/peewpw/Invoke-PSImage" - ], - "source": "MITRE", - "title": "Invoke-PSImage" - }, - "related": [], - "uuid": "449c873c-c5af-45b8-8bd7-505d2181a05c", - "value": "GitHub PSImage" - }, { "description": "Adams, B. (2017, December 17). Invoke-PSImage. Retrieved April 10, 2018.", "meta": { 
@@ -28673,6 +30453,20 @@ "uuid": "dd210b79-bd5f-4282-9542-4d1ae2f16438", "value": "GitHub Invoke-PSImage" }, + { + "description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.", + "meta": { + "date_accessed": "2022-09-30T00:00:00Z", + "refs": [ + "https://github.com/peewpw/Invoke-PSImage" + ], + "source": "MITRE", + "title": "Invoke-PSImage" + }, + "related": [], + "uuid": "449c873c-c5af-45b8-8bd7-505d2181a05c", + "value": "GitHub PSImage" + }, { "description": "PowerShellMafia. (2016, December 14). Invoke-Shellcode. Retrieved May 25, 2023.", "meta": { @@ -28703,6 +30497,21 @@ "uuid": "4ce05edd-da25-4559-8489-b78cdd2c0f3d", "value": "Wikipedia Xen" }, + { + "description": "Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.", + "meta": { + "date_accessed": "2024-07-08T00:00:00Z", + "date_published": "2024-05-22T00:00:00Z", + "refs": [ + "https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks" + ], + "source": "MITRE", + "title": "IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders" + }, + "related": [], + "uuid": "3852fe26-53ad-504f-9328-7e249d121ebd", + "value": "ORB Mandiant" + }, { "description": "Ostorlab. (n.d.). iOS URL Scheme Hijacking. Retrieved February 9, 2024.", "meta": { 
@@ -28869,6 +30678,37 @@ "uuid": "24ea6a5d-2593-4639-8616-72988bf2fa07", "value": "BitDefender Chafer May 2020" }, + { + "description": "Cybersecurity and Infrastructure Security Agency. (2024, October 16). Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations. Retrieved October 17, 2024.", + "meta": { + "date_accessed": "2024-10-17T00:00:00Z", + "date_published": "2024-10-16T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a" + ], + "source": "Tidal Cyber", + "title": "Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations" + }, + "related": [], + "uuid": "a70a4487-eaae-43b3-bfe0-0677fd911959", + "value": "U.S. CISA Iranian Actors Critical Infrastructure October 16 2024" + }, + { + "description": "INSIKT GROUP. (2020, January 7). Iranian Cyber Response to Death of IRGC Head Would Likely Use Reported TTPs and Previous Access. Retrieved May 22, 2024.", + "meta": { + "date_accessed": "2024-05-22T00:00:00Z", + "date_published": "2020-01-07T00:00:00Z", + "refs": [ + "https://www.recordedfuture.com/blog/iranian-cyber-response" + ], + "source": "MITRE", + "title": "Iranian Cyber Response to Death of IRGC Head Would Likely Use Reported TTPs and Previous Access" + }, + "related": [], + "uuid": "a83365fb-aae4-57ca-9d11-1ad14d27976f", + "value": "RecordedFuture IranianResponse 2020" + }, { "description": "FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.", "meta": { 
@@ -29022,6 +30862,21 @@ "uuid": "593e8f9f-88ec-4bdc-90c3-1a320fa8a041", "value": "Check Point APT34 April 2021" }, + { + "description": "Microsoft Threat Intelligence. (2023, May 2). Iran turning to cyber-enabled influence operations for greater effect. Retrieved May 21, 2024.", + "meta": { + "date_accessed": "2024-05-21T00:00:00Z", + "date_published": "2023-05-02T00:00:00Z", + "refs": [ + "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/05/Iran-turning-to-cyber-enabled-influence-operations-for-greater-effect-05022023.pdf" + ], + "source": "MITRE", + "title": "Iran turning to cyber-enabled influence operations for greater effect" + }, + "related": [], + "uuid": "08053c85-68ba-538b-b2f6-7ea0df654900", + "value": "Microsoft Iran Cyber 2023" + }, { "description": "Higgins, K. (2019, January 30). Iran Ups its Traditional Cyber Espionage Tradecraft. Retrieved May 22, 2020.", "meta": { @@ -29437,12 +31292,12 @@ "value": "CitizenLab KeyBoy Nov 2016" }, { - "description": "Carr, N. (2017, December 22). ItsReallyNick Status Update. Retrieved April 9, 2018.", + "description": "Carr, N. (2017, December 22). ItsReallyNick Status Update. Retrieved September 12, 2024.", "meta": { - "date_accessed": "2018-04-09T00:00:00Z", + "date_accessed": "2024-09-12T00:00:00Z", "date_published": "2017-12-22T00:00:00Z", "refs": [ - "https://twitter.com/ItsReallyNick/status/944321013084573697" + "https://x.com/ItsReallyNick/status/944321013084573697" ], "source": "MITRE", "title": "ItsReallyNick Status Update" 
@@ -29482,12 +31337,12 @@ "value": "Trend Micro IXESHE 2012" }, { - "description": "James. (2019, July 14). @James_inthe_box. Retrieved March 28, 2022.", + "description": "James. (2019, July 14). @James_inthe_box. Retrieved September 12, 2024.", "meta": { - "date_accessed": "2022-03-28T00:00:00Z", + "date_accessed": "2024-09-12T00:00:00Z", "date_published": "2019-07-14T00:00:00Z", "refs": [ - "https://twitter.com/james_inthe_box/status/1150495335812177920" + "https://x.com/james_inthe_box/status/1150495335812177920" ], "source": "MITRE", "title": "@James_inthe_box" @@ -29676,21 +31531,6 @@ "uuid": "09c99ca2-5f10-5f78-9ba3-5e0e79ce8d96", "value": "Microsoft PS JEA" }, - { - "description": "Office of Public Affairs. (2024, February 15). Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). Retrieved March 28, 2024.", - "meta": { - "date_accessed": "2024-03-28T00:00:00Z", - "date_published": "2024-02-15T00:00:00Z", - "refs": [ - "https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian" - ], - "source": "MITRE", - "title": "Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)" - }, - "related": [], - "uuid": "957488f8-c2a8-54b0-a3cb-7b510640a2c4", - "value": "Justice GRU 2024" - }, { "description": "Office of Public Affairs. (2024, February 15). Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). Retrieved February 29, 2024.", "meta": { 
@@ -29708,19 +31548,19 @@ "value": "U.S. Justice Department GRU Botnet February 2024" }, { - "description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved May 27, 2022.", + "description": "Office of Public Affairs. (2024, February 15). Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). Retrieved March 28, 2024.", "meta": { - "date_accessed": "2022-05-27T00:00:00Z", - "date_published": "2020-06-13T00:00:00Z", + "date_accessed": "2024-03-28T00:00:00Z", + "date_published": "2024-02-15T00:00:00Z", "refs": [ - "https://o365blog.com/post/just-looking/" + "https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian" ], "source": "MITRE", - "title": "Just looking: Azure Active Directory reconnaissance as an outsider" + "title": "Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)" }, "related": [], - "uuid": "42dad2a3-5b33-4be4-a19b-58a27fb3ee5d", - "value": "Azure Active Directory Reconnaisance" + "uuid": "957488f8-c2a8-54b0-a3cb-7b510640a2c4", + "value": "Justice GRU 2024" }, { "description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved February 1, 2022.", 
@@ -29737,6 +31577,21 @@ "uuid": "16565eaf-44fb-44f4-b490-40dc1160ff2b", "value": "Azure AD Recon" }, + { + "description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved May 27, 2022.", + "meta": { + "date_accessed": "2022-05-27T00:00:00Z", + "date_published": "2020-06-13T00:00:00Z", + "refs": [ + "https://o365blog.com/post/just-looking/" + ], + "source": "MITRE", + "title": "Just looking: Azure Active Directory reconnaissance as an outsider" + }, + "related": [], + "uuid": "42dad2a3-5b33-4be4-a19b-58a27fb3ee5d", + "value": "Azure Active Directory Reconnaisance" + }, { "description": "Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware turning to Golang. Retrieved December 17, 2020.", "meta": { @@ -29767,6 +31622,21 @@ "uuid": "459fcde2-7ac3-4640-a5bc-cd8750e54962", "value": "Kali Redsnarf" }, + { + "description": "Hull, D. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.", + "meta": { + "date_accessed": "2019-10-10T00:00:00Z", + "date_published": "2014-05-03T00:00:00Z", + "refs": [ + "https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html" + ], + "source": "MITRE", + "title": "Kansa: Service related collectors and analysis" + }, + "related": [], + "uuid": "58d5bc0b-8548-4c3a-8302-e07df3b961ff", + "value": "TrustedSignal Service Failure" + }, { "description": "Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.", "meta": { 
@@ -29783,19 +31653,19 @@ "value": "Kansa Service related collectors" }, { - "description": "Hull, D. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.", + "description": "Cybersecurity Infrastructure and Defense Agency. (2022, June 2). Karakurt Data Extortion Group. Retrieved March 10, 2023.", "meta": { - "date_accessed": "2019-10-10T00:00:00Z", - "date_published": "2014-05-03T00:00:00Z", + "date_accessed": "2023-03-10T00:00:00Z", + "date_published": "2022-06-02T00:00:00Z", "refs": [ - "https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html" + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-152a" ], "source": "MITRE", - "title": "Kansa: Service related collectors and analysis" + "title": "Karakurt Data Extortion Group" }, "related": [], - "uuid": "58d5bc0b-8548-4c3a-8302-e07df3b961ff", - "value": "TrustedSignal Service Failure" + "uuid": "5a9a79fa-532b-582b-9741-cb732803cd22", + "value": "CISA Karakurt 2022" }, { "description": "Cybersecurity and Infrastructure Security Agency. (2023, December 12). Karakurt Data Extortion Group. Retrieved May 1, 2024.", 
@@ -29814,19 +31684,20 @@ "value": "U.S. CISA Karakurt December 12 2023" }, { - "description": "Cybersecurity Infrastructure and Defense Agency. (2022, June 2). Karakurt Data Extortion Group. Retrieved March 10, 2023.", + "description": "GReAT. (2023, October 24). Kaspersky crimeware report GoPIX, Lumar, and Rhysida.. Retrieved October 10, 2024.", "meta": { - "date_accessed": "2023-03-10T00:00:00Z", - "date_published": "2022-06-02T00:00:00Z", + "date_accessed": "2024-10-10T00:00:00Z", + "date_published": "2023-10-24T00:00:00Z", + "owner": "TidalCyberIan", "refs": [ - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-152a" + "https://securelist.com/crimeware-report-gopix-lumar-rhysida/110871/" ], - "source": "MITRE", - "title": "Karakurt Data Extortion Group" + "source": "Tidal Cyber", + "title": "Kaspersky crimeware report GoPIX, Lumar, and Rhysida." }, "related": [], - "uuid": "5a9a79fa-532b-582b-9741-cb732803cd22", - "value": "CISA Karakurt 2022" + "uuid": "0f9fca8c-4ab8-41e8-b034-3a1f41f5cb0d", + "value": "Kaspersky October 24 2023" }, { "description": "Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018.", 
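Review bot: The new Kaspersky entry's `title` ends with a period, `"Kaspersky crimeware report GoPIX, Lumar, and Rhysida."`, which then yields the double stop `Rhysida.. Retrieved` in the description; no other title in these hunks carries terminal punctuation, so the trailing period should be dropped from both fields: `"title": "Kaspersky crimeware report GoPIX, Lumar, and Rhysida"`. The key `"Kaspersky October 24 2023"` likewise omits the subject and would collide with any other Securelist post from that day.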
@@ -30243,21 +32114,6 @@
 "uuid": "502cc03b-350b-4e2d-9436-364c43a0a203",
 "value": "Flashpoint Glossary Killnet"
 },
- {
- "description": "Hossein Jazi. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved January 10, 2024.",
- "meta": {
- "date_accessed": "2024-01-10T00:00:00Z",
- "date_published": "2021-06-01T00:00:00Z",
- "refs": [
- "https://www.malwarebytes.com/blog/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor"
- ],
- "source": "MITRE",
- "title": "Kimsuky APT continues to target South Korean government using AppleSeed backdoor"
- },
- "related": [],
- "uuid": "8b0dd1d7-dc9c-50d3-a47e-20304591ac40",
- "value": "Kimsuky Malwarebytes"
- },
 {
 "description": "Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.",
 "meta": {
@@ -30273,6 +32129,21 @@
 "uuid": "9a497c56-f1d3-4889-8c1a-14b013f14668",
 "value": "Malwarebytes Kimsuky June 2021"
 },
+ {
+ "description": "Hossein Jazi. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved January 10, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-10T00:00:00Z",
+ "date_published": "2021-06-01T00:00:00Z",
+ "refs": [
+ "https://www.malwarebytes.com/blog/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor"
+ ],
+ "source": "MITRE",
+ "title": "Kimsuky APT continues to target South Korean government using AppleSeed backdoor"
+ },
+ "related": [],
+ "uuid": "8b0dd1d7-dc9c-50d3-a47e-20304591ac40",
+ "value": "Kimsuky Malwarebytes"
+ },
 {
 "description": "Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.",
 "meta": {
@@ -30333,6 +32204,22 @@
 "uuid": "b72dd3a1-62ca-4a05-96a8-c4bddb17db50",
 "value": "BRI Kimsuky April 2019"
 },
+ {
+ "description": "Tyler McLellan, Brandan Schondorfer. (2021, November 29). Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again. Retrieved October 3, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-03T00:00:00Z",
+ "date_published": "2021-11-29T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again"
+ },
+ "related": [],
+ "uuid": "ab3a20a5-2df1-4f8e-989d-baa96ffaca74",
+ "value": "Mandiant Sabbath Ransomware November 29 2021"
+ },
 {
 "description": "Microsoft. (2021, March 3). klist. Retrieved October 14, 2021.",
 "meta": {
@@ -30364,12 +32251,12 @@
 "value": "FireEye Know Your Enemy FIN8 Aug 2016"
 },
 {
- "description": "Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.",
+ "description": "Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.",
 "meta": {
- "date_accessed": "2018-06-18T00:00:00Z",
+ "date_accessed": "2024-09-27T00:00:00Z",
 "date_published": "2017-07-19T00:00:00Z",
 "refs": [
- "https://github.com/zerosum0x0/koadic"
+ "https://github.com/offsecginger/koadic"
 ],
 "source": "MITRE",
 "title": "Koadic"
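Review bot: The Koadic reference URL now points at a different GitHub account (`offsecginger/koadic` in place of `zerosum0x0/koadic`) while the uuid, value and publication date stay the same. For a citation of an offensive tool a change of repository owner deserves a sentence of provenance in the commit message: whether this is the original author's relocated repository or an unrelated fork carrying the same name, because readers may clone what the galaxy cites. If the change simply follows the upstream `MITRE` citation, saying so is enough; otherwise consider pointing at a web.archive.org snapshot of the original repository, as the updated kjaer.io and cyber.gov.au entries elsewhere in this diff already do.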
@@ -30583,6 +32470,36 @@
 "uuid": "8fcbd99a-1fb8-4ca3-9efd-a98734d4397d",
 "value": "Wits End and Shady PowerShell Profiles"
 },
+ {
+ "description": "Miguel Hernandez. (2023, August 17). LABRAT: Stealthy Cryptojacking and Proxyjacking Campaign Targeting GitLab . Retrieved September 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-25T00:00:00Z",
+ "date_published": "2023-08-17T00:00:00Z",
+ "refs": [
+ "https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/"
+ ],
+ "source": "MITRE",
+ "title": "LABRAT: Stealthy Cryptojacking and Proxyjacking Campaign Targeting GitLab"
+ },
+ "related": [],
+ "uuid": "aa0820ed-62ae-578a-adbe-e6597551f069",
+ "value": "Sysdig Cryptojacking Proxyjacking 2023"
+ },
+ {
+ "description": "Detecting AI resource-hijacking with Composite Alerts. (2024, June 6). Lacework Labs. Retrieved July 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-01T00:00:00Z",
+ "date_published": "2024-06-06T00:00:00Z",
+ "refs": [
+ "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"
+ ],
+ "source": "MITRE",
+ "title": "Lacework Labs"
+ },
+ "related": [],
+ "uuid": "920e7b38-6f0f-522c-9e73-9e81da1343f7",
+ "value": "Lacework AI Resource Hijacking 2024"
+ },
 {
 "description": "AWS. (n.d.). Lambda execution role. Retrieved February 28, 2024.",
 "meta": {
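Review bot: In the added `Lacework AI Resource Hijacking 2024` entry the author and title fields look transposed: `description` opens with the article title in the author slot (`Detecting AI resource-hijacking with Composite Alerts. (2024, June 6). Lacework Labs.`) and `title` holds the publisher name `Lacework Labs`. Every other entry in this hunk follows `Author. (date). Title. Retrieved …` with `title` carrying the article title, which is also what the cited URL slug shows. Suggested: `"description": "Lacework Labs. (2024, June 6). Detecting AI resource-hijacking with Composite Alerts. Retrieved July 1, 2024.",` and `"title": "Detecting AI resource-hijacking with Composite Alerts"`. If this record is imported verbatim from the upstream ATT&CK source, the fix belongs upstream and a note in the commit message is enough.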
@@ -30702,6 +32619,36 @@
 "uuid": "f9ca049c-5cab-4d80-a84b-1695365871e3",
 "value": "Jacobsen 2014"
 },
+ {
+ "description": "Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-13T00:00:00Z",
+ "date_published": "2024-06-17T00:00:00Z",
+ "refs": [
+ "https://www.bitsight.com/blog/latrodectus-are-you-coming-back"
+ ],
+ "source": "MITRE",
+ "title": "Latrodectus, are you coming back?"
+ },
+ "related": [],
+ "uuid": "9a942e75-3541-5b8d-acde-8f2a3447184a",
+ "value": "Bitsight Latrodectus June 2024"
+ },
+ {
+ "description": "Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-31T00:00:00Z",
+ "date_published": "2024-04-04T00:00:00Z",
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice"
+ ],
+ "source": "MITRE",
+ "title": "Latrodectus: This Spider Bytes Like Ice"
+ },
+ "related": [],
+ "uuid": "23f46e51-cfb9-516f-88a6-824893293deb",
+ "value": "Latrodectus APR 2024"
+ },
 {
 "description": "SS64. (n.d.). launchctl. Retrieved March 28, 2020.",
 "meta": {
@@ -30878,8 +32825,8 @@
 "title": "Lazarus KillDisks Central American casino"
 },
 "related": [],
- "uuid": "6f931476-29e6-4bba-ba1b-37ab742f4b49",
- "value": "Lazarus KillDisk"
+ "uuid": "454704b7-9ede-4d30-acfd-2cf16a89bcb3",
+ "value": "ESET Lazarus KillDisk April 2018"
 },
 {
 "description": "Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.",
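Review bot: The second hunk on this line rewrites only the `uuid` and `value` of an existing Lazarus KillDisk record, and the next hunk does the inverse on its twin, so each uuid ends up attached to the other record's `description` and `meta` rather than the record moving as a whole. In a MISP galaxy the uuid is what other clusters reference, so `454704b7-9ede-4d30-acfd-2cf16a89bcb3` now resolves to a record whose citation metadata (at least the `Retrieved` date, judging by the description line at the end of this hunk versus the one in the next) differs from before. Elsewhere in this diff a reorder is expressed by removing and re-adding the whole object (the Kimsuky Malwarebytes entry, for example), which keeps every uuid's fields intact; doing the same here would be safer, or at least confirm the two records are otherwise identical. The `meta` block of the first entry starts outside the hunk.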
@@ -30893,8 +32840,8 @@
 "title": "Lazarus KillDisks Central American casino"
 },
 "related": [],
- "uuid": "454704b7-9ede-4d30-acfd-2cf16a89bcb3",
- "value": "ESET Lazarus KillDisk April 2018"
+ "uuid": "6f931476-29e6-4bba-ba1b-37ab742f4b49",
+ "value": "Lazarus KillDisk"
 },
 {
 "description": "Dinesh Devadoss, Phil Stokes. (2022, September 26). Lazarus \"Operation In(ter)ception\" Targets macOS Users Dreaming of Jobs in Crypto. Retrieved March 8, 2024.",
@@ -31064,6 +33011,21 @@
 "uuid": "44e48c77-59dd-4851-8455-893513b7cf45",
 "value": "Proofpoint TA505 Mar 2018"
 },
+ {
+ "description": "Margaret Kelley, Sean Johnstone, William Gamazo, and Nathaniel Quist. (2024, August 15). Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments. Retrieved September 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-25T00:00:00Z",
+ "date_published": "2024-08-15T00:00:00Z",
+ "refs": [
+ "https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/"
+ ],
+ "source": "MITRE",
+ "title": "Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments"
+ },
+ "related": [],
+ "uuid": "ad8c7a1b-e31b-5b76-bf3e-bc45e87b2887",
+ "value": "Unit 42 Leaked Environment Variables 2024"
+ },
 {
 "description": "Microsoft. (2024, January 9). Learn about data loss prevention. Retrieved March 4, 2024.",
 "meta": {
@@ -31155,12 +33117,12 @@
 "value": "LemonDuck"
 },
 {
- "description": "Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017.",
+ "description": "Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2017-12-12T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2017-12-08T00:00:00Z",
 "refs": [
- "https://twitter.com/leoloobeek/status/939248813465853953"
+ "https://x.com/leoloobeek/status/939248813465853953"
 ],
 "source": "MITRE",
 "title": "leoloobeek Status"
@@ -31184,6 +33146,21 @@
 "uuid": "b8de9dd2-3c57-5417-a24f-0260dff6afc6",
 "value": "TLDRSec AWS Attacks"
 },
+ {
+ "description": "Nick Powers. (2023, June 7). Less SmartScreen More Caffeine: (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-09T00:00:00Z",
+ "date_published": "2023-06-07T00:00:00Z",
+ "refs": [
+ "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5"
+ ],
+ "source": "MITRE",
+ "title": "Less SmartScreen More Caffeine: (Ab)Using ClickOnce for Trusted Code Execution"
+ },
+ "related": [],
+ "uuid": "2244bfaa-2a1c-53db-854b-dc5f06d725ec",
+ "value": "SpectorOps Medium ClickOnce"
+ },
 {
 "description": "Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved October 15, 2020.",
 "meta": {
@@ -31244,6 +33221,21 @@
 "uuid": "6edb3d7d-6b74-4dc4-a866-b81b19810f97",
 "value": "Cyberreason DCOM DDE Lateral Movement Nov 2017"
 },
+ {
+ "description": "Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for persistence. Retrieved September 26, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-26T00:00:00Z",
+ "date_published": "2024-02-21T00:00:00Z",
+ "refs": [
+ "https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/"
+ ],
+ "source": "MITRE",
+ "title": "Leveraging Linux udev for persistence"
+ },
+ "related": [],
+ "uuid": "464bb564-c500-55ba-a060-190d95943805",
+ "value": "Ignacio Udev research 2024"
+ },
 {
 "description": "Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.",
 "meta": {
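Review bot: The added `value` `SpectorOps Medium ClickOnce` misspells the vendor name that the cited `posts.specterops.io` URL itself carries. `value` is the human-facing key of a galaxy entry and is what technique and actor clusters cite, so it is cheapest to correct before anything references it: `"value": "SpecterOps Medium ClickOnce"`. If this mirrors the upstream ATT&CK source name verbatim, keep the upstream spelling so lookups stay aligned and note the mismatch in the commit message instead.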
@@ -31409,6 +33401,21 @@
 "uuid": "148fe0e1-8487-4d49-8966-f14e144372f5",
 "value": "Avast Linux Trojan Cron Persistence"
 },
+ {
+ "description": "Ruben Groenewoud. (2024, August 29). Linux Detection Engineering - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-16T00:00:00Z",
+ "date_published": "2024-08-29T00:00:00Z",
+ "refs": [
+ "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"
+ ],
+ "source": "MITRE",
+ "title": "Linux Detection Engineering - A Sequel on Persistence Mechanisms"
+ },
+ "related": [],
+ "uuid": "cbed8c8c-9aec-5692-89cc-6dbb53b86f00",
+ "value": "Elastic Linux Persistence 2024"
+ },
 {
 "description": "Colgan, T. (2015, August 15). Linux-Inject. Retrieved February 21, 2020.",
 "meta": {
@@ -31483,21 +33490,6 @@
 "uuid": "a73a2819-61bd-5bd2-862d-5eeed344909f",
 "value": "Polop Linux PrivEsc Gitbook"
 },
- {
- "description": "Michael Kerrisk. (2017, September 15). Linux Programmer's Manual. Retrieved September 21, 2018.",
- "meta": {
- "date_accessed": "2018-09-21T00:00:00Z",
- "date_published": "2017-09-15T00:00:00Z",
- "refs": [
- "http://man7.org/linux/man-pages/man2/setuid.2.html"
- ],
- "source": "MITRE",
- "title": "Linux Programmer's Manual"
- },
- "related": [],
- "uuid": "c07e9d6c-18f2-4246-a265-9bec7d833bba",
- "value": "setuid man page"
- },
 {
 "description": "Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020.",
 "meta": {
@@ -31513,6 +33505,21 @@
 "uuid": "a8a16cf6-0482-4e98-a39a-496491f985df",
 "value": "Man LD.SO"
 },
+ {
+ "description": "Michael Kerrisk. (2017, September 15). Linux Programmer's Manual. Retrieved September 21, 2018.",
+ "meta": {
+ "date_accessed": "2018-09-21T00:00:00Z",
+ "date_published": "2017-09-15T00:00:00Z",
+ "refs": [
+ "http://man7.org/linux/man-pages/man2/setuid.2.html"
+ ],
+ "source": "MITRE",
+ "title": "Linux Programmer's Manual"
+ },
+ "related": [],
+ "uuid": "c07e9d6c-18f2-4246-a265-9bec7d833bba",
+ "value": "setuid man page"
+ },
 {
 "description": "Lawrence Abrams. (2023, December 3). Linux version of Qilin ransomware focuses on VMware ESXi. Retrieved January 10, 2024.",
 "meta": {
@@ -31601,6 +33608,21 @@
 "uuid": "d1080030-12c7-4223-92ab-fb764acf111d",
 "value": "Wikipedia OSI"
 },
+ {
+ "description": "Hexacorn. (2019, April 25). Listplanting – yet another code injection trick. Retrieved August 14, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-14T00:00:00Z",
+ "date_published": "2019-04-25T00:00:00Z",
+ "refs": [
+ "https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/"
+ ],
+ "source": "MITRE",
+ "title": "Listplanting – yet another code injection trick"
+ },
+ "related": [],
+ "uuid": "fc035d68-8d20-5c1f-8b59-db2fa8d88b7b",
+ "value": "Hexacorn Listplanting"
+ },
 {
 "description": "Amazon. (n.d.). List Roles. Retrieved August 11, 2020.",
 "meta": {
@@ -32092,6 +34114,21 @@
 "uuid": "c7af164d-549d-44de-b491-542ef2eb4334",
 "value": "Lolbin Ssh.exe Use As Proxy"
 },
+ {
+ "description": "Carvey, H. (2024, May 1). LOLBin to INC Ransomware. Retrieved June 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-05T00:00:00Z",
+ "date_published": "2024-05-01T00:00:00Z",
+ "refs": [
+ "https://www.huntress.com/blog/lolbin-to-inc-ransomware"
+ ],
+ "source": "MITRE",
+ "title": "LOLBin to INC Ransomware"
+ },
+ "related": [],
+ "uuid": "3ebccffe-d56d-594a-9548-740cf88a453b",
+ "value": "Huntress INC Ransomware May 2024"
+ },
 {
 "description": "Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.",
 "meta": {
@@ -32136,6 +34173,21 @@
 "uuid": "77887f82-7815-4a91-8c8a-f77dc8a9ba53",
 "value": "Proofpoint LookBack Malware Aug 2019"
 },
+ {
+ "description": "Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-19T00:00:00Z",
+ "date_published": "2012-07-24T00:00:00Z",
+ "refs": [
+ "https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/"
+ ],
+ "source": "MITRE",
+ "title": "Looking at Mutex Objects for Malware Discovery & Indicators of Compromise"
+ },
+ "related": [],
+ "uuid": "bfdddac2-7732-5e39-a79e-d0629f20fb60",
+ "value": "Sans Mutexes 2012"
+ },
 {
 "description": "Fidelis Cybersecurity. (2015, August 4). Looking at the Sky for a DarkComet. Retrieved April 5, 2016.",
 "meta": {
@@ -32242,6 +34294,20 @@
 "uuid": "c2f88274-9da4-5d24-b68d-302ee5990dd5",
 "value": "lsmod man"
 },
+ {
+ "description": "Lua. (n.d.). lua_State. Retrieved August 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-05T00:00:00Z",
+ "refs": [
+ "https://pgl.yoyo.org/luai/i/lua_State"
+ ],
+ "source": "MITRE",
+ "title": "lua_State"
+ },
+ "related": [],
+ "uuid": "603c033d-a3b3-5132-8574-7476a8f40815",
+ "value": "Lua state"
+ },
 {
 "description": "Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.",
 "meta": {
@@ -32406,21 +34472,6 @@
 "uuid": "b3d13a82-c24e-4b47-b47a-7221ad449859",
 "value": "Kaspersky Lyceum October 2021"
 },
- {
- "description": "SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 11, 2019",
- "meta": {
- "date_accessed": "2019-11-11T00:00:00Z",
- "date_published": "2019-08-27T00:00:00Z",
- "refs": [
- "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign"
- ],
- "source": "MITRE",
- "title": "LYCEUM Takes Center Stage in Middle East Campaign"
- },
- "related": [],
- "uuid": "573edbb6-687b-4bc2-bc4a-764a548633b5",
- "value": "SecureWorks August 2019"
- },
 {
 "description": "Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.",
 "meta": {
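Review bot: The second hunk on this line deletes the `SecureWorks August 2019` reference (uuid `573edbb6-687b-4bc2-bc4a-764a548633b5`) and, unlike the other removals in this diff (Kimsuky Malwarebytes, setuid man page, ThiefQuest), no hunk in view re-adds it. If any group or technique cluster still cites that uuid the link now dangles, so please confirm it is re-added elsewhere in the commit or that nothing references it. If the drop is intentional, the commit message should say why the SecureWorks Lyceum write-up is removed while the Kaspersky Lyceum entry directly above it stays.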
@@ -32525,6 +34576,21 @@
 "uuid": "4d631c9a-4fd5-43a4-8b78-4219bd371e87",
 "value": "MacKeeper Bundlore Apr 2019"
 },
+ {
+ "description": "Stokes, P. (2024, May 9). macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge. Retrieved August 20, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-20T00:00:00Z",
+ "date_published": "2024-05-09T00:00:00Z",
+ "refs": [
+ "https://www.sentinelone.com/blog/macos-cuckoo-stealer-ensuring-detection-and-defense-as-new-samples-rapidly-emerge/"
+ ],
+ "source": "MITRE",
+ "title": "macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge"
+ },
+ "related": [],
+ "uuid": "b5e0add8-bda6-5cae-85c7-58f7cab1579c",
+ "value": "SentinelOne Cuckoo Stealer May 2024"
+ },
 {
 "description": "Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. Retrieved March 29, 2021.",
 "meta": {
@@ -32705,21 +34771,6 @@
 "uuid": "80bb8646-1eb0-442a-aa51-ee3efaf75915",
 "value": "alientvault macspy"
 },
- {
- "description": "Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021.",
- "meta": {
- "date_accessed": "2021-03-22T00:00:00Z",
- "date_published": "2020-07-07T00:00:00Z",
- "refs": [
- "https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/"
- ],
- "source": "MITRE",
- "title": "Mac ThiefQuest malware may not be ransomware after all"
- },
- "related": [],
- "uuid": "47b49df4-34f1-4a89-9983-e8bc19aadf8c",
- "value": "reed thiefquest ransomware analysis"
- },
 {
 "description": "Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 18, 2021.",
 "meta": {
@@ -32735,6 +34786,21 @@
 "uuid": "b265ef93-c1fb-440d-a9e0-89cf25a3de05",
 "value": "Reed thiefquest fake ransom"
 },
+ {
+ "description": "Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021.",
+ "meta": {
+ "date_accessed": "2021-03-22T00:00:00Z",
+ "date_published": "2020-07-07T00:00:00Z",
+ "refs": [
+ "https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/"
+ ],
+ "source": "MITRE",
+ "title": "Mac ThiefQuest malware may not be ransomware after all"
+ },
+ "related": [],
+ "uuid": "47b49df4-34f1-4a89-9983-e8bc19aadf8c",
+ "value": "reed thiefquest ransomware analysis"
+ },
 {
 "description": "Jerome Segura. (2023, September 6). Mac users targeted in new malvertising campaign delivering Atomic Stealer. Retrieved April 19, 2024.",
 "meta": {
@@ -32917,12 +34983,12 @@
 "value": "enigma0x3 normal.dotm"
 },
 {
- "description": "Sutherland, S. (2016, March 7). Maintaining Persistence via SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019.",
+ "description": "Sutherland, S. (2016, March 7). Maintaining Persistence via SQL Server – Part 1: Startup Stored Procedures. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2019-07-08T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2016-03-07T00:00:00Z",
 "refs": [
- "https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/"
+ "https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/"
 ],
 "source": "MITRE",
 "title": "Maintaining Persistence via SQL Server – Part 1: Startup Stored Procedures"
@@ -33128,6 +35194,21 @@
 "uuid": "6d0da707-2328-4b43-a112-570c1fd5dec1",
 "value": "Webroot PHP 2011"
 },
+ {
+ "description": "US-CERT. (2018, February 6). Malware Analysis Report 10135536-G. Retrieved August 15, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-15T00:00:00Z",
+ "date_published": "2018-02-06T00:00:00Z",
+ "refs": [
+ "https://web.archive.org/web/20200324152106/https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF"
+ ],
+ "source": "MITRE",
+ "title": "Malware Analysis Report 10135536-G"
+ },
+ "related": [],
+ "uuid": "a1a4f554-8320-53ec-abe0-ae9675b2f1d4",
+ "value": "Malware Analysis Report 10135536-G"
+ },
 {
 "description": "CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.",
 "meta": {
@@ -33234,6 +35315,21 @@
 "uuid": "af2a708d-f96f-49e7-9351-1ea703e614a0",
 "value": "US-CERT Bankshot Dec 2017"
 },
+ {
+ "description": "US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved August 15, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-15T00:00:00Z",
+ "date_published": "2017-12-13T00:00:00Z",
+ "refs": [
+ "https://web.archive.org/web/20220529212912/https://www.cisa.gov/uscert/sites/default/files/publications/MAR-10135536-B_WHITE.PDF"
+ ],
+ "source": "MITRE",
+ "title": "Malware Analysis Report (MAR) - 10135536-B"
+ },
+ "related": [],
+ "uuid": "869fbc47-55f8-5bab-bc62-e507b6be5a16",
+ "value": "MAR10135536-B"
+ },
 {
 "description": "US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.",
 "meta": {
@@ -33249,6 +35345,21 @@
 "uuid": "a3a5c26c-0d57-4ffc-ae28-3fe828e08fcb",
 "value": "US-CERT Volgmer 2 Nov 2017"
 },
+ {
+ "description": "US-CERT. (2018, February 5). Malware Analysis Report (MAR) - 10135536-F. Retrieved August 15, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-15T00:00:00Z",
+ "date_published": "2018-02-05T00:00:00Z",
+ "refs": [
+ "https://web.archive.org/web/20210709132313/https://us-cert.cisa.gov/sites/default/files/publications/MAR-10135536-F.pdf"
+ ],
+ "source": "MITRE",
+ "title": "Malware Analysis Report (MAR) - 10135536-F"
+ },
+ "related": [],
+ "uuid": "f8089086-bbd5-5b39-95f7-6f09bc30eabf",
+ "value": "MAR10135536-F"
+ },
 {
 "description": "US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.",
 "meta": {
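Review bot: The added `MAR10135536-F` record describes the same US-CERT report as the existing entry immediately below it (same author, publication date and title, differing only in the `Retrieved` date and, presumably, an archived URL), so the file now carries two uuids for one document and citations will split between them. The same pattern shows in the previous hunk, where `MAR10135536-B` is added next to `US-CERT Bankshot Dec 2017`. If the new uuids come from upstream ATT&CK and must be kept for cross-referencing, consider pointing the older record's `refs` at the same web.archive.org snapshot so both resolve; otherwise one record per report would be cleaner, and the `value` naming (`MAR10135536-F` versus the `US-CERT … Nov 2017` style used by the neighbours) could follow the existing convention.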
@@ -33324,6 +35435,36 @@
 "uuid": "47a5d32d-e6a5-46c2-898a-e45dc42371be",
 "value": "VMRay OSAMiner dynamic analysis 2021"
 },
+ {
+ "description": "Elkins, T. (2024, July 24). Malware Campaign Lures Users With Fake W2 Form. Retrieved September 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-13T00:00:00Z",
+ "date_published": "2024-07-24T00:00:00Z",
+ "refs": [
+ "https://www.rapid7.com/blog/post/2024/07/24/malware-campaign-lures-users-with-fake-w2-form/"
+ ],
+ "source": "MITRE",
+ "title": "Malware Campaign Lures Users With Fake W2 Form"
+ },
+ "related": [],
+ "uuid": "10b5e150-26fa-5024-bd89-87f432b8d5f0",
+ "value": "Rapid7 Fake W2 July 2024"
+ },
+ {
+ "description": "Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-20T00:00:00Z",
+ "date_published": "2024-04-30T00:00:00Z",
+ "refs": [
+ "https://www.kandji.io/blog/malware-cuckoo-infostealer-spyware"
+ ],
+ "source": "MITRE",
+ "title": "Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware"
+ },
+ "related": [],
+ "uuid": "90c4e23a-e6e7-511d-911c-1f8b64253aff",
+ "value": "Kandji Cuckoo April 2024"
+ },
 {
 "description": "Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux AUR Package Repository. Retrieved April 23, 2019.",
 "meta": {
@@ -33355,12 +35496,12 @@
 "value": "Alperovitch Malware"
 },
 {
- "description": "Kjaer, M. (2016, July 18). Malware in the browser: how you might get hacked by a Chrome extension. Retrieved November 22, 2017.",
+ "description": "Kjaer, M. (2016, July 18). Malware in the browser: how you might get hacked by a Chrome extension. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2017-11-22T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2016-07-18T00:00:00Z",
 "refs": [
- "https://kjaer.io/extension-malware/"
+ "https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/"
 ],
 "source": "MITRE",
 "title": "Malware in the browser: how you might get hacked by a Chrome extension"
@@ -33444,21 +35585,6 @@
 "uuid": "9b52a72b-938a-5eb6-a3b7-5a925657f0a3",
 "value": "Malware Monday VBE"
 },
- {
- "description": "Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.",
- "meta": {
- "date_accessed": "2017-07-10T00:00:00Z",
- "date_published": "2015-01-01T00:00:00Z",
- "refs": [
- "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
- ],
- "source": "MITRE",
- "title": "Malware Persistence on OS X Yosemite"
- },
- "related": [],
- "uuid": "d4e3b066-c439-4284-ba28-3b8bd8ec270e",
- "value": "Malware Persistence on OS X"
- },
 {
 "description": "Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. Retrieved April 6, 2018.",
 "meta": {
@@ -33474,6 +35600,21 @@
 "uuid": "7e3f3dda-c407-4b06-a6b0-8b72c4dad6e6",
 "value": "RSAC 2015 San Francisco Patrick Wardle"
 },
+ {
+ "description": "Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.",
+ "meta": {
+ "date_accessed": "2017-07-10T00:00:00Z",
+ "date_published": "2015-01-01T00:00:00Z",
+ "refs": [
+ "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
+ ],
+ "source": "MITRE",
+ "title": "Malware Persistence on OS X Yosemite"
+ },
+ "related": [],
+ "uuid": "d4e3b066-c439-4284-ba28-3b8bd8ec270e",
+ "value": "Malware Persistence on OS X"
+ },
 {
 "description": "Harbour, N. (2010, July 15). Malware Persistence without the Windows Registry. Retrieved November 17, 2020.",
 "meta": {
@@ -33624,6 +35765,21 @@
 "uuid": "facf686b-a5a9-4c85-bb46-f56a434d3d78",
 "value": "Unit 42 Rocke January 2019"
 },
+ {
+ "description": "Microsoft Azure. (2024, March 21). Manage Azure subscription policies. Retrieved September 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-25T00:00:00Z",
+ "date_published": "2024-03-21T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy"
+ ],
+ "source": "MITRE",
+ "title": "Manage Azure subscription policies"
+ },
+ "related": [],
+ "uuid": "e20ff2ea-df45-545a-bc99-32e35027472e",
+ "value": "Azure Subscription Policies"
+ },
 {
 "description": "LOLBAS. (2018, May 25). Manage-bde.wsf. Retrieved December 4, 2023.",
 "meta": {
@@ -33801,6 +35957,20 @@
 "uuid": "6fbbb53f-cd4b-4ce1-942d-5cadb907cf86",
 "value": "Outlook File Sizes"
 },
+ {
+ "description": "AWS. (n.d.). Managing the lifecycle of objects. Retrieved September 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-25T00:00:00Z",
+ "refs": [
+ "https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html"
+ ],
+ "source": "MITRE",
+ "title": "Managing the lifecycle of objects"
+ },
+ "related": [],
+ "uuid": "2eec4264-6139-5b81-8190-2ea438594412",
+ "value": "AWS Storage Lifecycles"
+ },
 {
 "description": "Microsoft. (n.d.). Managing WebDAV Security (IIS 6.0). Retrieved December 21, 2017.",
 "meta": {
@@ -33990,6 +36160,21 @@
 "uuid": "3bf24c68-fc98-4143-9dff-f54030c902fe",
 "value": "InsiderThreat ChangeNTLM July 2017"
 },
+ {
+ "description": "Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-04T00:00:00Z",
+ "date_published": "2022-08-02T00:00:00Z",
+ "refs": [
+ "https://blog.talosintelligence.com/manjusaka-offensive-framework/"
+ ],
+ "source": "MITRE",
+ "title": "Manjusaka: A Chinese sibling of Sliver and Cobalt Strike"
+ },
+ "related": [],
+ "uuid": "5dd749c8-deff-5813-a7d4-80760bb5e999",
+ "value": "Talos Manjusaka 2022"
+ },
 {
 "description": "Starikova, A. (2023, February 14). Man-on-the-side – peculiar attack. Retrieved September 1, 2023.",
 "meta": {
@@ -34514,6 +36699,22 @@
 "uuid": "21fe1d9e-17f1-49e2-b05f-78e9160f5414",
 "value": "Bleeping Computer Medusa Ransomware March 12 2023"
 },
+ {
+ "description": "RussianPanda. (2023, June 28). Meduza Stealer or The Return of The Infamous Aurora Stealer. Retrieved October 14, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-14T00:00:00Z",
+ "date_published": "2023-06-28T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://russianpanda.com/Meduza-Stealer-or-The-Return-of-The-Infamous-Aurora-Stealer"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Meduza Stealer or The Return of The Infamous Aurora Stealer"
+ },
+ "related": [],
+ "uuid": "f7d3cc96-4c0f-4a87-8a79-abd3f0f84533",
+ "value": "Meduza Stealer RussianPanda June 28 2023"
+ },
 {
 "description": "Lyngaas, S. (2021, February 4). Meet Babuk, a ransomware attacker blamed for the Serco breach. Retrieved August 11, 2021.",
 "meta": {
@@ -34789,7 +36990,7 @@
 "date_accessed": "2018-11-13T00:00:00Z",
 "date_published": "2018-07-25T00:00:00Z",
 "refs": [
- "https://blog.radware.com/security/2018/07/micropsia-malware/"
+ "https://www.radware.com/blog/security/2018/07/micropsia-malware/"
 ],
 "source": "MITRE",
 "title": "Micropsia Malware"
@@ -35052,6 +37253,21 @@
 "uuid": "66cade99-0040-464c-98a6-bba57719f0a4",
 "value": "Microsoft Internal Solorigate Investigation Blog"
 },
+ {
+ "description": "MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-06T00:00:00Z",
+ "date_published": "2022-09-08T00:00:00Z",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/"
+ ],
+ "source": "MITRE",
+ "title": "Microsoft investigates Iranian attacks against the Albanian government"
+ },
+ "related": [],
+ "uuid": "d00399e9-a6c6-5691-92cd-0185b03b689e",
+ "value": "Microsoft Albanian Government Attacks September 2022"
+ },
 {
 "description": "Microsoft TechNet. (n.d.). Retrieved April 25, 2017.",
 "meta": {
@@ -35156,21 +37372,6 @@
 "uuid": "86955cd2-5980-44ba-aa7b-4b9f8e347730",
 "value": "Microsoft WDAC"
 },
- {
- "description": "Microsoft. (2020, October 15). Microsoft recommended driver block rules. Retrieved March 16, 2021.",
- "meta": {
- "date_accessed": "2021-03-16T00:00:00Z",
- "date_published": "2020-10-15T00:00:00Z",
- "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"
- ],
- "source": "MITRE",
- "title": "Microsoft recommended driver block rules"
- },
- "related": [],
- "uuid": "2ad8414a-4490-4896-8266-556b8bdbb77f",
- "value": "Microsoft Driver Block Rules"
- },
 {
 "description": "Jordan Geurten et al. . (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022.",
 "meta": {
@@ -35186,6 +37387,21 @@
 "uuid": "9bb5c330-56bd-47e7-8414-729d8e6cb3b3",
 "value": "Microsoft driver block rules - Duplicate"
 },
+ {
+ "description": "Microsoft. (2020, October 15). Microsoft recommended driver block rules. Retrieved March 16, 2021.",
+ "meta": {
+ "date_accessed": "2021-03-16T00:00:00Z",
+ "date_published": "2020-10-15T00:00:00Z",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"
+ ],
+ "source": "MITRE",
+ "title": "Microsoft recommended driver block rules"
+ },
+ "related": [],
+ "uuid": "2ad8414a-4490-4896-8266-556b8bdbb77f",
+ "value": "Microsoft Driver Block Rules"
+ },
 {
 "description": "Microsoft. (n.d.). Retrieved January 24, 2020.",
 "meta": {
@@ -35613,21 +37829,6 @@
 "uuid": "07ff57eb-1e23-433b-8da7-80f1caf7543e",
 "value": "ADSecurity AD Kerberos Attacks"
 },
- {
- "description": "Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved August 7, 2017.",
- "meta": {
- "date_accessed": "2017-08-07T00:00:00Z",
- "date_published": "2015-09-22T00:00:00Z",
- "refs": [
- "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/"
- ],
- "source": "MITRE",
- "title": "Mimikatz and DCSync and ExtraSids, Oh My"
- },
- "related": [],
- "uuid": "2afa76c1-caa1-4f16-9289-7abc7eb3a102",
- "value": "Harmj0y Mimikatz and DCSync"
- },
 {
 "description": "Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017.",
 "meta": {
@@ -35643,6 +37844,21 @@
 "uuid": "2a01a70c-28a8-444e-95a7-00a568d51ce6",
 "value": "Harmj0y DCSync Sept 2015"
 },
+ {
+ "description": "Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved September 23, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-23T00:00:00Z",
+ "date_published": "2015-09-22T00:00:00Z",
+ "refs": [
+ "https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/"
+ ],
+ "source": "MITRE",
+ "title": "Mimikatz and DCSync and ExtraSids, Oh My"
+ },
+ "related": [],
+ "uuid": "2afa76c1-caa1-4f16-9289-7abc7eb3a102",
+ "value": "Harmj0y Mimikatz and DCSync"
+ },
 {
 "description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved August 7, 2017.",
 "meta": {
@@ -35778,6 +37994,21 @@
 "uuid": "e8e60112-a08d-5316-b80f-f601e7e5c973",
 "value": "NCSC-NL COATHANGER Feb 2024"
 },
+ {
+ "description": "Lawrence Abrams. (2021, July 10). Mint Mobile hit by a data breach after numbers ported, data accessed. Retrieved July 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-01T00:00:00Z",
+ "date_published": "2021-07-10T00:00:00Z",
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/"
+ ],
+ "source": "MITRE",
+ "title": "Mint Mobile hit by a data breach after numbers ported, data accessed"
+ },
+ "related": [],
+ "uuid": "a5432624-c394-56e6-b463-5b1a1aea542b",
+ "value": "Bleeping Computer Mint Mobile Hack 2021"
+ },
 {
 "description": "Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.",
 "meta": {
@@ -35859,7 +38090,7 @@
 "date_accessed": "2020-10-19T00:00:00Z",
 "date_published": "2012-12-01T00:00:00Z",
 "refs": [
- "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf"
+ "https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf"
 ],
 "source": "MITRE",
 "title": "Mitigating Spoofed Emails Using Sender Policy Framework"
@@ -35972,6 +38203,21 @@
 "uuid": "3ca314d4-3fcf-4545-8ae9-4d8781d51295",
 "value": "ELF Injection May 2009"
 },
+ {
+ "description": "Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September 17, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-17T00:00:00Z",
+ "date_published": "2019-10-28T00:00:00Z",
+ "refs": [
+ "https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee"
+ ],
+ "source": "MITRE",
+ "title": "Modern Wireless Tradecraft Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks"
+ },
+ "related": [],
+ "uuid": "7e16241a-d906-5eb0-961d-00724f44d903",
+ "value": "specter ops evil twin"
+ },
 {
 "description": "Elastic Security 7.17. (2022, February 1). Modification of Environment Variable via Launchctl. Retrieved September 28, 2023.",
 "meta": {
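Review bot: The new `value` label `"specter ops evil twin"` in the second hunk does not follow the label style of the surrounding entries, which are capitalised vendor/topic/year keys such as `"ELF Injection May 2009"`; since `value` is the human-facing lookup key of this cluster, a constructed label like `"SpecterOps Evil Twin 2019"` would match its neighbours. The same style point applies to `"Reliaquest-execution"` in hunk `@@ -37951,19 +40332,19 @@` and `"Checkmarx-oss-seo"` in hunk `@@ -38791,6 +41232,21 @@`, which use hyphenated slugs. These labels presumably come from the upstream citation keys, so the rename may need to happen in the import step rather than by hand here.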
@@ -36194,6 +38440,21 @@
 "uuid": "72798df8-0e12-46f5-acb0-2fe99bd8dbff",
 "value": "Windows Event Forwarding Payne"
 },
+ {
+ "description": "Google Workspace. (2024, March 5). Monitor & restrict data access. Retrieved July 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-01T00:00:00Z",
+ "date_published": "2024-03-05T00:00:00Z",
+ "refs": [
+ "https://developers.google.com/apps-script/guides/admin/monitor-restrict-oauth-scopes"
+ ],
+ "source": "MITRE",
+ "title": "Monitor & restrict data access"
+ },
+ "related": [],
+ "uuid": "9009a8cc-3282-5eac-90f1-525a85d99c0e",
+ "value": "Google Workspace Apps Script Restrict OAuth Scopes"
+ },
 {
 "description": "Google Cloud. (2022, March 31). Monitor usage patterns for service accounts and keys . Retrieved April 1, 2022.",
 "meta": {
@@ -36256,6 +38517,21 @@
 "uuid": "faf315ed-71f7-4e29-8334-701da35a69ad",
 "value": "Microsoft Security Blog 5 28 2024"
 },
+ {
+ "description": "Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-26T00:00:00Z",
+ "date_published": "2024-05-28T00:00:00Z",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/"
+ ],
+ "source": "MITRE",
+ "title": "Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks"
+ },
+ "related": [],
+ "uuid": "b9ee14c9-75fe-552e-81b5-a1fd5aa916d7",
+ "value": "Microsoft Moonstone Sleet 2024"
+ },
 {
 "description": "Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.",
 "meta": {
@@ -36286,21 +38562,6 @@
 "uuid": "6851b3f9-0239-40fc-ba44-34a775e9bd4e",
 "value": "ESET EvilNum July 2020"
 },
- {
- "description": "Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.",
- "meta": {
- "date_accessed": "2014-12-05T00:00:00Z",
- "date_published": "2010-08-12T00:00:00Z",
- "refs": [
- "http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx"
- ],
- "source": "MITRE",
- "title": "More information about the DLL Preloading remote attack vector"
- },
- "related": [],
- "uuid": "46aa7075-9f0a-461e-8519-5c4860208678",
- "value": "Microsoft DLL Preloading"
- },
 {
 "description": "Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.",
 "meta": {
@@ -36316,6 +38577,21 @@
 "uuid": "80289c7b-53c1-4aec-9436-04a43a82f769",
 "value": "Microsoft More information about DLL"
 },
+ {
+ "description": "Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.",
+ "meta": {
+ "date_accessed": "2014-12-05T00:00:00Z",
+ "date_published": "2010-08-12T00:00:00Z",
+ "refs": [
+ "http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx"
+ ],
+ "source": "MITRE",
+ "title": "More information about the DLL Preloading remote attack vector"
+ },
+ "related": [],
+ "uuid": "46aa7075-9f0a-461e-8519-5c4860208678",
+ "value": "Microsoft DLL Preloading"
+ },
 {
 "description": "valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.",
 "meta": {
@@ -36405,6 +38681,21 @@
 "uuid": "e9c47d8e-f732-45c9-bceb-26c5d564e781",
 "value": "CrowdStrike Deep Panda Web Shells"
 },
+ {
+ "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.",
+ "meta": {
+ "date_accessed": "2023-09-25T00:00:00Z",
+ "date_published": "2023-08-10T00:00:00Z",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/"
+ ],
+ "source": "MITRE",
+ "title": "MoustachedBouncer: Espionage against foreign diplomats in Belarus"
+ },
+ "related": [],
+ "uuid": "9070f14b-5d5e-5f6d-bcac-628478e01242",
+ "value": "MoustachedBouncer ESET August 2023"
+ },
 {
 "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 1, 2023.",
 "meta": {
@@ -36421,19 +38712,19 @@
 "value": "ESET MoustachedBouncer"
 },
 {
- "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.",
+ "description": "John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.",
 "meta": {
- "date_accessed": "2023-09-25T00:00:00Z",
- "date_published": "2023-08-10T00:00:00Z",
+ "date_accessed": "2024-08-05T00:00:00Z",
+ "date_published": "2023-06-01T00:00:00Z",
 "refs": [
- "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/"
+ "https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response"
 ],
 "source": "MITRE",
- "title": "MoustachedBouncer: Espionage against foreign diplomats in Belarus"
+ "title": "MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response"
 },
 "related": [],
- "uuid": "9070f14b-5d5e-5f6d-bcac-628478e01242",
- "value": "MoustachedBouncer ESET August 2023"
+ "uuid": "6d426568-f760-5624-bdde-934ce3d83c45",
+ "value": "Huntress MOVEit 2023"
 },
 {
 "description": "Progress Software. (2023, June 16). MOVEit Transfer Critical Vulnerability (May 2023) (CVE-2023-34362). Retrieved July 28, 2023.",
@@ -36572,21 +38863,6 @@
 "uuid": "a15fff18-5d3f-4898-9e47-ec6ae7dda749",
 "value": "SRD GPP"
 },
- {
- "description": "Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved February 17, 2020.",
- "meta": {
- "date_accessed": "2020-02-17T00:00:00Z",
- "date_published": "2014-05-13T00:00:00Z",
- "refs": [
- "https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati"
- ],
- "source": "MITRE",
- "title": "MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege"
- },
- "related": [],
- "uuid": "7537c0bb-6f14-4a4a-94cc-98c6ed9e878f",
- "value": "MS14-025"
- },
 {
 "description": "Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015.",
 "meta": {
@@ -36602,6 +38878,21 @@
 "uuid": "dbe32cbd-8c6e-483f-887c-ea2a5102cf65",
 "value": "Microsoft MS14-025"
 },
+ {
+ "description": "Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved February 17, 2020.",
+ "meta": {
+ "date_accessed": "2020-02-17T00:00:00Z",
+ "date_published": "2014-05-13T00:00:00Z",
+ "refs": [
+ "https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati"
+ ],
+ "source": "MITRE",
+ "title": "MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege"
+ },
+ "related": [],
+ "uuid": "7537c0bb-6f14-4a4a-94cc-98c6ed9e878f",
+ "value": "MS14-025"
+ },
 {
 "description": "Microsoft. (n.d.). MSBuild1. Retrieved November 30, 2016.",
 "meta": {
@@ -36987,7 +39278,7 @@
 "date_accessed": "2020-04-24T00:00:00Z",
 "date_published": "2020-02-01T00:00:00Z",
 "refs": [
- "https://content.fireeye.com/m-trends/rpt-m-trends-2020"
+ "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
 ],
 "source": "MITRE",
 "title": "M-Trends 2020"
@@ -37088,11 +39379,26 @@
 "value": "TrendMicro POWERSTATS V3 June 2019"
 },
 {
- "description": "NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January 30, 2020.",
+ "description": "Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message Queuing Services Applications. Retrieved September 24, 2024.",
 "meta": {
- "date_accessed": "2020-01-30T00:00:00Z",
+ "date_accessed": "2024-09-24T00:00:00Z",
+ "date_published": "2024-06-04T00:00:00Z",
 "refs": [
- "https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication"
+ "https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/"
+ ],
+ "source": "MITRE",
+ "title": "Muhstik Malware Targets Message Queuing Services Applications"
+ },
+ "related": [],
+ "uuid": "3cd203fd-f178-5c0f-bccc-ea5d52240304",
+ "value": "Aquasec Muhstik Malware 2024"
+ },
+ {
+ "description": "NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-25T00:00:00Z",
+ "refs": [
+ "https://csrc.nist.gov/glossary/term/multi_factor_authentication"
 ],
 "source": "MITRE",
 "title": "Multi-Factor Authentication (MFA)"
@@ -37177,6 +39483,21 @@
 "uuid": "bddf44bb-7a0a-498b-9831-7b73cf9a582e",
 "value": "Arbor Musical Chairs Feb 2018"
 },
+ {
+ "description": "Microsoft. (2022, March 11). Mutexes. Retrieved September 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-19T00:00:00Z",
+ "date_published": "2022-03-11T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes"
+ ],
+ "source": "MITRE",
+ "title": "Mutexes"
+ },
+ "related": [],
+ "uuid": "e1384ecc-7fb9-588c-aca9-a67dc1ca1b60",
+ "value": "Microsoft Mutexes"
+ },
 {
 "description": "Thomas, C. (n.d.). Mythc Documentation. Retrieved March 25, 2022.",
 "meta": {
@@ -37458,12 +39779,12 @@
 "value": "NCSC Sandworm Feb 2020"
 },
 {
- "description": "Nick Landers. (2017, August 8). Need a signed alternative to Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered.. Retrieved February 6, 2024.",
+ "description": "Nick Landers. (2017, August 8). Need a signed alternative to Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered.. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2024-02-06T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2017-08-08T00:00:00Z",
 "refs": [
- "https://twitter.com/monoxgas/status/895045566090010624"
+ "https://x.com/monoxgas/status/895045566090010624"
 ],
 "source": "MITRE",
 "title": "Need a signed alternative to Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered."
@@ -37472,6 +39793,21 @@
 "uuid": "264a4f99-b1dc-5afd-8178-e1f37c3db8ff",
 "value": "7 - appv"
 },
+ {
+ "description": "Gabor Szappanos. (2014, February 3). Needle in a haystack. Retrieved July 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-25T00:00:00Z",
+ "date_published": "2014-02-03T00:00:00Z",
+ "refs": [
+ "https://www.virusbulletin.com/virusbulletin/2014/02/needle-haystack"
+ ],
+ "source": "MITRE",
+ "title": "Needle in a haystack"
+ },
+ "related": [],
+ "uuid": "d2742561-6d0a-54d6-9c6d-1e2cd789dcc4",
+ "value": "Szappanos MgBot 2014"
+ },
 {
 "description": "Microsoft. (n.d.). NetBIOS Name Resolution. Retrieved November 17, 2017.",
 "meta": {
@@ -37531,6 +39867,36 @@
 "uuid": "75998d1c-69c0-40d2-a64b-43ad8efa05da",
 "value": "Microsoft Net Utility"
 },
+ {
+ "description": "Microsoft. (2016, August 31). Net group. Retrieved August 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-05T00:00:00Z",
+ "date_published": "2016-08-31T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)"
+ ],
+ "source": "MITRE",
+ "title": "Net group"
+ },
+ "related": [],
+ "uuid": "23ec5471-808c-53fa-8bce-36b3982e9dd1",
+ "value": "Microsoft Net Group"
+ },
+ {
+ "description": "Microsoft. (2016, August 31). Net Localgroup. Retrieved August 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-05T00:00:00Z",
+ "date_published": "2016-08-31T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)"
+ ],
+ "source": "MITRE",
+ "title": "Net Localgroup"
+ },
+ "related": [],
+ "uuid": "f7e55413-2e3f-5e46-ba73-75eaa1ed6ec3",
+ "value": "Microsoft Net Localgroup"
+ },
 {
 "description": "Microsoft. (2009, June 3). Netsh Commands for Windows Firewall. Retrieved April 20, 2016.",
 "meta": {
@@ -37861,12 +40227,12 @@
 "value": "Google TAG Lazarus Jan 2021"
 },
 {
- "description": "Perigaud, F. (2015, December 15). Newcomers in the Derusbi family. Retrieved December 20, 2017.",
+ "description": "Perigaud, F. (2015, December 15). Newcomers in the Derusbi family. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2017-12-20T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2015-12-15T00:00:00Z",
 "refs": [
- "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
+ "https://web.archive.org/web/20180607084223/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
 ],
 "source": "MITRE",
 "title": "Newcomers in the Derusbi family"
@@ -37890,6 +40256,21 @@
 "uuid": "80530288-26a3-4c3e-ace1-47510df10fbd",
 "value": "Malwarebytes Crossrider Apr 2018"
 },
+ {
+ "description": "Kessem, L. (2019, December 4). New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East. Retrieved September 4, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-04T00:00:00Z",
+ "date_published": "2019-12-04T00:00:00Z",
+ "refs": [
+ "https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/"
+ ],
+ "source": "MITRE",
+ "title": "New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East"
+ },
+ "related": [],
+ "uuid": "26ba5292-265d-5db4-a571-215c984fe095",
+ "value": "IBM ZeroCleare Wiper December 2019"
+ },
 {
 "description": "Gavriel, H. & Erbesfeld, B. (2018, April 11). New ‘Early Bird’ Code Injection Technique Discovered. Retrieved May 24, 2018.",
 "meta": {
@@ -37951,19 +40332,19 @@
 "value": "Bleeping Computer Evil Corp mimics PayloadBin gang 2022"
 },
 {
- "description": "Microsoft Malware Protection Center. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved July 3, 2017.",
+ "description": "Reliaquest. (2024, May 31). New Execution Technique in ClearFake Campaign. Retrieved August 2, 2024.",
 "meta": {
- "date_accessed": "2017-07-03T00:00:00Z",
- "date_published": "2016-03-22T00:00:00Z",
+ "date_accessed": "2024-08-02T00:00:00Z",
+ "date_published": "2024-05-31T00:00:00Z",
 "refs": [
- "https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/"
+ "https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/"
 ],
 "source": "MITRE",
- "title": "New feature in Office 2016 can block macros and help prevent infection"
+ "title": "New Execution Technique in ClearFake Campaign"
 },
 "related": [],
- "uuid": "f14f08c5-de51-4827-ba3a-f0598dfbe505",
- "value": "TechNet Office Macro Security"
+ "uuid": "c6febbb5-b994-5996-a42d-56d4cb151e83",
+ "value": "Reliaquest-execution"
 },
 {
 "description": "Windows Defender Research. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved April 11, 2018.",
@@ -37980,6 +40361,21 @@
 "uuid": "4d0f4d0a-b812-42f8-a52c-a1f5c69e6337",
 "value": "Microsoft Block Office Macros"
 },
+ {
+ "description": "Microsoft Malware Protection Center. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved July 3, 2017.",
+ "meta": {
+ "date_accessed": "2017-07-03T00:00:00Z",
+ "date_published": "2016-03-22T00:00:00Z",
+ "refs": [
+ "https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/"
+ ],
+ "source": "MITRE",
+ "title": "New feature in Office 2016 can block macros and help prevent infection"
+ },
+ "related": [],
+ "uuid": "f14f08c5-de51-4827-ba3a-f0598dfbe505",
+ "value": "TechNet Office Macro Security"
+ },
 {
 "description": "Sudhakar Ramakrishna . (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021.",
 "meta": {
@@ -38144,6 +40540,21 @@
 "uuid": "f3d3b9bc-4c59-4a1f-b602-e3e884661708",
 "value": "Unit 42 NOKKI Sept 2018"
 },
+ {
+ "description": "Abrams, L. (2024, April 30). New Latrodectus malware attacks use Microsoft, Cloudflare themes. Retrieved September 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-13T00:00:00Z",
+ "date_published": "2024-04-30T00:00:00Z",
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/new-latrodectus-malware-attacks-use-microsoft-cloudflare-themes/"
+ ],
+ "source": "MITRE",
+ "title": "New Latrodectus malware attacks use Microsoft, Cloudflare themes"
+ },
+ "related": [],
+ "uuid": "b138b07e-d68b-5f68-ba74-ddd7bb654fa6",
+ "value": "Bleeping Computer Latrodectus April 2024"
+ },
 {
 "description": "Ionut Arghire. (2021, February 24). New ‘LazyScripter’ Hacking Group Targets Airlines. Retrieved January 10, 2024.",
 "meta": {
@@ -38159,6 +40570,21 @@
 "uuid": "bafb2088-d3c1-5550-a48e-cf1e84662fcc",
 "value": "Arghire LazyScripter"
 },
+ {
+ "description": "Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved September 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-19T00:00:00Z",
+ "date_published": "2021-03-10T00:00:00Z",
+ "refs": [
+ "https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/"
+ ],
+ "source": "MITRE",
+ "title": "New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor"
+ },
+ "related": [],
+ "uuid": "43d1212a-356c-56f7-be92-78f2ffe17cf2",
+ "value": "Intezer RedXOR 2021"
+ },
 {
 "description": "Dela Cruz, A. et al. (2022, May 25). New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code. Retrieved December 19, 2023.",
 "meta": {
@@ -38220,21 +40646,6 @@
 "uuid": "b1540c5c-0bbc-4b9d-9185-fae224ba31be",
 "value": "Gallagher 2015"
 },
- {
- "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.",
- "meta": {
- "date_accessed": "2019-06-05T00:00:00Z",
- "date_published": "2017-11-28T00:00:00Z",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html"
- ],
- "source": "MITRE",
- "title": "Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection"
- },
- "related": [],
- "uuid": "32c0b9d2-9f31-4e49-8b3a-c63ff4fffa47",
- "value": "FireEye Ursnif Nov 2017"
- },
 {
 "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.",
 "meta": {
@@ -38250,6 +40661,21 @@
 "uuid": "9737055a-f583-448e-84d0-1d336c4da9a8",
 "value": "FireEye TLS Nov 2017"
 },
+ {
+ "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.",
+ "meta": {
+ "date_accessed": "2019-06-05T00:00:00Z",
+ "date_published": "2017-11-28T00:00:00Z",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html"
+ ],
+ "source": "MITRE",
+ "title": "Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection"
+ },
+ "related": [],
+ "uuid": "32c0b9d2-9f31-4e49-8b3a-c63ff4fffa47",
+ "value": "FireEye Ursnif Nov 2017"
+ },
 {
 "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
 "meta": {
@@ -38657,12 +41083,12 @@
 "value": "Eweek Newscaster and Charming Kitten May 2014"
 },
 {
- "description": "Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.",
+ "description": "Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved September 16, 2024..",
 "meta": {
- "date_accessed": "2019-05-28T00:00:00Z",
+ "date_accessed": "2024-09-16T00:00:00Z",
 "date_published": "2019-04-02T00:00:00Z",
 "refs": [
- "https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/"
+ "https://www.deepinstinct.com/blog/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload"
 ],
 "source": "MITRE",
 "title": "New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload"
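Review bot: The rewritten description of the ServHelper entry in the second hunk ends with a doubled period, `Retrieved September 16, 2024..`, while every other refreshed description in this patch ends with a single one. The line should read `"description": "Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved September 16, 2024."`. The accompanying `date_accessed` value is consistent with the new date, so only the string needs the fix; if the description is generated by the importer, the extra period presumably comes from the upstream citation and should be trimmed there.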
@@ -38746,6 +41172,21 @@
 "uuid": "46be6b77-ee2b-407e-bdd4-5a1183eda7f3",
 "value": "Blasco 2013"
 },
+ {
+ "description": "Ben Fletcher and Steve de Vera. (2024, June). New tactics and techniques for proactive threat detection. Retrieved September 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-25T00:00:00Z",
+ "date_published": "2024-06-01T00:00:00Z",
+ "refs": [
+ "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+ ],
+ "source": "MITRE",
+ "title": "New tactics and techniques for proactive threat detection"
+ },
+ "related": [],
+ "uuid": "f2689dfc-83ff-53c6-b074-ce507824799a",
+ "value": "AWS RE:Inforce Threat Detection 2024"
+ },
 {
 "description": "Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.",
 "meta": {
@@ -38791,6 +41232,21 @@
 "uuid": "8956f0e5-d07f-4063-bf60-f8b964d03e6d",
 "value": "Unit 42 Cobalt Gang Oct 2018"
 },
+ {
+ "description": "Yehuda Gelb. (2024, April 10). New Technique to Trick Developers Detected in an Open Source Supply Chain Attack. Retrieved June 18, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-18T00:00:00Z",
+ "date_published": "2024-04-10T00:00:00Z",
+ "refs": [
+ "https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/"
+ ],
+ "source": "MITRE",
+ "title": "New Technique to Trick Developers Detected in an Open Source Supply Chain Attack"
+ },
+ "related": [],
+ "uuid": "ef9376d8-4792-5883-bb0f-00fe7e34b049",
+ "value": "Checkmarx-oss-seo"
+ },
 {
 "description": "Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.",
 "meta": {
@@ -38896,21 +41352,6 @@
 "uuid": "bc7755a0-5ee3-477b-b8d7-67174a59d0e2",
 "value": "Avira Mustang Panda January 2020"
 },
- {
- "description": "Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.",
- "meta": {
- "date_accessed": "2018-11-15T00:00:00Z",
- "date_published": "2016-05-24T00:00:00Z",
- "refs": [
- "https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/"
- ],
- "source": "MITRE",
- "title": "New Wekby Attacks Use DNS Requests As Command and Control Mechanism"
- },
- "related": [],
- "uuid": "6f08aa4e-c89f-4d3e-8f46-e856e21d2d50",
- "value": "PaloAlto DNS Requests May 2016"
- },
 {
 "description": "Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.",
 "meta": {
@@ -38926,6 +41367,21 @@
 "uuid": "4a946c3f-ee0a-4649-8104-2bd9d90ebd49",
 "value": "Palo Alto DNS Requests"
 },
+ {
+ "description": "Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.",
+ "meta": {
+ "date_accessed": "2018-11-15T00:00:00Z",
+ "date_published": "2016-05-24T00:00:00Z",
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/"
+ ],
+ "source": "MITRE",
+ "title": "New Wekby Attacks Use DNS Requests As Command and Control Mechanism"
+ },
+ "related": [],
+ "uuid": "6f08aa4e-c89f-4d3e-8f46-e856e21d2d50",
+ "value": "PaloAlto DNS Requests May 2016"
+ },
 {
 "description": "Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.",
 "meta": {
@@ -38957,12 +41413,12 @@
 "value": "FireEye Clandestine Fox"
 },
 {
- "description": "Carr, N.. (2018, October 25). Nick Carr Status Update. Retrieved April 22, 2019.",
+ "description": "Carr, N.. (2018, October 25). Nick Carr Status Update. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2019-04-22T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2018-10-25T00:00:00Z",
 "refs": [
- "https://twitter.com/ItsReallyNick/status/1055321868641689600"
+ "https://x.com/ItsReallyNick/status/1055321868641689600"
 ],
 "source": "MITRE",
 "title": "Nick Carr Status Update"
@@ -38972,12 +41428,12 @@
 "value": "Twitter ItsReallyNick Platinum Masquerade"
 },
 {
- "description": "Carr, N.. (2017, December 26). Nick Carr Status Update APT32 pubprn. Retrieved April 22, 2019.",
+ "description": "Carr, N.. (2017, December 26). Nick Carr Status Update APT32 pubprn. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2019-04-22T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2017-12-26T00:00:00Z",
 "refs": [
- "https://twitter.com/ItsReallyNick/status/945681177108762624"
+ "https://x.com/ItsReallyNick/status/945681177108762624"
 ],
 "source": "MITRE",
 "title": "Nick Carr Status Update APT32 pubprn"
@@ -38987,12 +41443,12 @@
 "value": "Twitter ItsReallyNick APT32 pubprn Masquerade"
 },
 {
- "description": "Carr, N. (2019, October 30). Nick Carr Status Update APT41 Environmental Keying. Retrieved June 23, 2020.",
+ "description": "Carr, N. (2019, October 30). Nick Carr Status Update APT41 Environmental Keying. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2020-06-23T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2019-10-30T00:00:00Z",
 "refs": [
- "https://twitter.com/ItsReallyNick/status/1189622925286084609"
+ "https://x.com/ItsReallyNick/status/1189622925286084609"
 ],
 "source": "MITRE",
 "title": "Nick Carr Status Update APT41 Environmental Keying"
@@ -39002,12 +41458,12 @@
 "value": "Twitter ItsReallyNick APT41 EK"
 },
 {
- "description": "Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.",
+ "description": "Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2019-04-22T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2018-10-25T00:00:00Z",
 "refs": [
- "https://twitter.com/ItsReallyNick/status/1055321652777619457"
+ "https://x.com/ItsReallyNick/status/1055321652777619457"
 ],
 "source": "MITRE",
 "title": "Nick Carr Status Update Masquerading"
@@ -39120,6 +41576,22 @@
 "uuid": "94b5ac75-1fd5-4cad-a604-2b09846eb975",
 "value": "Netskope Nitol"
 },
+ {
+ "description": "The DFIR Report. (2024, September 30). Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware. Retrieved September 30, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-30T00:00:00Z",
+ "date_published": "2024-09-30T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware"
+ },
+ "related": [],
+ "uuid": "b2ee9f5e-ed34-4141-9740-8f6e37ba4f28",
+ "value": "The DFIR Report September 30 2024"
+ },
 {
 "description": "Dawda, U. and Villeneuve, N. (2013, August 30). Njw0rm - Brother From the Same Mother. Retrieved June 4, 2019.",
 "meta": {
@@ -39164,21 +41636,6 @@
 "uuid": "65f1bbaa-8ad1-4ad5-b726-660558d27efc",
 "value": "Nmap: the Network Mapper"
 },
- {
- "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved January 31, 2022.",
- "meta": {
- "date_accessed": "2022-01-31T00:00:00Z",
- "date_published": "2021-10-25T00:00:00Z",
- "refs": [
- "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks"
- ],
- "source": "MITRE",
- "title": "NOBELIUM targeting delegated administrative privileges to facilitate broader attacks"
- },
- "related": [],
- "uuid": "aa315293-77a5-4ad9-b024-9af844edff9a",
- "value": "Microsoft Nobelium Admin Privileges"
- },
 {
 "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.",
 "meta": {
@@ -39194,6 +41651,21 @@
 "uuid": "7b6cc308-9871-47e5-9039-a9a7e66ce373",
 "value": "MSTIC Nobelium Oct 2021"
 },
+ {
+ "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved January 31, 2022.",
+ "meta": {
+ "date_accessed": "2022-01-31T00:00:00Z",
+ "date_published": "2021-10-25T00:00:00Z",
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks"
+ ],
+ "source": "MITRE",
+ "title": "NOBELIUM targeting delegated administrative privileges to facilitate broader attacks"
+ },
+ "related": [],
+ "uuid": "aa315293-77a5-4ad9-b024-9af844edff9a",
+ "value": "Microsoft Nobelium Admin Privileges"
+ },
 {
 "description": "Symantec Threat Hunter Team. (2022, September 22). Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics. Retrieved September 14, 2023.",
 "meta": {
@@ -39496,6 +41968,22 @@
 "uuid": "bff1667b-3f87-4653-bd17-b675e997baf1",
 "value": "Volexity InkySquid RokRAT August 2021"
 },
+ {
+ "description": "Microsoft Threat Intelligence; Microsoft Security Response Center. (2024, August 30). North Korean threat actor Citrine Sleet exploiting Chromium zero-day . Retrieved September 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-01T00:00:00Z",
+ "date_published": "2024-08-30T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "North Korean threat actor Citrine Sleet exploiting Chromium zero-day"
+ },
+ "related": [],
+ "uuid": "d7ef2e80-30c0-47ce-91d4-db1690c6c689",
+ "value": "Microsoft Security Blog August 30 2024"
+ },
 {
 "description": "Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.",
 "meta": {
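Review bot: The new Citrine Sleet entry's description has a stray space before the period, `exploiting Chromium zero-day . Retrieved September 1, 2024.`, while the `title` field of the same entry has no trailing space, so the two strings have drifted apart even though they presumably come from the same source title. `"description": "Microsoft Threat Intelligence; Microsoft Security Response Center. (2024, August 30). North Korean threat actor Citrine Sleet exploiting Chromium zero-day. Retrieved September 1, 2024."` keeps the description consistent with the title and with the neighbouring entries.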
@@ -39526,6 +42014,21 @@
 "uuid": "72d4b682-ed19-4e0f-aeff-faa52b3a0439",
 "value": "Github NoRunDll"
 },
+ {
+ "description": "Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.",
+ "meta": {
+ "date_accessed": "2023-06-30T00:00:00Z",
+ "date_published": "2022-12-02T00:00:00Z",
+ "refs": [
+ "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/"
+ ],
+ "source": "MITRE",
+ "title": "Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies"
+ },
+ "related": [],
+ "uuid": "382785e1-4ef3-506e-b74f-cd07df9ae46e",
+ "value": "Crowdstrike TELCO BPO Campaign December 2022"
+ },
 {
 "description": "Tim Parisi. (2022, December 22). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved September 14, 2023.",
 "meta": {
@@ -39542,21 +42045,6 @@
 "uuid": "e48760ba-2752-4d30-8f99-152c81f63017",
 "value": "CrowdStrike Scattered Spider SIM Swapping December 22 2022"
 },
- {
- "description": "Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.",
- "meta": {
- "date_accessed": "2023-06-30T00:00:00Z",
- "date_published": "2022-12-02T00:00:00Z",
- "refs": [
- "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/"
- ],
- "source": "MITRE",
- "title": "Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies"
- },
- "related": [],
- "uuid": "382785e1-4ef3-506e-b74f-cd07df9ae46e",
- "value": "Crowdstrike TELCO BPO Campaign December 2022"
- },
 {
 "description": "Ducklin, P. (2015, April 20). Notes from SophosLabs: Dyreza, the malware that discriminates against old computers. Retrieved June 16, 2020.",
 "meta": {
@@ -39677,6 +42165,20 @@
 "uuid": "306f7da7-caa2-40bf-a3db-e579c541eeb4",
 "value": "NT API Windows"
 },
+ {
+ "description": "Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-19T00:00:00Z",
+ "refs": [
+ "https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe"
+ ],
+ "source": "MITRE",
+ "title": "No Win32 Process Needed | Expanding the WMI Lateral Movement Arsenal"
+ },
+ "related": [],
+ "uuid": "650cdde6-e0b5-5cb4-9dc4-7a2528c9e49b",
+ "value": "Malicious Life by Cybereason"
+ },
 {
 "description": "Rahman, Alyssa. (2021, December 13). Now You Serial, Now You Don’t — Systematically Hunting for Deserialization Exploits. Retrieved November 28, 2023.",
 "meta": {
@@ -39799,6 +42301,21 @@
 "uuid": "7b533ca9-9075-408d-b125-89bc7446ec8f",
 "value": "NtQueryInformationProcess"
 },
+ {
+ "description": "Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-30T00:00:00Z",
+ "date_published": "2024-07-16T00:00:00Z",
+ "refs": [
+ "https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/"
+ ],
+ "source": "MITRE",
+ "title": "NullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI"
+ },
+ "related": [],
+ "uuid": "7cbf93a8-0d1b-5c49-851b-5bc2bc3ffb2c",
+ "value": "Sentinel Labs NullBulge 2024"
+ },
 {
 "description": "Nyan-x-Cat. (n.d.). NYAN-x-CAT / AsyncRAT-C-Sharp. Retrieved October 3, 2023.",
 "meta": {
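Review bot: The refs URL in the `Malicious Life by Cybereason` entry (first hunk, `@@ -39677,6 +42165,20 @@`) carries a `#blog-subscribe` fragment that anchors a subscription widget rather than the article, and the `value` names the publisher's podcast brand instead of the cited post. Suggest trimming the URL to `https://www.cybereason.com/blog/wmi-lateral-movement-win32`; if the value is not pinned to an upstream source name, something like `Cybereason WMI Lateral Movement` would match the naming of neighbouring entries and keep the reference findable next to the Tsukerman citation in `description`. If the value must stay as upstream MITRE names it, the fragment trim alone is still worthwhile, since `value` is the lookup key and renames get expensive once released.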
@@ -39917,6 +42434,20 @@
 "uuid": "26b757c8-25cd-42ef-bef2-eb7a28455d57",
 "value": "objective-see 2017 review"
 },
+ {
+ "description": "Google Cloud. (n.d.). Object Lifecycle Management. Retrieved September 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-25T00:00:00Z",
+ "refs": [
+ "https://cloud.google.com/storage/docs/lifecycle"
+ ],
+ "source": "MITRE",
+ "title": "Object Lifecycle Management"
+ },
+ "related": [],
+ "uuid": "32c16ce6-ccb6-5a60-975c-39d165dfc0a2",
+ "value": "GCP Storage Lifecycles"
+ },
 {
 "description": "Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.",
 "meta": {
@@ -40610,6 +43141,20 @@
 "uuid": "d4c2bac0-e95c-46af-ae52-c93de3d92f19",
 "value": "Unit 42 OopsIE! Feb 2018"
 },
+ {
+ "description": "Ariel Szarf, Doron Karmi, and Lionel Saposnik. (n.d.). Oops, I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots. Retrieved September 24, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-24T00:00:00Z",
+ "refs": [
+ "https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots"
+ ],
+ "source": "MITRE",
+ "title": "Oops, I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots"
+ },
+ "related": [],
+ "uuid": "8c1d75b3-2ea9-5390-aefb-88f50730b2a0",
+ "value": "Mitiga"
+ },
 {
 "description": "Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.",
 "meta": {
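Review bot: The `value` `Mitiga` in the second hunk (`@@ -40610,6 +43141,20 @@`) is a bare vendor name, which is unusually generic for the field that serves as the entry's lookup key; any later Mitiga reference would collide with it or be forced into an awkward variant. If the value is not pinned to an upstream source name, `Mitiga RDS Snapshots PII` would follow the `Publisher Topic Year` shape used by neighbouring entries. The hunk omits `date_published`, which is consistent with the `(n.d.)` in `description`, so that part needs no change.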
@@ -40769,7 +43314,7 @@
 "date_accessed": "2016-03-16T00:00:00Z",
 "date_published": "2016-02-24T00:00:00Z",
 "refs": [
- "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf"
+ "https://web.archive.org/web/20220608001455/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf"
 ],
 "source": "MITRE",
 "title": "Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report"
@@ -40784,7 +43329,7 @@
 "date_accessed": "2016-03-10T00:00:00Z",
 "date_published": "2016-02-24T00:00:00Z",
 "refs": [
- "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf"
+ "https://web.archive.org/web/20220425194457/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf"
 ],
 "source": "MITRE",
 "title": "Operation Blockbuster: Tools Report"
@@ -41064,9 +43609,9 @@
 "value": "ESET Dukes October 2019"
 },
 {
- "description": "IssueMakersLab. (2017, May 1). Operation GoldenAxe. Retrieved September 29, 2021.",
+ "description": "IssueMakersLab. (2017, May 1). Operation GoldenAxe. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2021-09-29T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2017-05-01T00:00:00Z",
 "refs": [
 "http://www.issuemakerslab.com/research3/"
@@ -41154,21 +43699,6 @@
 "uuid": "4035e871-9291-4d7f-9c5f-d8482d4dc8a7",
 "value": "AhnLab Kimsuky Kabar Cobra Feb 2019"
 },
- {
- "description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.",
- "meta": {
- "date_accessed": "2014-11-12T00:00:00Z",
- "date_published": "2014-01-01T00:00:00Z",
- "refs": [
- "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs"
- ],
- "source": "MITRE, Tidal Cyber",
- "title": "OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs"
- },
- "related": [],
- "uuid": "bb45cf96-ceae-4f46-a0f5-08cd89f699c9",
- "value": "Mandiant Operation Ke3chang November 2014"
- },
 {
 "description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.",
 "meta": {
@@ -41184,6 +43714,21 @@
 "uuid": "31504d92-6c4d-43f0-8548-ccc3aa05ba48",
 "value": "Villeneuve et al 2014"
 },
+ {
+ "description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.",
+ "meta": {
+ "date_accessed": "2014-11-12T00:00:00Z",
+ "date_published": "2014-01-01T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs"
+ ],
+ "source": "MITRE, Tidal Cyber",
+ "title": "OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs"
+ },
+ "related": [],
+ "uuid": "bb45cf96-ceae-4f46-a0f5-08cd89f699c9",
+ "value": "Mandiant Operation Ke3chang November 2014"
+ },
 {
 "description": "Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.",
 "meta": {
@@ -41602,6 +44147,21 @@
 "uuid": "061d8f74-a202-4089-acae-687e4f96933b",
 "value": "Symantec WastedLocker June 2020"
 },
+ {
+ "description": "Microsoft Azure. (2024, May 31). Organize your Azure resources effectively. Retrieved September 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-25T00:00:00Z",
+ "date_published": "2024-05-31T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources"
+ ],
+ "source": "MITRE",
+ "title": "Organize your Azure resources effectively"
+ },
+ "related": [],
+ "uuid": "3d2f4092-5173-5f40-8b5f-c1cb886a2e6e",
+ "value": "Microsoft Azure Resources"
+ },
 {
 "description": "Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.",
 "meta": {
@@ -41799,12 +44359,12 @@
 "value": "Outlook Today Home Page"
 },
 {
- "description": "Recorded Future. (2019, June 20). Out of the Blue: How Recorded Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.",
+ "description": "Recorded Future. (2019, June 20). Out of the Blue: How Recorded Future Identified Rogue Cobalt Strike Servers. Retrieved September 16, 2024.",
 "meta": {
- "date_accessed": "2020-10-16T00:00:00Z",
+ "date_accessed": "2024-09-16T00:00:00Z",
 "date_published": "2019-06-20T00:00:00Z",
 "refs": [
- "https://www.recordedfuture.com/identifying-cobalt-strike-servers/"
+ "https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers"
 ],
 "source": "MITRE",
 "title": "Out of the Blue: How Recorded Future Identified Rogue Cobalt Strike Servers"
@@ -41842,21 +44402,6 @@
 "uuid": "55ee5bcc-ba56-58ac-9afb-2349aa75fe39",
 "value": "Kubernetes Cloud Native Security"
 },
- {
- "description": "Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.",
- "meta": {
- "date_accessed": "2021-03-24T00:00:00Z",
- "date_published": "2012-07-23T00:00:00Z",
- "refs": [
- "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html"
- ],
- "source": "MITRE",
- "title": "Overview of Dynamic Libraries"
- },
- "related": [],
- "uuid": "e3b8cc52-2096-418c-b291-1bc76022961d",
- "value": "Apple Doco Archive Dynamic Libraries"
- },
 {
 "description": "Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.",
 "meta": {
@@ -41872,6 +44417,21 @@
 "uuid": "39ffd162-4052-57ec-bd20-2fe6b8e6beab",
 "value": "Apple Dev Dynamic Libraries"
 },
+ {
+ "description": "Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.",
+ "meta": {
+ "date_accessed": "2021-03-24T00:00:00Z",
+ "date_published": "2012-07-23T00:00:00Z",
+ "refs": [
+ "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html"
+ ],
+ "source": "MITRE",
+ "title": "Overview of Dynamic Libraries"
+ },
+ "related": [],
+ "uuid": "e3b8cc52-2096-418c-b291-1bc76022961d",
+ "value": "Apple Doco Archive Dynamic Libraries"
+ },
 {
 "description": "Google Cloud. (n.d.). Overview of IAM Conditions. Retrieved January 2, 2024.",
 "meta": {
@@ -42093,21 +44653,6 @@
 "uuid": "6bc5ad93-3cc2-4429-ac4c-aae72193df27",
 "value": "Man Pam_Unix"
 },
- {
- "description": "Lancaster, T. and Idrizovic, E.. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017.",
- "meta": {
- "date_accessed": "2017-07-13T00:00:00Z",
- "date_published": "2017-06-27T00:00:00Z",
- "refs": [
- "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/"
- ],
- "source": "MITRE",
- "title": "Paranoid PlugX"
- },
- "related": [],
- "uuid": "27f17e79-ef38-4c20-9250-40c81fa8717a",
- "value": "Palo Alto PlugX June 2017"
- },
 {
 "description": "Lancaster, T., Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved April 19, 2019.",
 "meta": {
@@ -42123,6 +44668,21 @@
 "uuid": "9dc629a0-543c-4221-86cc-0dfb93903988",
 "value": "Unit42 PlugX June 2017"
 },
+ {
+ "description": "Lancaster, T. and Idrizovic, E.. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017.",
+ "meta": {
+ "date_accessed": "2017-07-13T00:00:00Z",
+ "date_published": "2017-06-27T00:00:00Z",
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/"
+ ],
+ "source": "MITRE",
+ "title": "Paranoid PlugX"
+ },
+ "related": [],
+ "uuid": "27f17e79-ef38-4c20-9250-40c81fa8717a",
+ "value": "Palo Alto PlugX June 2017"
+ },
 {
 "description": "Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019.",
 "meta": {
@@ -42253,12 +44813,12 @@
 "value": "ObjectiveSee AppleJeus 2019"
 },
 {
- "description": "Deply, B. (2014, January 13). Pass the ticket. Retrieved June 2, 2016.",
+ "description": "Deply, B. (2014, January 13). Pass the ticket. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2016-06-02T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2014-01-13T00:00:00Z",
 "refs": [
- "http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos"
+ "https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos"
 ],
 "source": "MITRE",
 "title": "Pass the ticket"
@@ -42890,6 +45450,21 @@
 "uuid": "533b8ae2-2fc3-4cf4-bcaa-5d8bfcba91c0",
 "value": "Prevailion EvilNum May 2020"
 },
+ {
+ "description": "Graham Edgecombe. (2024, February 7). Phishception – SendGrid is abused to host phishing attacks impersonating itself. Retrieved October 15, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-15T00:00:00Z",
+ "date_published": "2024-02-07T00:00:00Z",
+ "refs": [
+ "https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/"
+ ],
+ "source": "MITRE",
+ "title": "Phishception – SendGrid is abused to host phishing attacks impersonating itself"
+ },
+ "related": [],
+ "uuid": "584506e4-4ce2-5cbc-97ea-a4e68863395d",
+ "value": "Netcraft SendGrid 2024"
+ },
 {
 "description": "Hanson, R. (2016, September 24). phishery. Retrieved July 21, 2018.",
 "meta": {
@@ -42966,11 +45541,12 @@
 "value": "Enigma Phishing for Credentials Jan 2015"
 },
 {
- "description": "KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.",
+ "description": "KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.",
 "meta": {
- "date_accessed": "2022-03-07T00:00:00Z",
+ "date_accessed": "2024-03-08T00:00:00Z",
+ "date_published": "2021-01-01T00:00:00Z",
 "refs": [
- "https://www.boho.or.kr/krcert/publicationView.do?bulletin_writing_sequence=35936"
+ "https://web.archive.org/web/20220328121326/https://boho.or.kr/filedownload.do?attach_file_seq=2695&attach_file_id=EpF2695.pdf"
 ],
 "source": "MITRE",
 "title": "Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi"
@@ -43083,6 +45659,21 @@
 "uuid": "dc833e17-7105-5790-b30b-b4fed7fd2d2f",
 "value": "wired-pig butchering"
 },
+ {
+ "description": "Swachchhanda Shrawan Poudel. (2024, February). Pikabot: 
 A Sophisticated and Modular Backdoor Trojan with Advanced Evasion Techniques. Retrieved July 12, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-12T00:00:00Z",
+ "date_published": "2024-02-01T00:00:00Z",
+ "refs": [
+ "https://www.logpoint.com/wp-content/uploads/2024/02/logpoint-etpr-pikabot.pdf"
+ ],
+ "source": "MITRE",
+ "title": "Pikabot: 
 A Sophisticated and Modular Backdoor Trojan with Advanced Evasion Techniques"
+ },
+ "related": [],
+ "uuid": "5136cc70-ba63-551c-aa7f-ab4c57980a1c",
+ "value": "Logpoint Pikabot 2024"
+ },
 {
 "description": "Jérôme Segura. (2023, December 15). PikaBot distributed via malicious search ads. Retrieved January 11, 2023.",
 "meta": {
@@ -43099,6 +45690,21 @@
 "uuid": "50b29ef4-7ade-4672-99b6-fdf367170a5b",
 "value": "Malwarebytes Pikabot December 15 2023"
 },
+ {
+ "description": "Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-12T00:00:00Z",
+ "date_published": "2024-02-23T00:00:00Z",
+ "refs": [
+ "https://www.elastic.co/security-labs/pikabot-i-choose-you"
+ ],
+ "source": "MITRE",
+ "title": "PIKABOT, I choose you!"
+ },
+ "related": [],
+ "uuid": "6c222f33-f588-513c-9149-4c2308e05319",
+ "value": "Elastic Pikabot 2024"
+ },
 {
 "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.",
 "meta": {
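Review bot: In the Logpoint Pikabot entry (hunk `@@ -43083,6 +45659,21 @@`, which begins on the previous physical lines) both `description` and `title` break after `Pikabot: ` and resume with ` A Sophisticated and Modular Backdoor Trojan…`; as shown here that is a line break inside a JSON string, which a strict parser rejects, and if it is really an escaped `\n` it is still the only multi-line title in this file section and will render oddly in any UI that lists reference titles. Suggest normalising the whitespace so both fields read `Pikabot: A Sophisticated and Modular Backdoor Trojan with Advanced Evasion Techniques`. A `python -m json.tool` pass over the generated cluster before merge would confirm the file still parses.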
@@ -43235,22 +45841,6 @@
 "uuid": "a78613a5-ce17-4d11-8f2f-3e642cd7673c",
 "value": "Symantec Play Ransomware April 19 2023"
 },
- {
- "description": "Don Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares. (2022, September 6). Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa. Retrieved August 10, 2023.",
- "meta": {
- "date_accessed": "2023-08-10T00:00:00Z",
- "date_published": "2022-09-06T00:00:00Z",
- "owner": "TidalCyberIan",
- "refs": [
- "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html"
- ],
- "source": "Tidal Cyber",
- "title": "Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa"
- },
- "related": [],
- "uuid": "2d2b527d-25b0-4b58-9ae6-c87060b64069",
- "value": "Trend Micro Play Playbook September 06 2022"
- },
 {
 "description": "Don Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares. (2022, September 6). Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa. Retrieved September 21, 2023.",
 "meta": {
@@ -43267,6 +45857,22 @@
 "uuid": "ed02529c-920d-4a92-8e86-be1ed7083991",
 "value": "Trend Micro Play Ransomware September 06 2022"
 },
+ {
+ "description": "Don Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares. (2022, September 6). Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa. Retrieved August 10, 2023.",
+ "meta": {
+ "date_accessed": "2023-08-10T00:00:00Z",
+ "date_published": "2022-09-06T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa"
+ },
+ "related": [],
+ "uuid": "2d2b527d-25b0-4b58-9ae6-c87060b64069",
+ "value": "Trend Micro Play Playbook September 06 2022"
+ },
 {
 "description": "Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.",
 "meta": {
@@ -43372,6 +45978,21 @@
 "uuid": "8a7a4a51-e16d-447e-8f1e-c02d6dae3e26",
 "value": "Kube Pod"
 },
+ {
+ "description": "Mercer, Warren. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves. Retrieved August 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-05T00:00:00Z",
+ "date_published": "2020-10-06T00:00:00Z",
+ "refs": [
+ "https://blog.talosintelligence.com/poetrat-update/"
+ ],
+ "source": "MITRE",
+ "title": "PoetRAT: Malware targeting public and private sector in Azerbaijan evolves"
+ },
+ "related": [],
+ "uuid": "83503473-54c5-555e-954c-12c4f4bbdde6",
+ "value": "PoetRat Lua"
+ },
 {
 "description": "Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021.",
 "meta": {
@@ -43418,12 +46039,12 @@
 "value": "Talos Zeus Panda Nov 2017"
 },
 {
- "description": "FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.",
+ "description": "FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved September 19, 2024.",
 "meta": {
- "date_accessed": "2014-11-12T00:00:00Z",
+ "date_accessed": "2024-09-19T00:00:00Z",
 "date_published": "2014-01-01T00:00:00Z",
 "refs": [
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf"
+ "https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf"
 ],
 "source": "MITRE",
 "title": "POISON IVY: Assessing Damage and Extracting Intelligence"
@@ -43586,7 +46207,7 @@
 "date_accessed": "2018-03-05T00:00:00Z",
 "date_published": "2014-08-20T00:00:00Z",
 "refs": [
- "https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/"
+ "https://www.stormshield.com/news/poweliks-command-line-confusion/"
 ],
 "source": "MITRE",
 "title": "Poweliks – Command Line Confusion"
@@ -44545,12 +47166,12 @@
 "value": "Password Protected Word Docs"
 },
 {
- "description": "Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.",
+ "description": "Haight, J. (2016, April 21). PS>Attack. Retrieved September 27, 2024.",
 "meta": {
- "date_accessed": "2016-06-01T00:00:00Z",
+ "date_accessed": "2024-09-27T00:00:00Z",
 "date_published": "2016-04-21T00:00:00Z",
 "refs": [
- "https://github.com/jaredhaight/PSAttack"
+ "https://github.com/Exploit-install/PSAttack-1"
 ],
 "source": "MITRE",
 "title": "PS>Attack"
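Review bot: The PS>Attack hunk (`@@ -44545,12 +47166,12 @@`) replaces the original author's repository `https://github.com/jaredhaight/PSAttack` with `https://github.com/Exploit-install/PSAttack-1`, a copy under an unrelated account, whereas the other dead-link repairs in this commit (Operation Blockbuster, Pass the ticket, KISA) point at `web.archive.org` snapshots of the original URL. A third-party mirror of a tool repository can be altered or removed by its owner and is not the source the citation describes, so for a reference catalogue an archive snapshot of the original is the safer replacement. If this URL is inherited verbatim from upstream MITRE data, a line in the changelog or generator noting that URL changes are taken as-is would make that provenance clear to reviewers.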
@@ -44725,21 +47346,6 @@
 "uuid": "069ef9af-3402-4b13-8c60-b397b0b0bfd7",
 "value": "PaloAlto EncodedCommand March 2017"
 },
- {
- "description": "Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.",
- "meta": {
- "date_accessed": "2019-03-04T00:00:00Z",
- "date_published": "2018-12-06T00:00:00Z",
- "refs": [
- "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
- ],
- "source": "MITRE",
- "title": "Pulling Linux Rabbit/Rabbot Malware Out of a Hat"
- },
- "related": [],
- "uuid": "e843eb47-21b0-44b9-8065-02aea0a0b05f",
- "value": "Anomali Linux Rabbit 2018"
- },
 {
 "description": "Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved December 17, 2020.",
 "meta": {
@@ -44755,6 +47361,21 @@
 "uuid": "ec413dc7-028c-4153-9e98-abe85961747f",
 "value": "anomali-linux-rabbit"
 },
+ {
+ "description": "Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.",
+ "meta": {
+ "date_accessed": "2019-03-04T00:00:00Z",
+ "date_published": "2018-12-06T00:00:00Z",
+ "refs": [
+ "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
+ ],
+ "source": "MITRE",
+ "title": "Pulling Linux Rabbit/Rabbot Malware Out of a Hat"
+ },
+ "related": [],
+ "uuid": "e843eb47-21b0-44b9-8065-02aea0a0b05f",
+ "value": "Anomali Linux Rabbit 2018"
+ },
 {
 "description": "CrowdStrike. (n.d.). Punk Spider. Retrieved February 20, 2024.",
 "meta": {
@@ -44996,6 +47617,36 @@
 "uuid": "1baeac94-9168-4813-ab72-72e609250745",
 "value": "Cyberint Qakbot May 2021"
 },
+ {
+ "description": "Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware Distribution. Retrieved June 7, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-07T00:00:00Z",
+ "date_published": "2023-03-07T00:00:00Z",
+ "refs": [
+ "https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/"
+ ],
+ "source": "MITRE",
+ "title": "Qakbot Evolves to OneNote Malware Distribution"
+ },
+ "related": [],
+ "uuid": "0ffc4317-c88a-5c9b-9c13-cb8b2a8b65e6",
+ "value": "Trellix-Qakbot"
+ },
+ {
+ "description": "Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware Distribution. Retrieved August 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-01T00:00:00Z",
+ "date_published": "2023-03-07T00:00:00Z",
+ "refs": [
+ "https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/"
+ ],
+ "source": "MITRE",
+ "title": "Qakbot Evolves to OneNote Malware Distribution"
+ },
+ "related": [],
+ "uuid": "c07a87bd-be9d-5bd9-b59a-d89f0e835886",
+ "value": "TrellixQakbot"
+ },
 {
 "description": "Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.",
 "meta": {
@@ -45086,6 +47737,21 @@
 "uuid": "58df8729-ab42-55ee-a27d-655644bdeb0d",
 "value": "qr-phish-agriculture"
 },
+ {
+ "description": "DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-26T00:00:00Z",
+ "date_published": "2022-04-25T00:00:00Z",
+ "refs": [
+ "https://thedfirreport.com/2022/04/25/quantum-ransomware/"
+ ],
+ "source": "MITRE",
+ "title": "Quantum Ransomware"
+ },
+ "related": [],
+ "uuid": "7dffba82-5b07-5d93-86dd-d97a1ea865e7",
+ "value": "DFIR_Quantum_Ransomware"
+ },
 {
 "description": "The DFIR Report. (2022, April 25). Quantum Ransomware. Retrieved June 28, 2024.",
 "meta": {
@@ -45117,6 +47783,22 @@
 "uuid": "7cce88cc-fbfb-43e1-a330-ac55bce9e394",
 "value": "TheEclecticLightCompany Quarantine and the flag"
 },
+ {
+ "description": "Esentire Threat Response Unit. (2024, July 31). Quartet of Trouble XWorm, AsyncRAT, VenomRAT, and PureLogs Stealer…. Retrieved August 6, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-06T00:00:00Z",
+ "date_published": "2024-07-31T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.esentire.com/blog/quartet-of-trouble-xworm-asyncrat-venomrat-and-purelogs-stealer-leverage-trycloudflare"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Quartet of Trouble XWorm, AsyncRAT, VenomRAT, and PureLogs Stealer…"
+ },
+ "related": [],
+ "uuid": "18185ffd-8a66-4531-86de-4ba4dd9f675b",
+ "value": "Esentire July 31 2024"
+ },
 {
 "description": "MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.",
 "meta": {
@@ -45237,6 +47919,36 @@
 "uuid": "a94268d8-6b7c-574b-a588-d8fd80c27fd3",
 "value": "Costa AvosLocker May 2022"
 },
+ {
+ "description": "S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-01T00:00:00Z",
+ "date_published": "2022-06-16T00:00:00Z",
+ "refs": [
+ "https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d"
+ ],
+ "source": "MITRE",
+ "title": "Raccoon Stealer is Back with a New Version"
+ },
+ "related": [],
+ "uuid": "b53a4c5f-ef68-50a7-ae2d-192b3ace860c",
+ "value": "S2W Racoon 2022"
+ },
+ {
+ "description": "Quentin Bourgue, Pierre le Bourhis, & Sekoia TDR. (2022, June 28). Raccoon Stealer v2 - Part 1: The return of the dead. Retrieved August 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-01T00:00:00Z",
+ "date_published": "2022-06-28T00:00:00Z",
+ "refs": [
+ "https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/"
+ ],
+ "source": "MITRE",
+ "title": "Raccoon Stealer v2 - Part 1: The return of the dead"
+ },
+ "related": [],
+ "uuid": "645bc346-747b-5b9b-984b-fa1057cf8eb1",
+ "value": "Sekoia Raccoon1 2022"
+ },
 {
 "description": "Quentin Bourgue, Pierre Le Bourhis, Threat & Detection Research Team - TDR. (2022, June 28). Raccoon Stealer v2 – Part 1: The return of the dead. Retrieved November 16, 2023.",
 "meta": {
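Review bot: The `value` `S2W Racoon 2022` misspells Raccoon, and since `value` is the identifier other clusters and users search on, the typo becomes permanent once the entry ships in a released version; the `Sekoia Raccoon1 2022` entry added in the same hunk and the title of the S2W entry itself spell it correctly. If the value is not pinned to an upstream source name, `"value": "S2W Raccoon 2022"` now is cheaper than a later rename that needs a redirect. If it is pinned, a note in the changelog that values mirror the upstream `source_name` verbatim would save reviewers from flagging it again.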
@@ -45253,6 +47965,21 @@
 "uuid": "df0c9cbd-8692-497e-9f81-cf9e44a3a5cd",
 "value": "Sekoia.io Raccoon Stealer June 28 2022"
 },
+ {
+ "description": "Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-01T00:00:00Z",
+ "date_published": "2022-06-29T00:00:00Z",
+ "refs": [
+ "https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/"
+ ],
+ "source": "MITRE",
+ "title": "Raccoon Stealer v2 - Part 2: In-depth analysis"
+ },
+ "related": [],
+ "uuid": "5d4cd7c6-62c1-5e0e-beda-a0575e7f1af5",
+ "value": "Sekoia Raccoon2 2022"
+ },
 {
 "description": "DOJ. (2018, March 23). U.S. v. Rafatnejad et al . Retrieved February 3, 2021.",
 "meta": {
@@ -45282,6 +48009,21 @@
 "uuid": "04ed6dc0-45c2-4e36-8ec7-a75f6f715f0a",
 "value": "Sophos Ragnar May 2020"
 },
+ {
+ "description": "Joe Uchill. (2021, December 3). Ragnar Locker reminds breach victims it can read the on-network incident response chat rooms. Retrieved August 30, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-30T00:00:00Z",
+ "date_published": "2021-12-03T00:00:00Z",
+ "refs": [
+ "https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms"
+ ],
+ "source": "MITRE",
+ "title": "Ragnar Locker reminds breach victims it can read the on-network incident response chat rooms"
+ },
+ "related": [],
+ "uuid": "69dca68b-f864-509a-ad1b-3c6fea0152f8",
+ "value": "SC Magazine Ragnar Locker 2021"
+ },
 {
 "description": "Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019.",
 "meta": {
@@ -45387,6 +48129,20 @@
 "uuid": "54e296c9-edcc-5af7-99be-b118da29711f",
 "value": "FBI-ransomware"
 },
+ {
+ "description": "SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-05T00:00:00Z",
+ "refs": [
+ "https://www.sentinelone.com/anthology/inc-ransom/"
+ ],
+ "source": "MITRE",
+ "title": "Ransomware?"
+ },
+ "related": [],
+ "uuid": "5f82878b-2258-5663-8694-efc3179c1849",
+ "value": "SentinelOne INC Ransomware"
+ },
 {
 "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.",
 "meta": {
@@ -45525,6 +48281,21 @@
 "uuid": "21d393ae-d135-4c5a-8c6d-1baa8c0a1e08",
 "value": "Rapid7 Blog September 12 2024"
 },
+ {
+ "description": "Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved August 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-05T00:00:00Z",
+ "date_published": "2024-01-11T00:00:00Z",
+ "refs": [
+ "https://www.invictus-ir.com/news/ransomware-in-the-cloud"
+ ],
+ "source": "MITRE",
+ "title": "Ransomware in the cloud"
+ },
+ "related": [],
+ "uuid": "2ff4aed1-88a0-5e19-8fe9-1ecf4604f245",
+ "value": "Invictus IR Cloud Ransomware 2024"
+ },
 {
 "description": "Www.invictus-ir.com. (2024, January 11). Ransomware in the cloud. Retrieved April 17, 2024.",
 "meta": {
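Review bot: The `title` of the `SentinelOne INC Ransomware` entry (first hunk, `@@ -45387,6 +48129,20 @@`) is just `Ransomware?`, while `description` carries the full citation title `What Is Inc. Ransomware?`; the title looks to have been cut at the last period by whatever splits the citation string, and `Inc.` contains one. Suggest setting `"title": "What Is Inc. Ransomware?"` and checking the generator's title extraction against other titles containing abbreviations, since the same truncation will silently recur. The missing `date_published` is consistent with the `(n.d.)` in the description and needs no change.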
@@ -45541,6 +48312,21 @@
 "uuid": "5e2a0756-d8f6-4359-9ca3-1e96fb8b5ac9",
 "value": "Www.invictus-ir.com 1 11 2024"
 },
+ {
+ "description": "Ofir Balassiano and Ofir Shaty. (2023, November 29). Ransomware in the Cloud: Breaking Down the Attack Vectors. Retrieved September 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-25T00:00:00Z",
+ "date_published": "2023-11-29T00:00:00Z",
+ "refs": [
+ "https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/"
+ ],
+ "source": "MITRE",
+ "title": "Ransomware in the Cloud: Breaking Down the Attack Vectors"
+ },
+ "related": [],
+ "uuid": "d23216df-be77-59a0-9910-ab9bf54da6d7",
+ "value": "Palo Alto Cloud Ransomware"
+ },
 {
 "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.",
 "meta": {
@@ -45682,6 +48468,37 @@
 "uuid": "6cf9c6f0-7818-45dd-9afc-f69e394c23e4",
 "value": "Trend Micro Play Spotlight July 21 2023"
 },
+ {
+ "description": "Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-24T00:00:00Z",
+ "date_published": "2023-07-21T00:00:00Z",
+ "refs": [
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play"
+ ],
+ "source": "MITRE",
+ "title": "Ransomware Spotlight: Play"
+ },
+ "related": [],
+ "uuid": "399eac4c-5638-595c-9ee6-997dcd2d47c3",
+ "value": "Trend Micro Ransomware Spotlight Play July 2023"
+ },
+ {
+ "description": "Trend Micro Research. (2023, March 15). Ransomware Spotlight: Royal. Retrieved October 11, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-11T00:00:00Z",
+ "date_published": "2023-03-15T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-royal"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Ransomware Spotlight: Royal"
+ },
+ "related": [],
+ "uuid": "0914ce86-86f2-4f17-af37-a0d4ca9ff615",
+ "value": "Trend Micro Royal Ransomware March 15 2023"
+ },
 {
 "description": "Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.",
 "meta": {
@@ -45712,6 +48529,21 @@ "uuid": "62037959-58e4-475a-bb91-ff360d20c1d7", "value": "GitHub ransomwatch" }, + { + "description": "Microsoft Security Intelligence. (2022, August 27). Ransom:Win32/PlayCrypt.PA. Retrieved September 24, 2024.", + "meta": { + "date_accessed": "2024-09-24T00:00:00Z", + "date_published": "2022-08-27T00:00:00Z", + "refs": [ + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/PlayCrypt.PA&ThreatID=2147830341" + ], + "source": "MITRE", + "title": "Ransom:Win32/PlayCrypt.PA" + }, + "related": [], + "uuid": "af4a38bc-32d5-5eab-a13a-0f3533beedb1", + "value": "Microsoft PlayCrypt August 2022" + }, { "description": "mkz. (2020). rarfile 3.1. Retrieved February 20, 2020.", "meta": { @@ -45773,6 +48605,21 @@ "uuid": "dc299f7a-403b-4a22-9386-0be3e160d185", "value": "Rasautou.exe - LOLBAS Project" }, + { + "description": "Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024.", + "meta": { + "date_accessed": "2024-05-17T00:00:00Z", + "date_published": "2022-05-05T00:00:00Z", + "refs": [ + "https://redcanary.com/blog/threat-intelligence/raspberry-robin/" + ], + "source": "MITRE", + "title": "Raspberry Robin gets the worm early" + }, + "related": [], + "uuid": "ca6aa417-3da7-5173-818c-c539983033b5", + "value": "RedCanary RaspberryRobin 2022" + }, { "description": "Lauren Podber, Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 19, 2023.", "meta": { 
@@ -45789,6 +48636,51 @@ "uuid": "fb04d89a-3f39-48be-b986-9c4eac4dd8a4", "value": "Red Canary Raspberry Robin May 2022" }, + { + "description": "Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.", + "meta": { + "date_accessed": "2024-05-17T00:00:00Z", + "date_published": "2022-12-20T00:00:00Z", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html" + ], + "source": "MITRE", + "title": "Raspberry Robin Malware Targets Telecom, Governments" + }, + "related": [], + "uuid": "b454f50a-57fe-56f2-a8c0-ae1ab65fa945", + "value": "TrendMicro RaspberryRobin 2022" + }, + { + "description": "Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024.", + "meta": { + "date_accessed": "2024-05-17T00:00:00Z", + "date_published": "2024-04-10T00:00:00Z", + "refs": [ + "https://threatresearch.ext.hp.com/raspberry-robin-now-spreading-through-windows-script-files/" + ], + "source": "MITRE", + "title": "Raspberry Robin Now Spreading Through Windows Script Files" + }, + "related": [], + "uuid": "f01c041a-f8f5-51de-ab2f-1f513bf6d38c", + "value": "HP RaspberryRobin 2024" + }, + { + "description": "Jan Vojtěšek. (2022, September 22). Raspberry Robin’s Roshtyak: A Little Lesson in Trickery. Retrieved May 17, 2024.", + "meta": { + "date_accessed": "2024-05-17T00:00:00Z", + "date_published": "2022-09-22T00:00:00Z", + "refs": [ + "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/" + ], + "source": "MITRE", + "title": "Raspberry Robin’s Roshtyak: A Little Lesson in Trickery" + }, + "related": [], + "uuid": "3ebeefee-42cd-5130-8d6b-d0520d8bb8c2", + "value": "Avast RaspberryRobin 2022" + }, { "description": "Microsoft Threat Intelligence. (2022, October 27). Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity. 
Retrieved May 19, 2023.", "meta": { @@ -45805,6 +48697,21 @@ "uuid": "8017e42a-8373-4d24-8d89-638a925b704b", "value": "Microsoft Security Raspberry Robin October 2022" }, + { + "description": "Microsoft Threat Intelligence. (2022, October 27). Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity. Retrieved May 17, 2024.", + "meta": { + "date_accessed": "2024-05-17T00:00:00Z", + "date_published": "2022-10-27T00:00:00Z", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" + ], + "source": "MITRE", + "title": "Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity" + }, + "related": [], + "uuid": "fe2dd68c-6e25-5fae-bc57-3a072ecf4f72", + "value": "Microsoft RaspberryRobin 2022" + }, { "description": "Dragos, Inc. (2018, August 2). RASPITE. Retrieved November 26, 2018.", "meta": { @@ -46032,6 +48939,21 @@ "uuid": "bd8c6a86-1a63-49cd-a97f-3d119e4223d4", "value": "Microsoft DART Case Report 001" }, + { + "description": "Scarred Monk. (2022, May 6). Real-time detection scenarios in Active Directory environments. Retrieved August 5, 2024.", + "meta": { + "date_accessed": "2024-08-05T00:00:00Z", + "date_published": "2022-05-06T00:00:00Z", + "refs": [ + "https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios" + ], + "source": "MITRE", + "title": "Real-time detection scenarios in Active Directory environments" + }, + "related": [], + "uuid": "54dd37f8-b32a-5100-9197-4802ba9201d7", + "value": "RootDSE AD Detection 2022" + }, { "description": "Siles, R. (2003, August). Real World ARP Spoofing. Retrieved October 15, 2020.", "meta": { 
@@ -46122,12 +49044,12 @@
 "value": "Free Desktop Entry Keys"
 },
 {
- "description": "Insikt Group (Recorded Future). (2017, May 17). Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3. Retrieved June 18, 2017.",
+ "description": "Insikt Group (Recorded Future). (2017, May 17). Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3. Retrieved September 16, 2024.",
 "meta": {
- "date_accessed": "2017-06-18T00:00:00Z",
+ "date_accessed": "2024-09-16T00:00:00Z",
 "date_published": "2017-05-17T00:00:00Z",
 "refs": [
- "https://www.recordedfuture.com/chinese-mss-behind-apt3/"
+ "https://www.recordedfuture.com/research/chinese-mss-behind-apt3"
 ],
 "source": "MITRE",
 "title": "Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3"
@@ -46166,6 +49088,51 @@ "uuid": "70fa26e4-109c-5a48-b9fd-ac8b9acf2cf3", "value": "Red Canary SocGholish March 2024" }, + { + "description": "Antoniuk, D. (2023, July 17). RedCurl hackers return to spy on 'major Russian bank,' Australian company. Retrieved August 9, 2024.", + "meta": { + "date_accessed": "2024-08-09T00:00:00Z", + "date_published": "2023-07-17T00:00:00Z", + "refs": [ + "https://therecord.media/redcurl-hackers-russian-bank-australian-company" + ], + "source": "MITRE", + "title": "RedCurl hackers return to spy on 'major Russian bank,' Australian company" + }, + "related": [], + "uuid": "c9561395-08eb-5e37-b9ba-154e08e2e1ab", + "value": "therecord_redcurl" + }, + { + "description": "Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.", + "meta": { + "date_accessed": "2024-08-14T00:00:00Z", + "date_published": "2021-11-01T00:00:00Z", + "refs": [ + "https://www.group-ib.com/resources/research-hub/red-curl-2/" + ], + "source": "MITRE", + "title": "RedCurl: The Awakening" + }, + "related": [], + "uuid": "1fc20d89-def2-5a1e-8e58-37383a019132", + "value": "group-ib_redcurl2" + }, + { + "description": "Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.", + "meta": { + "date_accessed": "2024-08-09T00:00:00Z", + "date_published": "2020-08-01T00:00:00Z", + "refs": [ + "https://www.group-ib.com/resources/research-hub/red-curl/" + ], + "source": "MITRE", + "title": "RedCurl: The Pentest You Didn’t Know About" + }, + "related": [], + "uuid": "e9200100-cc58-5c30-b837-e6e73bfe2cbb", + "value": "group-ib_redcurl1" + }, { "description": "Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.", "meta": { 
@@ -46498,20 +49465,6 @@ "uuid": "f58ac1e4-c470-4aac-a077-7f358e25b0fa", "value": "Microsoft Registry Auditing Aug 2016" }, - { - "description": "Microsoft. (n.d.). Registry Key Security and Access Rights. Retrieved March 16, 2017.", - "meta": { - "date_accessed": "2017-03-16T00:00:00Z", - "refs": [ - "https://msdn.microsoft.com/library/windows/desktop/ms724878.aspx" - ], - "source": "MITRE", - "title": "Registry Key Security and Access Rights" - }, - "related": [], - "uuid": "c5627d86-1b59-4c2a-aac0-88f1b4dc6974", - "value": "MSDN Registry Key Security" - }, { "description": "Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017.", "meta": { @@ -46527,6 +49480,20 @@ "uuid": "f8f12cbb-029c-48b1-87ce-624a7f98c8ab", "value": "Registry Key Security" }, + { + "description": "Microsoft. (n.d.). Registry Key Security and Access Rights. Retrieved March 16, 2017.", + "meta": { + "date_accessed": "2017-03-16T00:00:00Z", + "refs": [ + "https://msdn.microsoft.com/library/windows/desktop/ms724878.aspx" + ], + "source": "MITRE", + "title": "Registry Key Security and Access Rights" + }, + "related": [], + "uuid": "c5627d86-1b59-4c2a-aac0-88f1b4dc6974", + "value": "MSDN Registry Key Security" + }, { "description": "Microsoft. (2021, December 14). Registry Trees for Devices and Drivers. Retrieved March 28, 2023.", "meta": { 
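Review bot: The moved `MSDN Registry Key Security` entry still carries the legacy `https://msdn.microsoft.com/library/windows/desktop/ms724878.aspx` link, whereas other hunks in this patch migrate msdn.microsoft.com references to learn.microsoft.com and bump `date_accessed` at the same time (the Run/RunOnce entry, for example); if this link no longer resolves, the reorder is the natural moment to update `refs` and `date_accessed` together rather than leave a stale (n.d.) citation. The entry it is now placed after, `Registry Key Security` (uuid f8f12cbb…), has the identical title "Registry Key Security and Access Rights", so anything that resolves references by title will see two candidates; it may be worth recording in the description which one is the canonical citation or merging them. Since this hunk only changes position, the issue predates the commit and could be handled in a follow-up.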
@@ -46628,21 +49595,6 @@ "uuid": "4054604b-7c0f-5012-b40c-2b117f6b54c2", "value": "Mandiant Remediation and Hardening Strategies for Microsoft 365" }, - { - "description": "Mike Burns, Matthew McWhirt, Douglas Bienstock, Nick Bennett. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved September 25, 2021.", - "meta": { - "date_accessed": "2021-09-25T00:00:00Z", - "date_published": "2021-01-19T00:00:00Z", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html" - ], - "source": "MITRE", - "title": "Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452" - }, - "related": [], - "uuid": "7aa5c294-df8e-4994-9b9e-69444d75ef37", - "value": "Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452" - }, { "description": "Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021.", "meta": { 
@@ -46658,6 +49610,21 @@ "uuid": "ed031297-d0f5-44a7-9723-ba692e923a6e", "value": "Mandiant Defend UNC2452 White Paper" }, + { + "description": "Mike Burns, Matthew McWhirt, Douglas Bienstock, Nick Bennett. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved September 25, 2021.", + "meta": { + "date_accessed": "2021-09-25T00:00:00Z", + "date_published": "2021-01-19T00:00:00Z", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html" + ], + "source": "MITRE", + "title": "Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452" + }, + "related": [], + "uuid": "7aa5c294-df8e-4994-9b9e-69444d75ef37", + "value": "Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452" + }, { "description": "Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016.", "meta": { @@ -47269,6 +50236,22 @@ "uuid": "e03e9d19-18bb-4d28-8c96-8c1cef89a20b", "value": "FireEye Revoke-Obfuscation July 2017" }, + { + "description": "Insikt Group. (2024, September 26). Rhadamanthys Stealer Adds Innovative AI Feature in Version 0.7.0. Retrieved October 14, 2024.", + "meta": { + "date_accessed": "2024-10-14T00:00:00Z", + "date_published": "2024-09-26T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://go.recordedfuture.com/hubfs/reports/mtp-2024-0926.pdf" + ], + "source": "Tidal Cyber", + "title": "Rhadamanthys Stealer Adds Innovative AI Feature in Version 0.7.0" + }, + "related": [], + "uuid": "5e668cd3-5a5d-4b40-9d4b-6108489a9a91", + "value": "Recorded Future Rhadamanthys September 26 2024" + }, { "description": "Health Sector Cybersecurity Coordination Center (HC3). (2023, August 4). Rhysida Ransomware. Retrieved August 11, 2023.", "meta": { 
@@ -47361,6 +50344,21 @@ "uuid": "0c365c3f-3aa7-4c63-b96e-7716b95db049", "value": "US-CERT Alert TA13-175A Risks of Default Passwords on the Internet" }, + { + "description": "Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.", + "meta": { + "date_accessed": "2024-08-06T00:00:00Z", + "date_published": "2022-08-04T00:00:00Z", + "refs": [ + "https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/" + ], + "source": "MITRE", + "title": "ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations" + }, + "related": [], + "uuid": "0d81ec58-2e12-5824-aa53-feb0d2260f30", + "value": "Mandiant ROADSWEEP August 2022" + }, { "description": "Dirk-jan Mollema. (2022, January 31). ROADtools. Retrieved January 31, 2022.", "meta": { @@ -47377,12 +50375,12 @@ "value": "ROADtools Github" }, { - "description": "HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August 24, 2020.", + "description": "HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved September 23, 2024.", "meta": { - "date_accessed": "2020-08-24T00:00:00Z", + "date_accessed": "2024-09-23T00:00:00Z", "date_published": "2017-01-17T00:00:00Z", "refs": [ - "http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/" + "https://blog.harmj0y.net/activedirectory/roasting-as-reps/" ], "source": "MITRE", "title": "Roasting AS-REPs" 
@@ -47391,6 +50389,21 @@ "uuid": "bfb01fbf-4dc0-4943-8a21-457f28f4b01f", "value": "Harmj0y Roasting AS-REPs Jan 2017" }, + { + "description": "Darren Pauli. (2015, May 19). Robots.txt tells hackers the places you don't want them to look. Retrieved July 18, 2024.", + "meta": { + "date_accessed": "2024-07-18T00:00:00Z", + "date_published": "2015-05-19T00:00:00Z", + "refs": [ + "https://www.theregister.com/2015/05/19/robotstxt/" + ], + "source": "MITRE", + "title": "Robots.txt tells hackers the places you don't want them to look" + }, + "related": [], + "uuid": "0027a941-bc2d-54e3-9adf-85333d68b244", + "value": "Register Robots TXT 2015" + }, { "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.", "meta": { @@ -47598,6 +50611,21 @@ "uuid": "0e483ec8-af40-4139-9711-53b999e069ee", "value": "TechNet Route" }, + { + "description": "Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.", + "meta": { + "date_accessed": "2024-06-10T00:00:00Z", + "date_published": "2023-12-13T00:00:00Z", + "refs": [ + "https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/" + ], + "source": "MITRE", + "title": "Routers Roasting On An Open Firewall: The KV-Botnet Investigation" + }, + "related": [], + "uuid": "81bbc4e1-e1e6-5c93-bf65-ffdc9c7ff71d", + "value": "Lumen KVBotnet 2023" + }, { "description": "Health Sector Cybersecurity Coordination Center (HC3). (2023, January 12). Royal & BlackCat Ransomware: The Threat to the Health Sector. Retrieved March 7, 2024.", "meta": { 
@@ -47614,6 +50642,21 @@ "uuid": "d1d6b6fe-ef93-4417-844b-7cd8dc76934b", "value": "U.S. HHS Royal & BlackCat Alert" }, + { + "description": "Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023.", + "meta": { + "date_accessed": "2023-03-30T00:00:00Z", + "date_published": "2023-02-13T00:00:00Z", + "refs": [ + "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive" + ], + "source": "MITRE", + "title": "Royal Ransomware Deep Dive" + }, + "related": [], + "uuid": "dcdcc965-56d0-58e6-996b-d8bd40916745", + "value": "Kroll Royal Deep Dive February 2023" + }, { "description": "Laurie Iacono, Keith Wojcieszek, George Glass. (2023, February 13). Royal Ransomware Deep Dive. Retrieved June 17, 2024.", "meta": { @@ -47630,21 +50673,6 @@ "uuid": "de385ede-f928-4a1e-934c-8ce7a6e7f33b", "value": "Kroll Royal Ransomware February 13 2023" }, - { - "description": "Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023.", - "meta": { - "date_accessed": "2023-03-30T00:00:00Z", - "date_published": "2023-02-13T00:00:00Z", - "refs": [ - "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive" - ], - "source": "MITRE", - "title": "Royal Ransomware Deep Dive" - }, - "related": [], - "uuid": "dcdcc965-56d0-58e6-996b-d8bd40916745", - "value": "Kroll Royal Deep Dive February 2023" - }, { "description": "Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023.", "meta": { 
@@ -47811,11 +50839,11 @@ "value": "Microsoft Cloud App Security" }, { - "description": "Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.", + "description": "Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September 12, 2024.", "meta": { - "date_accessed": "2014-11-12T00:00:00Z", + "date_accessed": "2024-09-12T00:00:00Z", "refs": [ - "http://msdn.microsoft.com/en-us/library/aa376977" + "https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys" ], "source": "MITRE", "title": "Run and RunOnce Registry Keys" @@ -47869,12 +50897,12 @@ "value": "Wikipedia Run Command" }, { - "description": "Prakash, T. (2017, June 21). Run commands on Windows system remotely using Winexe. Retrieved January 22, 2018.", + "description": "Prakash, T. (2017, June 21). Run commands on Windows system remotely using Winexe. Retrieved September 12, 2024.", "meta": { - "date_accessed": "2018-01-22T00:00:00Z", + "date_accessed": "2024-09-12T00:00:00Z", "date_published": "2017-06-21T00:00:00Z", "refs": [ - "http://www.secpod.com/blog/winexe/" + "https://web.archive.org/web/20211019012628/https://www.secpod.com/blog/winexe/" ], "source": "MITRE", "title": "Run commands on Windows system remotely using Winexe" 
@@ -48128,6 +51156,21 @@ "uuid": "3d53c154-8ced-4dbe-ab4e-db3bc15bfe4b", "value": "U.S. CISA Star Blizzard December 2023" }, + { + "description": "CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024.", + "meta": { + "date_accessed": "2024-06-13T00:00:00Z", + "date_published": "2023-12-07T00:00:00Z", + "refs": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a" + ], + "source": "MITRE", + "title": "Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns" + }, + "related": [], + "uuid": "96b26cfc-b31d-5226-879f-4888801ec268", + "value": "CISA Star Blizzard Advisory December 2023" + }, { "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.", "meta": { @@ -48188,6 +51231,22 @@ "uuid": "ad2b0648-b657-4daa-9510-82375a252fc4", "value": "Russian 2FA Push Annoyance - Cimpanu" }, + { + "description": "James Pearson, Christopher Bing. (2023, January 6). Russian hackers targeted U.S. nuclear scientists. Retrieved October 1, 2024.", + "meta": { + "date_accessed": "2024-10-01T00:00:00Z", + "date_published": "2023-01-06T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.reuters.com/world/europe/russian-hackers-targeted-us-nuclear-scientists-2023-01-06/" + ], + "source": "Tidal Cyber", + "title": "Russian hackers targeted U.S. nuclear scientists" + }, + "related": [], + "uuid": "15bac539-2561-4f97-a9fb-4e081417215f", + "value": "Reuters Cold River January 6 2023" + }, { "description": "Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.", "meta": { 
@@ -48219,6 +51278,21 @@ "uuid": "9631a46d-3e0a-4f25-962b-0b2501c47926", "value": "U.S. CISA Unit 29155 September 5 2024" }, + { + "description": "Cyber Security Infrastructure Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved May 31, 2022.", + "meta": { + "date_accessed": "2022-05-31T00:00:00Z", + "date_published": "2022-03-15T00:00:00Z", + "refs": [ + "https://www.cisa.gov/uscert/ncas/alerts/aa22-074a" + ], + "source": "MITRE", + "title": "Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability" + }, + "related": [], + "uuid": "00c6ff88-6eeb-486d-ae69-dffd5aebafe6", + "value": "Russians Exploit Default MFA Protocol - CISA March 2022" + }, { "description": "Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved March 16, 2022.", "meta": { 
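Review bot: The relocated entry names its author "Cyber Security Infrastructure Agency", which is not the agency's name, while the sibling entry immediately below cites the same aa22-074a advisory as "Cybersecurity and Infrastructure Security Agency"; since both point at the same `https://www.cisa.gov/uscert/ncas/alerts/aa22-074a` URL, the two should at least agree on the author string. Proposed: `"description": "Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved May 31, 2022.",`. The `/uscert/ncas/alerts/` path is the pre-2023 CISA URL scheme, so the link is presumably a redirect now; if the generator re-resolves URLs, this entry is a candidate. If these descriptions are copied verbatim from the MITRE ATT&CK external_references, the fix probably belongs upstream and this note can be closed as won't-fix here.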
@@ -48235,19 +51309,19 @@
 "value": "CISA MFA PrintNightmare"
 },
 {
- "description": "Cyber Security Infrastructure Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved May 31, 2022.",
+ "description": "CISA. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved February 14, 2022.",
 "meta": {
- "date_accessed": "2022-05-31T00:00:00Z",
- "date_published": "2022-03-15T00:00:00Z",
+ "date_accessed": "2022-02-14T00:00:00Z",
+ "date_published": "2018-04-20T00:00:00Z",
 "refs": [
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-074a"
+ "https://www.cisa.gov/uscert/ncas/alerts/TA18-106A"
 ],
 "source": "MITRE",
- "title": "Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability"
+ "title": "Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices"
 },
 "related": [],
- "uuid": "00c6ff88-6eeb-486d-ae69-dffd5aebafe6",
- "value": "Russians Exploit Default MFA Protocol - CISA March 2022"
+ "uuid": "26b520dc-5c68-40f4-82fb-366d27fc0c2f",
+ "value": "alert_TA18_106A"
 },
 {
 "description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
@@ -48265,19 +51339,35 @@ "value": "US-CERT TA18-106A Network Infrastructure Devices 2018" }, { - "description": "CISA. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved February 14, 2022.", + "description": "Wesley Shields. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved October 1, 2024.", "meta": { - "date_accessed": "2022-02-14T00:00:00Z", - "date_published": "2018-04-20T00:00:00Z", + "date_accessed": "2024-10-01T00:00:00Z", + "date_published": "2024-01-18T00:00:00Z", + "owner": "TidalCyberIan", "refs": [ - "https://www.cisa.gov/uscert/ncas/alerts/TA18-106A" + "https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/" ], - "source": "MITRE", - "title": "Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices" + "source": "Tidal Cyber", + "title": "Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware" }, "related": [], - "uuid": "26b520dc-5c68-40f4-82fb-366d27fc0c2f", - "value": "alert_TA18_106A" + "uuid": "0b26c6f8-51ee-4419-9842-245c0e5e6f58", + "value": "Google TAG COLDRIVER January 18 2024" + }, + { + "description": "Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.", + "meta": { + "date_accessed": "2024-06-13T00:00:00Z", + "date_published": "2024-01-18T00:00:00Z", + "refs": [ + "https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/" + ], + "source": "MITRE", + "title": "Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware" + }, + "related": [], + "uuid": "cff26ad8-b8dc-557d-9751-530f7ebfaa02", + "value": "Google TAG COLDRIVER January 2024" }, { "description": "UK Gov. (2022, April 5). 
Russia's FSB malign activity: factsheet. Retrieved April 5, 2022.", @@ -48324,6 +51414,21 @@ "uuid": "28c53a97-5500-5bfb-8aac-3c0bf94c2dfe", "value": "Wired Russia Cyberwar" }, + { + "description": "Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.", + "meta": { + "date_accessed": "2024-09-12T00:00:00Z", + "date_published": "2022-12-20T00:00:00Z", + "refs": [ + "https://unit42.paloaltonetworks.com/trident-ursa/" + ], + "source": "MITRE", + "title": "Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine" + }, + "related": [], + "uuid": "a8a32597-2b52-5f99-850d-f38d3f891713", + "value": "unit42_gamaredon_dec2022" + }, { "description": "RyanW3stman. (2023, October 10). RyanW3stman Tweet October 10 2023. Retrieved October 10, 2023.", "meta": { 
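Review bot: The two added COLDRIVER entries, `Google TAG COLDRIVER January 18 2024` (source "Tidal Cyber") and `Google TAG COLDRIVER January 2024` (source "MITRE"), cite the identical URL `https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/` with the same publication date but distinct uuids, so a consumer keying on the reference ends up with two nodes for one document. If keeping one node per upstream source is the intended model for this cluster it should be stated in the cluster description, otherwise the Tidal-owned copy could be dropped or cross-linked through `related` instead of both carrying `"related": []`. The same pattern appears elsewhere in this patch (for example the Raspberry Robin and Star Blizzard advisory entries), so whichever policy is chosen should be applied by the generator rather than by hand.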
@@ -48561,6 +51666,21 @@ "uuid": "5135c600-b2a6-59e7-9023-8e293736f8de", "value": "NSA Sandworm 2020" }, + { + "description": "Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.", + "meta": { + "date_accessed": "2024-03-28T00:00:00Z", + "date_published": "2023-11-09T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" + ], + "source": "MITRE", + "title": "Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology" + }, + "related": [], + "uuid": "7ad64744-2790-54e4-97cd-e412423f6ada", + "value": "Mandiant-Sandworm-Ukraine-2022" + }, { "description": "Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler McLellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved April 17, 2024.", "meta": { 
@@ -48577,21 +51697,6 @@ "uuid": "e35f005d-a3cd-4733-88ac-92bbf46e2c8a", "value": "Mandiant Sandworm November 9 2023" }, - { - "description": "Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.", - "meta": { - "date_accessed": "2024-03-28T00:00:00Z", - "date_published": "2023-11-09T00:00:00Z", - "refs": [ - "https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" - ], - "source": "MITRE", - "title": "Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology" - }, - "related": [], - "uuid": "7ad64744-2790-54e4-97cd-e412423f6ada", - "value": "Mandiant-Sandworm-Ukraine-2022" - }, { "description": "ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.", "meta": { @@ -48803,6 +51908,20 @@ "uuid": "f84a5b6d-3af1-45b1-ac55-69ceced8735f", "value": "Scarlet Mimic Jan 2016" }, + { + "description": "CrowdStrike. (n.d.). Scattered Spider. Retrieved July 5, 2023.", + "meta": { + "date_accessed": "2023-07-05T00:00:00Z", + "refs": [ + "https://www.crowdstrike.com/adversaries/scattered-spider/" + ], + "source": "MITRE", + "title": "Scattered Spider" + }, + "related": [], + "uuid": "a865a984-7f7b-5f82-ac4a-6fac79a2a753", + "value": "CrowdStrike Scattered Spider Profile" + }, { "description": "Cybersecurity and Infrastructure Security Agency. (2023, November 16). Scattered Spider. Retrieved November 16, 2023.", "meta": { 
@@ -48819,20 +51938,6 @@ "uuid": "9c242265-c28c-4580-8e6a-478d8700b092", "value": "U.S. CISA Scattered Spider November 16 2023" }, - { - "description": "CrowdStrike. (n.d.). Scattered Spider. Retrieved July 5, 2023.", - "meta": { - "date_accessed": "2023-07-05T00:00:00Z", - "refs": [ - "https://www.crowdstrike.com/adversaries/scattered-spider/" - ], - "source": "MITRE", - "title": "Scattered Spider" - }, - "related": [], - "uuid": "a865a984-7f7b-5f82-ac4a-6fac79a2a753", - "value": "CrowdStrike Scattered Spider Profile" - }, { "description": "CrowdStrike. (2023, January 10). SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security. Retrieved July 5, 2023.", "meta": { @@ -49015,6 +52120,20 @@ "uuid": "805d16cc-8bd0-4f80-b0ac-c5b5df51427c", "value": "Scriptrunner.exe - LOLBAS Project" }, + { + "description": "SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.", + "meta": { + "date_accessed": "2024-07-08T00:00:00Z", + "refs": [ + "https://ss64.com/nt/scriptrunner.html" + ], + "source": "MITRE", + "title": "ScriptRunner.exe" + }, + "related": [], + "uuid": "e96e1486-ae8a-5fb3-bb8b-a9f0bf22b488", + "value": "SS64" + }, { "description": "LOLBAS. (2021, January 7). Scrobj.dll. Retrieved December 4, 2023.", "meta": { @@ -49047,12 +52166,12 @@ "value": "Microsoft SDelete July 2016" }, { - "description": "Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved May 27, 2022.", + "description": "Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. September 12, 2024.", "meta": { "date_accessed": "2022-05-27T00:00:00Z", "date_published": "2019-05-09T00:00:00Z", "refs": [ - "https://twitter.com/PyroTek3/status/1126487227712921600/photo/1" + "https://x.com/PyroTek3/status/1126487227712921600" ], "source": "MITRE", "title": "Sean Metcalf Twitter" 
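Review bot: The new ScriptRunner.exe entry uses `"value": "SS64"`, which names the site rather than the page and is far less specific than the neighbouring `Scriptrunner.exe - LOLBAS Project`; because `value` is the display key of the cluster node, a bare vendor name is likely to collide with any future SS64 citation. If the value is taken verbatim from the upstream source_name and cannot be changed, consider at least keeping the page title in `title` (already correct) and noting the collision risk; otherwise something like `"value": "SS64 ScriptRunner.exe"` reads better. This is a naming point only; the other fields of the entry are consistent with the rest of the file.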
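Review bot: The updated Sean Metcalf description drops the word "Retrieved" — it now reads `Sean Metcalf Twitter. September 12, 2024.` — and `date_accessed` is left at `2022-05-27T00:00:00Z` even though the URL was re-resolved to x.com, whereas the other URL-migration hunks in this patch (r0wdy_, Run/RunOnce, Winexe) bump `date_accessed` to the new retrieval date. The two fields should agree: `"description": "Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved September 12, 2024.",` and `"date_accessed": "2024-09-12T00:00:00Z",`. If the change was made through the generator, the template that rewrote this description appears to have lost the "Retrieved" token and is worth checking for other entries.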
@@ -49134,6 +52253,35 @@ "uuid": "3f0ff65d-56a0-4c29-b561-e6342b0b6b65", "value": "TechNet Secure Boot Process" }, + { + "description": "SecureWorks. (2019, August 27) LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019", + "meta": { + "date_accessed": "2019-11-19T00:00:00Z", + "date_published": "2019-08-27T00:00:00Z", + "refs": [ + "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" + ], + "source": "MITRE", + "title": "SecureWorks August 2019" + }, + "related": [], + "uuid": "573edbb6-687b-4bc2-bc4a-764a548633b5", + "value": "SecureWorks August 2019" + }, + { + "description": "SecureWorks. (2019, September 24) REvil/Sodinokibi Ransomware. Retrieved April 12, 2021", + "meta": { + "date_accessed": "2021-04-12T00:00:00Z", + "refs": [ + "https://www.secureworks.com/research/revil-sodinokibi-ransomware" + ], + "source": "MITRE", + "title": "SecureWorks September 2019" + }, + "related": [], + "uuid": "dc3387b0-c845-5b5a-afef-bc518ecbfb1f", + "value": "SecureWorks September 2019" + }, { "description": "Mathew Branwell. (2012, March 21). Securing .bash_history file. Retrieved July 8, 2017.", "meta": { @@ -49150,10 +52298,10 @@ "value": "Securing bash history" }, { - "description": "Plett, C., Poggemeyer, L. (12, October 26). Securing Privileged Access Reference Material. Retrieved April 25, 2017.", + "description": "Plett, C., Poggemeyer, L. (2012, October 26). Securing Privileged Access Reference Material. Retrieved April 25, 2017.", "meta": { "date_accessed": "2017-04-25T00:00:00Z", - "date_published": "2026-10-12T00:00:00Z", + "date_published": "2012-10-26T00:00:00Z", "refs": [ "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach" ], 
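Review bot: In both new SecureWorks entries the `title` field holds the short citation key ("SecureWorks August 2019", "SecureWorks September 2019") instead of the publication title that the description gives, so `title` merely duplicates `value` and the real titles are only recoverable by parsing the description; the second entry also omits `date_published` although its description states "(2019, September 24)". Suggested fields: `"title": "LYCEUM Takes Center Stage in Middle East Campaign"`, `"title": "REvil/Sodinokibi Ransomware"`, and `"date_published": "2019-09-24T00:00:00Z"` on the REvil entry. Both descriptions also deviate from the file's citation format by omitting the period after the date parenthesis and the trailing period after the retrieval date.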
@@ -49239,12 +52387,27 @@
 "value": "Carbon Black Obfuscation Sept 2016"
 },
 {
- "description": "Jay Pipes. (2013, December 23). Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021.",
+ "description": "National Institute of Standards and Technology. (2020, September). Security and Privacy Controlsfor Information Systems and Organizations. Retrieved August 30, 2024.",
 "meta": {
- "date_accessed": "2021-10-06T00:00:00Z",
+ "date_accessed": "2024-08-30T00:00:00Z",
+ "date_published": "2020-09-01T00:00:00Z",
+ "refs": [
+ "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf"
+ ],
+ "source": "MITRE",
+ "title": "Security and Privacy Controlsfor Information Systems and Organizations"
+ },
+ "related": [],
+ "uuid": "c07bed36-e1a4-598c-9361-6fb5402947ff",
+ "value": "NIST Special Publication 800-53 Revision 5"
+ },
+ {
+ "description": "Jay Pipes. (2013, December 23). Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!. Retrieved September 12, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2013-12-23T00:00:00Z",
 "refs": [
- "http://lists.openstack.org/pipermail/openstack/2013-December/004138.html"
+ "https://lists.openstack.org/pipermail/openstack/2013-December/004138.html"
 ],
 "source": "MITRE",
 "title": "Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!"
@@ -49317,7 +52480,7 @@
 "date_accessed": "2019-05-28T00:00:00Z",
 "date_published": "2018-08-24T00:00:00Z",
 "refs": [
- "https://www.se.com/ww/en/download/document/SESN-2018-236-01/"
+ "https://www.se.com/us/en/download/document/SESN-2018-236-01/"
 ],
 "source": "MITRE",
 "title": "Security Notification – USB Removable Media Provided With Conext Combox and Conext Battery Monitor"
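Review bot: The new NIST entry in the first hunk carries the typo `Controlsfor` in both `description` and `title` (`Security and Privacy Controlsfor Information Systems and Organizations`). If this deliberately mirrors the upstream MITRE citation string it may be intended, but it will not match a text search for the SP 800-53 Rev. 5 title, so `Controls for` is preferable in at least the `title` field. The `date_published` of `2020-09-01T00:00:00Z` is a day-of-month invented for a month-only date `(2020, September)`; that convention is already used elsewhere in the file (`2021-07-01` for `(2021, July)`), so it is consistent, just worth knowing.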
@@ -49589,21 +52752,6 @@
 "uuid": "c2f7958b-f521-4133-9aeb-c5c8fae23e78",
 "value": "ProofPoint Serpent"
 },
- {
- "description": "Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017.",
- "meta": {
- "date_accessed": "2017-12-21T00:00:00Z",
- "date_published": "2017-12-16T00:00:00Z",
- "refs": [
- "https://en.wikipedia.org/wiki/Server_Message_Block"
- ],
- "source": "MITRE",
- "title": "Server Message Block"
- },
- "related": [],
- "uuid": "3ea03c65-12e0-4e28-bbdc-17bb8c1e1831",
- "value": "Wikipedia Server Message Block"
- },
 {
 "description": "Wikipedia. (2016, June 12). Server Message Block. Retrieved June 12, 2016.",
 "meta": {
@@ -49619,6 +52767,21 @@
 "uuid": "087b4779-22d5-4872-adb7-583904a92285",
 "value": "Wikipedia SMB"
 },
+ {
+ "description": "Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017.",
+ "meta": {
+ "date_accessed": "2017-12-21T00:00:00Z",
+ "date_published": "2017-12-16T00:00:00Z",
+ "refs": [
+ "https://en.wikipedia.org/wiki/Server_Message_Block"
+ ],
+ "source": "MITRE",
+ "title": "Server Message Block"
+ },
+ "related": [],
+ "uuid": "3ea03c65-12e0-4e28-bbdc-17bb8c1e1831",
+ "value": "Wikipedia Server Message Block"
+ },
 {
 "description": "Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.",
 "meta": {
@@ -49737,12 +52900,12 @@
 "value": "Twitter Service Recovery Nov 2017"
 },
 {
- "description": "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018.",
+ "description": "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2018-04-09T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2017-11-30T00:00:00Z",
 "refs": [
- "https://twitter.com/r0wdy_/status/936365549553991680"
+ "https://x.com/r0wdy_/status/936365549553991680"
 ],
 "source": "MITRE",
 "title": "Service Recovery Parameters"
@@ -49780,6 +52943,21 @@
 "uuid": "37d237ae-f0a8-5b30-8f97-d751c1560391",
 "value": "Krebs Access Brokers Fortune 500"
 },
+ {
+ "description": "Nathan Eades. (2023, January 12). SES-pionage. Retrieved September 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-25T00:00:00Z",
+ "date_published": "2023-01-12T00:00:00Z",
+ "refs": [
+ "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"
+ ],
+ "source": "MITRE",
+ "title": "SES-pionage"
+ },
+ "related": [],
+ "uuid": "04541283-247a-5a8c-8017-4d74967e194c",
+ "value": "Permiso SES Abuse 2023"
+ },
 {
 "description": "OWASP CheatSheets Series Team. (n.d.). Session Management Cheat Sheet. Retrieved December 26, 2023.",
 "meta": {
@@ -50286,6 +53464,21 @@
 "uuid": "aba1cc57-ac30-400f-8b02-db7bf279dfb6",
 "value": "Shimgvw.dll - LOLBAS Project"
 },
+ {
+ "description": "ARC Labs, Dwyer, John. Gonzalez, Eric. Hudak, Tyler. (2024, October 1). Shining a Light in the Dark – How Binary Defense Uncovered an APT Lurking in Shadows of IT. Retrieved October 7, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-07T00:00:00Z",
+ "date_published": "2024-10-01T00:00:00Z",
+ "refs": [
+ "https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/"
+ ],
+ "source": "MITRE",
+ "title": "Shining a Light in the Dark – How Binary Defense Uncovered an APT Lurking in Shadows of IT"
+ },
+ "related": [],
+ "uuid": "588d7272-a3c4-561e-883e-49e8effa4e78",
+ "value": "Binary Defense Kerberos Linux"
+ },
 {
 "description": "FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021.",
 "meta": {
@@ -50704,6 +53897,36 @@
 "uuid": "d79d0510-4d49-464d-8074-daedd186f1c1",
 "value": "Phish Labs Silent Librarian"
 },
+ {
+ "description": "Jacob Santos; Cj Arsley Mateo; Sarah Pearl Camiling Read time. (2024, October 15). Silent Threat Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions. Retrieved October 17, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-17T00:00:00Z",
+ "date_published": "2024-10-15T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.trendmicro.com/fr_fr/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Silent Threat Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions"
+ },
+ "related": [],
+ "uuid": "7c49c1fd-0a02-457d-97d2-13e72f489f1f",
+ "value": "Trend Micro October 15 2024"
+ },
+ {
+ "description": "byt3bl33d3r. (n.d.). SILENTTRINITY. Retrieved September 12, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-12T00:00:00Z",
+ "refs": [
+ "https://github.com/byt3bl33d3r/SILENTTRINITY"
+ ],
+ "source": "MITRE",
+ "title": "SILENTTRINITY"
+ },
+ "related": [],
+ "uuid": "b71c198b-0570-500c-b0dc-05e76dd383bb",
+ "value": "Github_SILENTTRINITY"
+ },
 {
 "description": "Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.",
 "meta": {
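Review bot: The author list of the new Trend Micro EDRSilencer entry ends in `Sarah Pearl Camiling Read time.` — `Read time` looks like a page-widget label scraped along with the byline rather than an author, and should be removed from `description`. The `refs` URL points at the `fr_fr` locale of the post while the recorded title is English; the English-locale URL of the same article, if available, would be the more stable reference. Separately, the `value` `Github_SILENTTRINITY` introduces lowercase/underscore naming that the surrounding `Publisher Topic Year` style avoids; the same applies to `group-ib_muddywater_infra`, `DFIR_Sodinokibi_Ransomware`, `wailing crab sub/pub` and `polymorphic-linkedin` added in later hunks of this patch.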
@@ -50779,6 +54002,21 @@
 "uuid": "54fcbc49-f4e3-48a4-9d67-52ca08b322b2",
 "value": "Timac DYLD_INSERT_LIBRARIES"
 },
+ {
+ "description": "Rostovcev, N. (2023, April 18). SimpleHarm: Tracking MuddyWater’s infrastructure. Retrieved July 11, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-11T00:00:00Z",
+ "date_published": "2023-04-18T00:00:00Z",
+ "refs": [
+ "https://www.group-ib.com/blog/muddywater-infrastructure/"
+ ],
+ "source": "MITRE",
+ "title": "SimpleHarm: Tracking MuddyWater’s infrastructure"
+ },
+ "related": [],
+ "uuid": "793d05a5-5b32-5bf7-9ffc-6ffa13b4c7a4",
+ "value": "group-ib_muddywater_infra"
+ },
 {
 "description": "Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack. Retrieved June 2, 2023.",
 "meta": {
@@ -51190,12 +54428,12 @@
 "value": "Environmental Keyed HTA"
 },
 {
- "description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved May 20, 2021.",
+ "description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2021-05-20T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2017-08-08T00:00:00Z",
 "refs": [
- "https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/"
+ "https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/"
 ],
 "source": "MITRE",
 "title": "Smuggling HTA files in Internet Explorer/Edge"
@@ -51279,6 +54517,21 @@
 "uuid": "f026dd44-1491-505b-8a8a-e4f28c6cd6a7",
 "value": "Telefonica Snip3 December 2021"
 },
+ {
+ "description": "Alex Delamotte. (2024, February 15). SNS Sender | Active Campaigns Unleash Messaging Spam Through the Cloud. Retrieved September 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-25T00:00:00Z",
+ "date_published": "2024-02-15T00:00:00Z",
+ "refs": [
+ "https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/"
+ ],
+ "source": "MITRE",
+ "title": "SNS Sender | Active Campaigns Unleash Messaging Spam Through the Cloud"
+ },
+ "related": [],
+ "uuid": "73102615-cf40-5606-a203-6c7f061c14ec",
+ "value": "SentinelLabs SNS Sender 2024"
+ },
 {
 "description": "Cybereason Global SOC Team. (2022, April 25). SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems. Retrieved May 7, 2023.",
 "meta": {
@@ -51421,6 +54674,21 @@
 "uuid": "bca2b5c2-bc3b-4504-806e-5c5b6fee96e6",
 "value": "Security Joes Sockbot March 09 2022"
 },
+ {
+ "description": "DFIR. (2021, March 29). Sodinokibi (aka REvil) Ransomware. Retrieved July 22, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-22T00:00:00Z",
+ "date_published": "2021-03-29T00:00:00Z",
+ "refs": [
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/"
+ ],
+ "source": "MITRE",
+ "title": "Sodinokibi (aka REvil) Ransomware"
+ },
+ "related": [],
+ "uuid": "bb685e6c-e42c-57e5-9fc4-6966bde38f71",
+ "value": "DFIR_Sodinokibi_Ransomware"
+ },
 {
 "description": "Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.",
 "meta": {
@@ -51466,21 +54734,6 @@
 "uuid": "0bcc2d76-987c-4a9b-9e00-1400eec4e606",
 "value": "Unit 42 Sofacy Feb 2018"
 },
- {
- "description": "Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.",
- "meta": {
- "date_accessed": "2019-04-23T00:00:00Z",
- "date_published": "2018-11-20T00:00:00Z",
- "refs": [
- "https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/"
- ],
- "source": "MITRE",
- "title": "Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan"
- },
- "related": [],
- "uuid": "1523c6de-8879-4652-ac51-1a5085324370",
- "value": "Unit 42 Sofacy Nov 2018"
- },
 {
 "description": "Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.",
 "meta": {
@@ -51496,6 +54749,21 @@
 "uuid": "8c634bbc-4878-4b27-aa18-5996ec968809",
 "value": "Unit42 Cannon Nov 2018"
 },
+ {
+ "description": "Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.",
+ "meta": {
+ "date_accessed": "2019-04-23T00:00:00Z",
+ "date_published": "2018-11-20T00:00:00Z",
+ "refs": [
+ "https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/"
+ ],
+ "source": "MITRE",
+ "title": "Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan"
+ },
+ "related": [],
+ "uuid": "1523c6de-8879-4652-ac51-1a5085324370",
+ "value": "Unit 42 Sofacy Nov 2018"
+ },
 {
 "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.",
 "meta": {
@@ -51556,6 +54824,22 @@
 "uuid": "ec157d0c-4091-43f5-85f1-a271c4aac1fc",
 "value": "Sofacy DealersChoice"
 },
+ {
+ "description": "SoftPerfect. (2024, July 4). SoftPerfect Network Scanner Product Page. Retrieved October 6, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-06T00:00:00Z",
+ "date_published": "2024-07-04T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.softperfect.com/products/networkscanner/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "SoftPerfect Network Scanner Product Page"
+ },
+ "related": [],
+ "uuid": "c9c3251d-1852-4b33-80f9-6e321a05cc30",
+ "value": "SoftPerfect Network Scanner Product Page"
+ },
 {
 "description": "Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023.",
 "meta": {
@@ -51617,12 +54901,12 @@
 "value": "SolarWinds Advisory Dec 2020"
 },
 {
- "description": "Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved March 7, 2022.",
+ "description": "Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2022-03-07T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2015-12-31T00:00:00Z",
 "refs": [
- "https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/"
+ "https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/"
 ],
 "source": "MITRE",
 "title": "Solution: Monitor DHCP Scopes and Detect Man-in-the-Middle Attacks with PRTG and PowerShell"
@@ -51946,6 +55230,21 @@
 "uuid": "c1fa6c1d-f11a-47d4-88fc-ec0a3dc44279",
 "value": "NSA Spotting"
 },
+ {
+ "description": "Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-13T00:00:00Z",
+ "date_published": "2024-05-15T00:00:00Z",
+ "refs": [
+ "https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus"
+ ],
+ "source": "MITRE",
+ "title": "Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID"
+ },
+ "related": [],
+ "uuid": "98e3c7a6-d088-56e5-ae43-96c284cc6f94",
+ "value": "Elastic Latrodectus May 2024"
+ },
 {
 "description": "Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015.",
 "meta": {
@@ -52273,12 +55572,26 @@
 "value": "Mandiant APT41"
 },
 {
- "description": "Desimone, J. (2018, April 18). Status Update. Retrieved July 3, 2018.",
+ "description": "Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman & John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved September 16, 2024.",
 "meta": {
- "date_accessed": "2018-07-03T00:00:00Z",
+ "date_accessed": "2024-09-16T00:00:00Z",
+ "refs": [
+ "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments"
+ ],
+ "source": "MITRE",
+ "title": "State Governments"
+ },
+ "related": [],
+ "uuid": "c65cfdde-bc7f-5cd2-b1ee-066b7cc2eb6a",
+ "value": "Google Cloud APT41 2022"
+ },
+ {
+ "description": "Desimone, J. (2018, April 18). Status Update. Retrieved September 12, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2018-04-18T00:00:00Z",
 "refs": [
- "https://twitter.com/dez_/status/986614411711442944"
+ "https://x.com/dez_/status/986614411711442944"
 ],
 "source": "MITRE",
 "title": "Status Update"
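Review bot: The new `Google Cloud APT41 2022` entry in the second hunk records `"title": "State Governments"`, a two-word fragment of the article title its own description gives (`Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments`), and it omits `date_published` although the description dates the post `(2022, March 8)`. Presumably the short title was chosen so the record sorts next to `Status Update`; if so the full title still belongs in `title`, and `"date_published": "2022-03-08T00:00:00Z"` should be added as the neighbouring Elastic entry in the first hunk does.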
@@ -52317,6 +55630,20 @@
 "uuid": "5d43542f-aad5-4ac5-b5b6-1a2b03222fc8",
 "value": "Mandiant Endpoint Evading 2019"
 },
+ {
+ "description": "Matthew Dunwoody. (2022, April 28). I have seen double-timestomping ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-20T00:00:00Z",
+ "refs": [
+ "https://x.com/matthewdunwoody/status/1519846657646604289"
+ ],
+ "source": "MITRE",
+ "title": "Stay sharp out there."
+ },
+ "related": [],
+ "uuid": "d4ee5a4b-9e68-5e77-ae5b-e45942a7fd26",
+ "value": "Double Timestomping"
+ },
 {
 "description": "Quentin Bourgue, Pierre Le Bourhis, Threat & Detection Research Team. (2023, February 20). Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity – Part 1. Retrieved July 28, 2023.",
 "meta": {
@@ -52349,21 +55676,6 @@
 "uuid": "edd0cab4-48f7-48d8-a318-ced118af6a63",
 "value": "Sekoia.io Stealc February 27 2023"
 },
- {
- "description": "Dr. Nestori Syynimaa. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved February 21, 2023.",
- "meta": {
- "date_accessed": "2023-02-21T00:00:00Z",
- "date_published": "2022-02-15T00:00:00Z",
- "refs": [
- "https://aadinternals.com/post/deviceidentity/"
- ],
- "source": "MITRE",
- "title": "Stealing and faking Azure AD device identities"
- },
- "related": [],
- "uuid": "b5ef16c4-1db0-51e9-93ab-54a8e480debc",
- "value": "AADInternals Azure AD Device Identities"
- },
 {
 "description": "Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022.",
 "meta": {
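Review bot: The `Double Timestomping` entry in the first hunk uses `"title": "Stay sharp out there."`, the closing sentence of the tweet rather than a title, has a doubled period in `description` (`Stay sharp out there.. Retrieved`), and lacks `date_published` even though the description dates the tweet `(2022, April 28)`. Suggest `"date_published": "2022-04-28T00:00:00Z"` and a title taken from the tweet's opening clause, `I have seen double-timestomping ITW, including by APT29`, so the record is findable by subject. The second hunk only removes the AADInternals entry that the next hunk re-adds under the same uuid, so no comment there.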
@@ -52379,6 +55691,21 @@
 "uuid": "ec94c043-92ef-4691-b21a-7ea68f39e338",
 "value": "O365 Blog Azure AD Device IDs"
 },
+ {
+ "description": "Dr. Nestori Syynimaa. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved February 21, 2023.",
+ "meta": {
+ "date_accessed": "2023-02-21T00:00:00Z",
+ "date_published": "2022-02-15T00:00:00Z",
+ "refs": [
+ "https://aadinternals.com/post/deviceidentity/"
+ ],
+ "source": "MITRE",
+ "title": "Stealing and faking Azure AD device identities"
+ },
+ "related": [],
+ "uuid": "b5ef16c4-1db0-51e9-93ab-54a8e480debc",
+ "value": "AADInternals Azure AD Device Identities"
+ },
 {
 "description": "Fuller, R. (2013, September 11). Stealing passwords every time they change. Retrieved November 21, 2017.",
 "meta": {
@@ -52409,6 +55736,21 @@
 "uuid": "6b79006d-f6de-489c-82fa-8c3c28d652ef",
 "value": "CSM Elderwood Sept 2012"
 },
+ {
+ "description": "Hammond, Charlotte. Villadsen, Ole. Metrick, Kat.. (2023, November 21). Stealthy WailingCrab Malware misuses MQTT Messaging Protocol. Retrieved August 28, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-28T00:00:00Z",
+ "date_published": "2023-11-21T00:00:00Z",
+ "refs": [
+ "https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/"
+ ],
+ "source": "MITRE",
+ "title": "Stealthy WailingCrab Malware misuses MQTT Messaging Protocol"
+ },
+ "related": [],
+ "uuid": "5d0f12e2-919c-5a7f-8340-83577508368d",
+ "value": "wailing crab sub/pub"
+ },
 {
 "description": "Maldonado, D., McGuffin, T. (2016, August 6). Sticky Keys to the Kingdom. Retrieved July 5, 2017.",
 "meta": {
@@ -52754,6 +56096,21 @@
 "uuid": "ad96148c-8230-4923-86fd-4b1da211db1a",
 "value": "U.S. CISA Play Ransomware December 2023"
 },
+ {
+ "description": "CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-24T00:00:00Z",
+ "date_published": "2023-12-18T00:00:00Z",
+ "refs": [
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a"
+ ],
+ "source": "MITRE",
+ "title": "#StopRansomware: Play Ransomware AA23-352A"
+ },
+ "related": [],
+ "uuid": "b47f5430-25d4-5502-9219-674daed4e2c5",
+ "value": "CISA Play Ransomware Advisory December 2023"
+ },
 {
 "description": "Cybersecurity and Infrastructure Security Agency. (2024, August 29). #StopRansomware: RansomHub Ransomware. Retrieved September 3, 2024.",
 "meta": {
@@ -52895,6 +56252,22 @@
 "uuid": "d3b9df24-b776-4658-9bb4-f43a2fe0094c",
 "value": "store_pwd_rev_enc"
 },
+ {
+ "description": "Microsoft Threat Intelligence. (2024, September 26). Storm-0501 Ransomware attacks expanding to hybrid cloud environments . Retrieved September 27, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-27T00:00:00Z",
+ "date_published": "2024-09-26T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Storm-0501 Ransomware attacks expanding to hybrid cloud environments"
+ },
+ "related": [],
+ "uuid": "bf05138b-f690-4b0f-ba10-9af71f7d9bfc",
+ "value": "Microsoft Security Blog September 26 2024"
+ },
 {
 "description": "IBM Support. (2017, April 26). Storwize USB Initialization Tool may contain malicious code. Retrieved May 28, 2019.",
 "meta": {
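Review bot: The Storm-0501 description in the second hunk contains a stray space before the period (`hybrid cloud environments . Retrieved September 27, 2024.`) that the `title` field of the same entry does not have; `hybrid cloud environments. Retrieved` matches the other Tidal Cyber citations. The new CISA Play entry in the first hunk sits directly after the existing `U.S. CISA Play Ransomware December 2023` record; both appear to cite the AA23-352A advisory, so if the existing one already points at the same cisa.gov URL the two records should be reconciled rather than kept under separate uuids.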
@@ -53346,12 +56719,12 @@
 "value": "U.S. CISA APT29 Cloud Access"
 },
 {
- "description": "Insikt Group. (2020, March 12). Swallowing the Snake’s Tail: Tracking Turla Infrastructure. Retrieved October 20, 2020.",
+ "description": "Insikt Group. (2020, March 12). Swallowing the Snake’s Tail: Tracking Turla Infrastructure. Retrieved September 16, 2024.",
 "meta": {
- "date_accessed": "2020-10-20T00:00:00Z",
+ "date_accessed": "2024-09-16T00:00:00Z",
 "date_published": "2020-03-12T00:00:00Z",
 "refs": [
- "https://www.recordedfuture.com/turla-apt-infrastructure/"
+ "https://www.recordedfuture.com/research/turla-apt-infrastructure"
 ],
 "source": "MITRE",
 "title": "Swallowing the Snake’s Tail: Tracking Turla Infrastructure"
@@ -53405,20 +56778,6 @@
 "uuid": "d9f0af0f-8a65-406b-9d7e-4051086ef301",
 "value": "SecureList SynAck Doppelgänging May 2018"
 },
- {
- "description": "Strontic. (n.d.). SyncAppvPublishingServer.exe. Retrieved February 6, 2024.",
- "meta": {
- "date_accessed": "2024-02-06T00:00:00Z",
- "refs": [
- "https://strontic.github.io/xcyclopedia/library/SyncAppvPublishingServer.exe-3C291419F60CDF9C2E4E19AD89944FA3.html"
- ],
- "source": "MITRE",
- "title": "SyncAppvPublishingServer.exe"
- },
- "related": [],
- "uuid": "bc5d8a1a-5cf9-5974-bf13-245fa53721da",
- "value": "6 - appv"
- },
 {
 "description": "LOLBAS. (2018, May 25). SyncAppvPublishingServer.exe. Retrieved December 4, 2023.",
 "meta": {
@@ -53435,6 +56794,20 @@
 "uuid": "ce371df7-aab6-4338-9491-656481cb5601",
 "value": "SyncAppvPublishingServer.exe - LOLBAS Project"
 },
+ {
+ "description": "Strontic. (n.d.). SyncAppvPublishingServer.exe. Retrieved February 6, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-06T00:00:00Z",
+ "refs": [
+ "https://strontic.github.io/xcyclopedia/library/SyncAppvPublishingServer.exe-3C291419F60CDF9C2E4E19AD89944FA3.html"
+ ],
+ "source": "MITRE",
+ "title": "SyncAppvPublishingServer.exe"
+ },
+ "related": [],
+ "uuid": "bc5d8a1a-5cf9-5974-bf13-245fa53721da",
+ "value": "6 - appv"
+ },
 {
 "description": "Nick Landers, Casey Smith. (n.d.). /Syncappvpublishingserver.vbs. Retrieved February 6, 2024.",
 "meta": {
@@ -53713,20 +57086,6 @@
 "uuid": "2a3c5216-b153-4d89-b0b1-f32af3aa83d0",
 "value": "Peripheral Discovery macOS"
 },
- {
- "description": "Microsoft. (n.d.). System Time. Retrieved November 25, 2016.",
- "meta": {
- "date_accessed": "2016-11-25T00:00:00Z",
- "refs": [
- "https://msdn.microsoft.com/ms724961.aspx"
- ],
- "source": "MITRE",
- "title": "System Time"
- },
- "related": [],
- "uuid": "5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec",
- "value": "MSDN System Time"
- },
 {
 "description": "ArchLinux. (2024, February 1). System Time. Retrieved March 27, 2024.",
 "meta": {
@@ -53742,6 +57101,20 @@
 "uuid": "2dfd22d7-c78b-5967-b732-736f37ea5489",
 "value": "linux system time"
 },
+ {
+ "description": "Microsoft. (n.d.). System Time. Retrieved November 25, 2016.",
+ "meta": {
+ "date_accessed": "2016-11-25T00:00:00Z",
+ "refs": [
+ "https://msdn.microsoft.com/ms724961.aspx"
+ ],
+ "source": "MITRE",
+ "title": "System Time"
+ },
+ "related": [],
+ "uuid": "5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec",
+ "value": "MSDN System Time"
+ },
 {
 "description": "Atomic Red Team. (2023, November). T1003.007 - OS Credential Dumping: Proc Filesystem. Retrieved March 28, 2024.",
 "meta": {
@@ -53757,6 +57130,20 @@
 "uuid": "c7e77109-36d3-5549-a0f7-bacc0d9288b2",
 "value": "atomic-red proc file system"
 },
+ {
+ "description": "Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled Task/Job: Scheduled Task. Retrieved June 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-19T00:00:00Z",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"
+ ],
+ "source": "MITRE",
+ "title": "T1053.005 - Scheduled Task/Job: Scheduled Task"
+ },
+ "related": [],
+ "uuid": "2e7fd604-6ec8-54ec-a9f4-879b349f3542",
+ "value": "Red Canary - Atomic Red Team"
+ },
 {
 "description": "redcanaryco. (2021, September 3). T1562.002 - Disable Windows Event Logging. Retrieved September 13, 2021.",
 "meta": {
@@ -53922,6 +57309,22 @@
 "uuid": "460758ea-ed3e-4e9b-ba2e-97c9d42154a4",
 "value": "TrendMicro TA505 Aug 2019"
 },
+ {
+ "description": "Tommy Madjar, Selena Larson, the Proofpoint Threat Research Team. (2024, April 10). TA547 Targets German Organizations with Rhadamanthys Stealer. Retrieved September 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-09T00:00:00Z",
+ "date_published": "2024-04-10T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer"
+ ],
+ "source": "Tidal Cyber",
+ "title": "TA547 Targets German Organizations with Rhadamanthys Stealer"
+ },
+ "related": [],
+ "uuid": "c1fab1dd-bec1-4637-9d50-8317247dc82b",
+ "value": "Proofpoint TA547 April 10 2024"
+ },
 {
 "description": "Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.",
 "meta": {
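Review bot: The new Atomic Red Team entry in the first hunk uses the publisher name as its `value` (`"value": "Red Canary - Atomic Red Team"`), which carries no hint of the cited technique and is likely to collide with any future Atomic Red Team citation, whereas the adjacent `atomic-red proc file system` record and the `T1562.002` record below name the subject. A value such as `Atomic Red Team T1053.005 Scheduled Task` would keep it unique and searchable; the `title` field already holds the technique name and can stay as is.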
@@ -54045,12 +57448,12 @@
 "value": "Microsoft Process Snapshot"
 },
 {
- "description": "Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 22, 2021.",
+ "description": "Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 16, 2024.",
 "meta": {
- "date_accessed": "2021-09-22T00:00:00Z",
+ "date_accessed": "2024-09-16T00:00:00Z",
 "date_published": "2021-05-25T00:00:00Z",
 "refs": [
- "https://www.lacework.com/blog/taking-teamtnt-docker-images-offline/"
+ "https://www.lacework.com/blog/taking-teamtnt-docker-images-offline"
 ],
 "source": "MITRE",
 "title": "Taking TeamTNT's Docker Images Offline"
@@ -54059,6 +57462,37 @@
 "uuid": "5908b04b-dbca-4fd8-bacc-141ef15546a1",
 "value": "Lacework TeamTNT May 2021"
 },
+ {
+ "description": "Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitaiton. Retrieved August 27, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-27T00:00:00Z",
+ "date_published": "2024-08-27T00:00:00Z",
+ "refs": [
+ "https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/"
+ ],
+ "source": "MITRE",
+ "title": "Taking The Crossroads: The Versa Director Zero-Day Exploitaiton"
+ },
+ "related": [],
+ "uuid": "1d7f40f7-76e6-5ba2-8561-17f3646cf407",
+ "value": "Lumen Versa 2024"
+ },
+ {
+ "description": "Black Lotus Labs. (2024, August 27). Taking the Crossroads The Versa Director Zero-Day Exploitation. Retrieved September 6, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-06T00:00:00Z",
+ "date_published": "2024-08-27T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Taking the Crossroads The Versa Director Zero-Day Exploitation"
+ },
+ "related": [],
+ "uuid": "f82c001f-13c0-43d0-bfa4-a51b2715a3e7",
+ "value": "Lumen August 27 2024"
+ },
 {
 "description": "Martin McCloskey, Christophe Tafani-Dereeper. (2024, January 19). Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining. Retrieved April 11, 2024.",
 "meta": {
@@ -54185,7 +57619,7 @@
 "date_accessed": "2021-09-29T00:00:00Z",
 "date_published": "2018-06-23T00:00:00Z",
 "refs": [
- "http://download.ahnlab.com/global/brochure/%5BAnalysis%5DAndariel_Group.pdf"
+ "https://web.archive.org/web/20230213154832/http://download.ahnlab.com/global/brochure/%5BAnalysis%5DAndariel_Group.pdf"
 ],
 "source": "MITRE, Tidal Cyber",
 "title": "Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus"
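Review bot: The two new Lumen entries in the first hunk cite the identical blog.lumen.com URL but differ only in `source` (MITRE vs Tidal Cyber), `date_accessed` and uuid, and the MITRE one spells the title `Zero-Day Exploitaiton` in both `description` and `title` while the Tidal one has `Exploitation`. Elsewhere in this file a shared citation is recorded once with `"source": "MITRE, Tidal Cyber"` (see the Andariel entry in the last hunk), so merging these into one record with that combined source would avoid the duplicate. Unless the MITRE string must be preserved verbatim, the misspelling should be corrected to `Zero-Day Exploitation` in both fields so the record matches a title search.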
@@ -54614,6 +58048,21 @@
 "uuid": "a40a69d7-7abc-4829-9905-98c156a809fe",
 "value": "McAfee Dianxun March 2021"
 },
+ {
+ "description": "Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-12T00:00:00Z",
+ "date_published": "2023-05-24T00:00:00Z",
+ "refs": [
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot"
+ ],
+ "source": "MITRE",
+ "title": "Technical Analysis of Pikabot"
+ },
+ "related": [],
+ "uuid": "7d3785e3-52db-54ec-ad54-32a2ecdb451f",
+ "value": "Zscaler Pikabot 2023"
+ },
 {
 "description": "Brett Stone-Gross, Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved January 11, 2024.",
 "meta": {
@@ -54646,6 +58095,22 @@
 "uuid": "5e3fa76b-0ca3-4935-830a-6ca132fa2fb4",
 "value": "Technical Analysis of PureCrypter | Zscaler Blog"
 },
+ {
+ "description": "Nikolao Pantazopoulos, Sarthak Misraa. (2023, February 21). Technical Analysis of Rhadamanthys Obfuscation Techniques. Retrieved October 14, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-14T00:00:00Z",
+ "date_published": "2023-02-21T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-rhadamanthys-obfuscation-techniques"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Technical Analysis of Rhadamanthys Obfuscation Techniques"
+ },
+ "related": [],
+ "uuid": "a289704d-952d-4150-b9cc-5c53e4b0a41f",
+ "value": "Zscaler Rhadamanthys February 21 2023"
+ },
 {
 "description": "Crowdstrike. (2022, January 19). Technical Analysis of the WhisperGate Malicious Bootloader. Retrieved March 10, 2022.",
 "meta": {
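Review bot: The Rhadamanthys entry in the second hunk spells the first author `Nikolao Pantazopoulos`, while the Pikabot entries in the first hunk and in a later hunk of this patch use `Nikolaos Pantazopoulos`; the dropped letter should be restored in `description`. In the first hunk the new `Zscaler Pikabot 2023` record duplicates the existing `Technical Analysis of Pikabot` citation directly below it (same authors, same `(2023, May 24)` date) under a fresh uuid; the existing record's `source` and `refs` are outside the hunk, but if it already points at the same zscaler.com URL one of the two should be dropped or they should be merged.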
@@ -54721,6 +58186,21 @@
 "uuid": "3138f32c-f89c-439c-a8c5-2964c356308d",
 "value": "Palo Alto Office Test Sofacy"
 },
+ {
+ "description": "Sherwin Akshay. (2024, May 28). Techniques for concealing malware and hindering analysis: Packing up and unpacking stuff. Retrieved September 27, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-27T00:00:00Z",
+ "date_published": "2024-05-28T00:00:00Z",
+ "refs": [
+ "https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc"
+ ],
+ "source": "MITRE",
+ "title": "Techniques for concealing malware and hindering analysis: Packing up and unpacking stuff"
+ },
+ "related": [],
+ "uuid": "a2d50199-6ff4-504b-8f26-9cca4c0eb46f",
+ "value": "polymorphic-linkedin"
+ },
 {
 "description": "LOLBAS. (2018, May 25). te.exe. Retrieved December 4, 2023.",
 "meta": {
@@ -54796,6 +58276,20 @@
 "uuid": "02c9100d-27eb-4f2f-b302-adf890055546",
 "value": "Elastic Process Injection July 2017"
 },
+ {
+ "description": "AWS. (n.d.). Terminology and concepts for AWS Organizations. Retrieved September 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-25T00:00:00Z",
+ "refs": [
+ "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html"
+ ],
+ "source": "MITRE",
+ "title": "Terminology and concepts for AWS Organizations"
+ },
+ "related": [],
+ "uuid": "06d4ce21-ef87-5977-80df-10bd36ae722e",
+ "value": "AWS Organizations"
+ },
 {
 "description": "LOLBAS. (2023, August 21). TestWindowRemoteAgent.exe. Retrieved December 4, 2023.",
 "meta": {
@@ -54903,12 +58397,12 @@
 "value": "ThreatConnect Anthem"
 },
 {
- "description": "Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.",
+ "description": "Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2021-04-06T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2020-09-21T00:00:00Z",
 "refs": [
- "https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf"
+ "https://web.archive.org/web/20210219195905/https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf"
 ],
 "source": "MITRE",
 "title": "The Art and Science of Detecting Cobalt Strike"
@@ -55035,12 +58529,12 @@
 "value": "Symantec Black Vine"
 },
 {
- "description": "Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.",
+ "description": "Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.",
 "meta": {
- "date_accessed": "2021-07-16T00:00:00Z",
+ "date_accessed": "2024-09-19T00:00:00Z",
 "date_published": "2021-07-01T00:00:00Z",
 "refs": [
- "https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer"
+ "https://www.group-ib.com/blog/grimagent/"
 ],
 "source": "MITRE",
 "title": "THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK"
@@ -55197,6 +58691,22 @@
 "uuid": "93a23447-641c-4ee2-9fbd-64b2adea8a5f",
 "value": "BlackBerry CostaRicto November 2020"
 },
+ {
+ "description": "James. (2024, September 6). The Curious Case of an Open Source Stealer: Phemedrone. Retrieved October 10, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-10T00:00:00Z",
+ "date_published": "2024-09-06T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://spycloud.com/blog/phemedrone-stealer/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "The Curious Case of an Open Source Stealer: Phemedrone"
+ },
+ "related": [],
+ "uuid": "f6612b6c-6bed-474f-9ff3-ae3024d099c2",
+ "value": "SpyCloud Phemedrone September 6 2024"
+ },
 {
 "description": "Www.invictus-ir.com. (2024, January 31). The curious case of DangerDev@protonmail.me. Retrieved April 17, 2024.",
 "meta": {
@@ -55334,6 +58844,21 @@
 "uuid": "17ebabfb-6399-4b5f-8274-b34045e2d51a",
 "value": "Zscaler 2 12 2024"
 },
+ {
+ "description": "Nikolaos Pantazopoulos. (2024, February 12). The (D)Evolution of Pikabot. Retrieved July 17, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-17T00:00:00Z",
+ "date_published": "2024-02-12T00:00:00Z",
+ "refs": [
+ "https://www.zscaler.com/blogs/security-research/d-evolution-pikabot"
+ ],
+ "source": "MITRE",
+ "title": "The (D)Evolution of Pikabot"
+ },
+ "related": [],
+ "uuid": "9c1edd25-0fd0-5b5d-8091-68074da52593",
+ "value": "Zscaler Pikabot 2024"
+ },
 {
 "description": "Binary Reverse Engineering Blog. (2023, September 6). The DGA of BumbleBee. Retrieved February 19, 2024.",
 "meta": {
@@ -55386,7 +58911,7 @@
 "date_accessed": "2017-04-21T00:00:00Z",
 "date_published": "2015-06-11T00:00:00Z",
 "refs": [
- "https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf"
+ "https://web.archive.org/web/20150906233433/https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf"
 ],
 "source": "MITRE",
 "title": "The Duqu 2.0"
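Review bot: The new "Zscaler Pikabot 2024" entry is inserted directly after the existing "Zscaler 2 12 2024" entry, whose key encodes the same publisher and the same February 12, 2024 date as the added `"date_published": "2024-02-12T00:00:00Z"`. If the existing entry's `refs` already holds the d-evolution-pikabot URL, this adds a second uuid for one source and consumers keying on `value` will see two citations for one article. Confirm against the existing entry before merging; if they are intentionally kept apart by `source` (MITRE vs. Tidal Cyber), the combined form `"source": "MITRE, Tidal Cyber"` used elsewhere in this file would let one entry carry both.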
@@ -55592,6 +59117,21 @@
 "uuid": "3f9a6343-1db3-4696-99ed-f22c6eabee71",
 "value": "Palo Alto Gamaredon Feb 2017"
 },
+ {
+ "description": "Yehuda Gelb. (2023, November 30). The GitHub Black Market: Gaming the Star Ranking Game. Retrieved June 18, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-18T00:00:00Z",
+ "date_published": "2023-11-30T00:00:00Z",
+ "refs": [
+ "https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7"
+ ],
+ "source": "MITRE",
+ "title": "The GitHub Black Market: Gaming the Star Ranking Game"
+ },
+ "related": [],
+ "uuid": "47222894-95fe-55e1-a6b9-0f1578c4ee65",
+ "value": "Chexmarx-seo"
+ },
 {
 "description": "GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017.",
 "meta": {
@@ -55683,6 +59223,21 @@
 "uuid": "d0605185-3f8d-4846-a718-15572714e15b",
 "value": "Unit 42 Gorgon Group Aug 2018"
 },
+ {
+ "description": "SecureWorks Counter Threat Unit Research Team. (2023, May 16). The Growing Threat from Infostealers. Retrieved October 10, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-10T00:00:00Z",
+ "date_published": "2023-05-16T00:00:00Z",
+ "refs": [
+ "https://www.secureworks.com/research/the-growing-threat-from-infostealers"
+ ],
+ "source": "MITRE",
+ "title": "The Growing Threat from Infostealers"
+ },
+ "related": [],
+ "uuid": "03b6e028-96b1-5d04-abf6-f0d190f44df4",
+ "value": "SecureWorks Infostealers 2023"
+ },
 {
 "description": "Roland Dela Paz. (2003, January 3). The HeartBeat APT Campaign. Retrieved October 17, 2021.",
 "meta": {
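Review bot: The added `"value": "Chexmarx-seo"` misspells the publisher named in its own `refs` URL (zero.checkmarx.com) and carries none of the publisher/topic/year information that neighbouring keys such as "SecureWorks Infostealers 2023" do. Because `value` is the lookup key other clusters cite, it should only be kept verbatim if it reproduces the upstream ATT&CK source_name that techniques already reference; otherwise a key such as `"Checkmarx GitHub Star Market 2023"` is preferable. Either way the decision should be recorded in the commit message, since a later "fix the typo" commit would silently break those citations.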
@@ -55802,6 +59357,21 @@
 "uuid": "8fa21bad-0186-5181-b52e-32f7f116695c",
 "value": "sentinelone_israel_hamas_war"
 },
+ {
+ "description": "Adepts of 0xCC. (2021, January 28). The Kerberos Credential Thievery Compendium (GNU/Linux). Retrieved September 17, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-17T00:00:00Z",
+ "date_published": "2021-01-28T00:00:00Z",
+ "refs": [
+ "https://adepts.of0x.cc/kerberos-thievery-linux/"
+ ],
+ "source": "MITRE",
+ "title": "The Kerberos Credential Thievery Compendium (GNU/Linux)"
+ },
+ "related": [],
+ "uuid": "84b9fd50-4bcf-5f0b-9712-27d6581b8c7a",
+ "value": "Kerberos GNU/Linux"
+ },
 {
 "description": "Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.",
 "meta": {
@@ -55887,8 +59457,8 @@
 "title": "The LaZagne Project !!!"
 },
 "related": [],
- "uuid": "9347b507-3a41-405d-87f9-d4fc2bfc48e5",
- "value": "GitHub LaZagne Dec 2018"
+ "uuid": "33cca4fa-72a8-59a3-a62f-12f71a499a15",
+ "value": "GitHub LaZange Dec 2018"
 },
 {
 "description": "Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.",
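Review bot: The second hunk swaps the uuid/value pair of one LaZagne entry with its neighbour (the following hunk swaps them back), so the net effect is a reorder, but it leaves two entries whose `description` and `title` are identical and that differ only by the misspelled key "GitHub LaZange Dec 2018" and uuid. A typo'd near-duplicate keyed on `value` is exactly the kind of entry that gets "corrected" later and breaks whatever cites it; if both keys are referenced upstream, keep both, otherwise retire the "LaZange" entry in a follow-up rather than carrying it. The "Zanni, A." entry that begins on the last line of this hunk continues outside it.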
@@ -55901,16 +59471,16 @@
 "title": "The LaZagne Project !!!"
 },
 "related": [],
- "uuid": "33cca4fa-72a8-59a3-a62f-12f71a499a15",
- "value": "GitHub LaZange Dec 2018"
+ "uuid": "9347b507-3a41-405d-87f9-d4fc2bfc48e5",
+ "value": "GitHub LaZagne Dec 2018"
 },
 {
- "description": "SecureWorks. (2013). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.",
+ "description": "SecureWorks. (2012). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.",
 "meta": {
 "date_accessed": "2015-08-19T00:00:00Z",
- "date_published": "2013-01-01T00:00:00Z",
+ "date_published": "2012-01-01T00:00:00Z",
 "refs": [
- "http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/"
+ "https://www.secureworks.com/research/The-Lifecycle-of-Peer-to-Peer-Gameover-ZeuS"
 ],
 "source": "MITRE",
 "title": "The Lifecycle of Peer-to-Peer (Gameover) ZeuS"
@@ -56071,12 +59641,12 @@
 "value": "Securelist MiniDuke Feb 2013"
 },
 {
- "description": "Schroeder, W. (2017, January 10). The Most Dangerous User Right You (Probably) Have Never Heard Of. Retrieved March 5, 2019.",
+ "description": "Schroeder, W. (2017, January 10). The Most Dangerous User Right You (Probably) Have Never Heard Of. Retrieved September 23, 2024.",
 "meta": {
- "date_accessed": "2019-03-05T00:00:00Z",
+ "date_accessed": "2024-09-23T00:00:00Z",
 "date_published": "2017-01-10T00:00:00Z",
 "refs": [
- "http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/"
+ "https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/"
 ],
 "source": "MITRE",
 "title": "The Most Dangerous User Right You (Probably) Have Never Heard Of"
@@ -56131,12 +59701,12 @@
 "value": "Baumgartner Golovkin Naikon 2015"
 },
 {
- "description": "Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved November 9, 2018.",
+ "description": "Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved September 25, 2024.",
 "meta": {
- "date_accessed": "2018-11-09T00:00:00Z",
+ "date_accessed": "2024-09-25T00:00:00Z",
 "date_published": "2018-03-02T00:00:00Z",
 "refs": [
- "https://cofense.com/nanocore-rat-resurfaced-sewers/"
+ "https://web.archive.org/web/20240522112705/https://cofense.com/blog/nanocore-rat-resurfaced-sewers/"
 ],
 "source": "MITRE",
 "title": "The NanoCore RAT Has Resurfaced From the Sewers"
@@ -56293,6 +59863,21 @@
 "uuid": "6840c1d6-89dc-4138-99e8-fbd2a45f2a1c",
 "value": "Kaspersky ProjectSauron Full Report"
 },
+ {
+ "description": "Global Research and Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-05T00:00:00Z",
+ "date_published": "2016-08-09T00:00:00Z",
+ "refs": [
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf"
+ ],
+ "source": "MITRE",
+ "title": "The ProjectSauron APT"
+ },
+ "related": [],
+ "uuid": "274fdba1-29f1-5c92-88f6-9a1b21598411",
+ "value": "Kaspersky Lua"
+ },
 {
 "description": "Robert McMillan. (2012, March 3). The Pwn Plug is a little white box that can hack your network. Retrieved March 30, 2018.",
 "meta": {
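Review bot: The added "Kaspersky Lua" entry lands immediately after the existing "Kaspersky ProjectSauron Full Report", and its `title` "The ProjectSauron APT" with the kasperskycontenthub PDF looks like the very report that key names; if the existing entry's `refs` points at the same PDF this is a second uuid for one source. The key "Kaspersky Lua" also describes a detail of the report (its Lua-based modules, presumably) rather than the source, so it does not follow the publisher/topic/year pattern of the keys around it. Keep it only if it is the verbatim upstream source_name; otherwise reuse the existing entry or key it as `"Kaspersky ProjectSauron APT 2016"`.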
@@ -56413,6 +59998,22 @@
 "uuid": "a9333ef5-5637-4a4c-9aaf-fdc9daf8b860",
 "value": "FireEye WMI SANS 2015"
 },
+ {
+ "description": "Sygnia. (2024, July 17). The Return of Ghost Emperor's Demodex. Retrieved August 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-09T00:00:00Z",
+ "date_published": "2024-07-17T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "The Return of Ghost Emperor's Demodex"
+ },
+ "related": [],
+ "uuid": "7d30acb4-9600-46bd-a800-1c7e1149e9b4",
+ "value": "Sygnia July 17 2024"
+ },
 {
 "description": "Daman, R. (2020, February 4). The return of the spoof part 2: Command line spoofing. Retrieved November 19, 2021.",
 "meta": {
@@ -56535,6 +60136,22 @@
 "uuid": "34e6e415-099a-4f29-aad0-fc0331a733a4",
 "value": "ESET Telebots Dec 2016"
 },
+ {
+ "description": "Emily Megan Lim. (2023, September 6). The Rise of the Lumma Info-Stealer . Retrieved October 10, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-10T00:00:00Z",
+ "date_published": "2023-09-06T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer"
+ ],
+ "source": "Tidal Cyber",
+ "title": "The Rise of the Lumma Info-Stealer"
+ },
+ "related": [],
+ "uuid": "2d23c7ba-2c00-4693-a9a2-4c5fabc353b4",
+ "value": "Darktrace September 6 2023"
+ },
 {
 "description": "Dormann, W. (2015, March 13). The Risks of SSL Inspection. Retrieved April 5, 2016.",
 "meta": {
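Review bot: In the second hunk the Lumma entry's `description` contains a stray space before the period ("Lumma Info-Stealer . Retrieved") that the `title` field on the same entry does not have, which suggests the description is assembled from a title string that still carried trailing whitespace. Trim it so the citation text and the title agree: `"description": "Emily Megan Lim. (2023, September 6). The Rise of the Lumma Info-Stealer. Retrieved October 10, 2024.",`. The same "title + space + period" artefact appears in other entries added by this patch, so the generator rather than this one line is probably where the strip belongs.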
@@ -56745,12 +60362,12 @@
 "value": "Fidelis Turbo"
 },
 {
- "description": "Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.",
+ "description": "Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2020-06-18T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2020-02-20T00:00:00Z",
 "refs": [
- "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html"
+ "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia/index.html"
 ],
 "source": "MITRE",
 "title": "The United States Condemns Russian Cyber Attack Against the Country of Georgia"
@@ -57012,6 +60629,36 @@
 "uuid": "82d41fd8-495d-41b6-b908-6ada5764c94d",
 "value": "Code Injection on Linux and macOS"
 },
+ {
+ "description": "Vilius Petkauskas . (2022, November 3). Thomson Reuters collected and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-25T00:00:00Z",
+ "date_published": "2022-11-03T00:00:00Z",
+ "refs": [
+ "https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/"
+ ],
+ "source": "MITRE",
+ "title": "Thomson Reuters collected and leaked at least 3TB of sensitive data"
+ },
+ "related": [],
+ "uuid": "ca5ee9aa-6c9a-57dc-9cb4-0d976de1b5e5",
+ "value": "Cybernews Reuters Leak 2022"
+ },
+ {
+ "description": "Brian Krebs. (2024, March 28). Thread Hijacking: Phishes That Prey on Your Curiosity. Retrieved September 27, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-27T00:00:00Z",
+ "date_published": "2024-03-28T00:00:00Z",
+ "refs": [
+ "https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/"
+ ],
+ "source": "MITRE",
+ "title": "Thread Hijacking: Phishes That Prey on Your Curiosity"
+ },
+ "related": [],
+ "uuid": "1f591eeb-04c0-5125-b378-e3716a839d17",
+ "value": "phishing-krebs"
+ },
 {
 "description": "Ian Kenefick, Junestherry Dela Cruz, Peter Girnus. (2024, February 27). Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities. Retrieved February 28, 2024.",
 "meta": {
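Review bot: The Cybernews entry's `description` has a stray space inside the author field ("Vilius Petkauskas . (2022"), so the citation renders with a detached period; the author string should be trimmed before the period is appended: `"description": "Vilius Petkauskas. (2022, November 3). Thomson Reuters collected and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.",`. The Krebs entry in the same hunk is keyed "phishing-krebs", a lowercase slug unlike every other key in the visible hunks (publisher, topic, year); if it is the verbatim upstream source_name keep it, otherwise `"Krebs Thread Hijacking March 2024"` would be consistent with its neighbours.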
@@ -57244,6 +60891,21 @@
 "uuid": "efd64f41-13cc-4b2b-864c-4d2352cdadcd",
 "value": "Aqua Build Images on Hosts"
 },
+ {
+ "description": "Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-05T00:00:00Z",
+ "date_published": "2023-11-20T00:00:00Z",
+ "refs": [
+ "https://www.cybereason.com/hubfs/dam/collateral/reports/threat-alert-inc-ransomware.pdf"
+ ],
+ "source": "MITRE",
+ "title": "Threat Alert: INC Ransomware"
+ },
+ "related": [],
+ "uuid": "ebe119d6-add3-5a1b-8e5f-b6419f246ba9",
+ "value": "Cybereason INC Ransomware November 2023"
+ },
 {
 "description": "Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.",
 "meta": {
@@ -57470,20 +61132,6 @@
 "uuid": "c113cde7-5dd5-45e9-af16-3ab6ed0b1728",
 "value": "Awake Security Avaddon"
 },
- {
- "description": "Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved May 27, 2022.",
- "meta": {
- "date_accessed": "2022-05-27T00:00:00Z",
- "refs": [
- "https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/"
- ],
- "source": "MITRE",
- "title": "Threat Hunting Series: Detecting Command & Control in the Cloud"
- },
- "related": [],
- "uuid": "fa3762ce-3e60-4991-b464-12601d2a6912",
- "value": "Awake Security C2 Cloud"
- },
 {
 "description": "Gary Golomb. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved July 8, 2022.",
 "meta": {
@@ -57498,6 +61146,20 @@
 "uuid": "b12e0288-48cd-46ec-8305-0f4d050782f2",
 "value": "Detecting Command & Control in the Cloud"
 },
+ {
+ "description": "Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved May 27, 2022.",
+ "meta": {
+ "date_accessed": "2022-05-27T00:00:00Z",
+ "refs": [
+ "https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/"
+ ],
+ "source": "MITRE",
+ "title": "Threat Hunting Series: Detecting Command & Control in the Cloud"
+ },
+ "related": [],
+ "uuid": "fa3762ce-3e60-4991-b464-12601d2a6912",
+ "value": "Awake Security C2 Cloud"
+ },
 {
 "description": "Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved March 30, 2021.",
 "meta": {
@@ -57798,6 +61460,21 @@
 "uuid": "cf7c1db8-6282-4ccd-9609-5a012faf70d6",
 "value": "Microsoft TimeProvider"
 },
+ {
+ "description": "Vishavjit Singh. (2023, June 22). TIMESTOMPING EXPLAINED ON API LEVEL. Retrieved June 20, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-20T00:00:00Z",
+ "date_published": "2023-06-22T00:00:00Z",
+ "refs": [
+ "https://medium.com/@vishavjitsingh.csi/timestomping-explained-on-api-level-f0c219cf3dc9"
+ ],
+ "source": "MITRE",
+ "title": "TIMESTOMPING EXPLAINED ON API LEVEL"
+ },
+ "related": [],
+ "uuid": "a9513253-630f-5535-a439-cf7655f4698b",
+ "value": "API"
+ },
 {
 "description": "Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.",
 "meta": {
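Review bot: In the second hunk the new timestomping entry is keyed `"value": "API"`, a single generic word in a flat namespace where `value` is what other clusters cite; it is near-certain to collide with, or be confused for, some other reference and tells a reader nothing about the source. If it is the verbatim upstream source_name it has to stay, but then the commit message should say so; otherwise `"Singh Timestomping API 2023"` would match the surrounding keys. Note also that the first hunk re-adds the "Awake Security C2 Cloud" entry that the previous hunk removed, with the same uuid fa3762ce-…, so that part is a pure move and needs no further change.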
@@ -57828,6 +61505,21 @@
 "uuid": "dbdaf320-eada-5bbb-95ab-aaa987ed7960",
 "value": "Kaspersky ToddyCat Check Logs October 2023"
 },
+ {
+ "description": "Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-29T00:00:00Z",
+ "date_published": "2022-06-02T00:00:00Z",
+ "refs": [
+ "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions/"
+ ],
+ "source": "MITRE",
+ "title": "To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions"
+ },
+ "related": [],
+ "uuid": "92e39558-cd2c-54c4-8930-aafdd2f14bca",
+ "value": "Mandiant_UNC2165"
+ },
 {
 "description": "netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017.",
 "meta": {
@@ -57919,6 +61611,21 @@
 "uuid": "99e2709e-a32a-4fbf-a20a-ffcdd8befdc8",
 "value": "NorthSec 2015 GData Uroburos Tools"
 },
+ {
+ "description": "Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why Out-of-Band Communications are Essential for Incident Response. Retrieved August 30, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-30T00:00:00Z",
+ "date_published": "2022-12-29T00:00:00Z",
+ "refs": [
+ "https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response"
+ ],
+ "source": "MITRE",
+ "title": "To OOB, or Not to OOB?: Why Out-of-Band Communications are Essential for Incident Response"
+ },
+ "related": [],
+ "uuid": "65b7db0a-1aeb-545b-af65-b40d043f3502",
+ "value": "TrustedSec OOB Communications"
+ },
 {
 "description": "Daniel Krivelevich and Omer Gil. (n.d.). Top 10 CI/CD Security Risks. Retrieved March 24, 2024.",
 "meta": {
@@ -57948,6 +61655,21 @@
 "uuid": "ffb6a26d-2da9-4cce-bb2d-5280e9cc16b4",
 "value": "Dingledine Tor The Second-Generation Onion Router"
 },
+ {
+ "description": "Symantec Threat Hunter Team. (2019, September 18). Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks. Retrieved May 20, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-20T00:00:00Z",
+ "date_published": "2019-09-18T00:00:00Z",
+ "refs": [
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain"
+ ],
+ "source": "MITRE",
+ "title": "Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks"
+ },
+ "related": [],
+ "uuid": "2565fe82-5082-5032-8424-03ce7ccb1936",
+ "value": "Symantec Tortoiseshell 2019"
+ },
 {
 "description": "Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.",
 "meta": {
@@ -57963,6 +61685,21 @@
 "uuid": "25d8bac0-9187-45db-ad96-c7bce20cef00",
 "value": "FireEye FIN7 Shim Databases"
 },
+ {
+ "description": "Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-26T00:00:00Z",
+ "date_published": "2024-05-15T00:00:00Z",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/"
+ ],
+ "source": "MITRE",
+ "title": "To the Moon and back(doors): Lunar landing in diplomatic missions"
+ },
+ "related": [],
+ "uuid": "85040d41-b786-5b63-a510-976bc35e8fce",
+ "value": "ESET Turla Lunar toolset May 2024"
+ },
 {
 "description": "LOLBAS. (n.d.). Tracker.exe. Retrieved July 31, 2019.",
 "meta": {
@@ -58187,21 +61924,6 @@
 "uuid": "9bdda422-dbf7-4b70-a7b1-9e3ad658c239",
 "value": "tt_httrack_fake_domains"
 },
- {
- "description": "Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.",
- "meta": {
- "date_accessed": "2021-09-02T00:00:00Z",
- "date_published": "2020-08-20T00:00:00Z",
- "refs": [
- "https://securelist.com/transparent-tribe-part-1/98127/"
- ],
- "source": "MITRE, Tidal Cyber",
- "title": "Transparent Tribe: Evolution analysis, part 1"
- },
- "related": [],
- "uuid": "42c7faa2-f664-4e4a-9d23-93c88a09da5b",
- "value": "Kaspersky Transparent Tribe August 2020"
- },
 {
 "description": "Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021.",
 "meta": {
@@ -58217,6 +61939,21 @@
 "uuid": "0db470b1-ab22-4b67-a858-472e4de7c6f0",
 "value": "Securelist Trasparent Tribe 2020"
 },
+ {
+ "description": "Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.",
+ "meta": {
+ "date_accessed": "2021-09-02T00:00:00Z",
+ "date_published": "2020-08-20T00:00:00Z",
+ "refs": [
+ "https://securelist.com/transparent-tribe-part-1/98127/"
+ ],
+ "source": "MITRE, Tidal Cyber",
+ "title": "Transparent Tribe: Evolution analysis, part 1"
+ },
+ "related": [],
+ "uuid": "42c7faa2-f664-4e4a-9d23-93c88a09da5b",
+ "value": "Kaspersky Transparent Tribe August 2020"
+ },
 {
 "description": "Microsoft. (2016, June 1). Transport agents. Retrieved June 24, 2019.",
 "meta": {
@@ -58710,12 +62447,12 @@
 "value": "Palo Alto MoonWind March 2017"
 },
 {
- "description": "CyberESI. (2011). TROJAN.GTALK. Retrieved June 29, 2015.",
+ "description": "CyberESI. (2011). TROJAN.GTALK. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2015-06-29T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2011-01-01T00:00:00Z",
 "refs": [
- "http://www.cyberengineeringservices.com/2011/12/15/trojan-gtalk/"
+ "https://web.archive.org/web/20141226203328/http://www.cyberengineeringservices.com/2011/12/15/trojan-gtalk/"
 ],
 "source": "MITRE",
 "title": "TROJAN.GTALK"
@@ -59297,12 +63034,12 @@
 "value": "Microsoft NEODYMIUM Dec 2016"
 },
 {
- "description": "Ackroyd, R. (2023, March 24). Twitter. Retrieved March 24, 2023.",
+ "description": "Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2023-03-24T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2023-03-24T00:00:00Z",
 "refs": [
- "https://twitter.com/rfackroyd/status/1639136000755765254"
+ "https://x.com/rfackroyd/status/1639136000755765254"
 ],
 "source": "MITRE",
 "title": "Twitter"
@@ -59312,11 +63049,11 @@
 "value": "Twitter Richard WMIC"
 },
 {
- "description": "Carr, N.. (2017, April 6). Retrieved June 29, 2017.",
+ "description": "Carr, N.. (2017, April 6). Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2017-06-29T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "refs": [
- "https://twitter.com/ItsReallyNick/status/850105140589633536"
+ "https://x.com/ItsReallyNick/status/850105140589633536"
 ],
 "source": "MITRE",
 "title": "Twitter Nick Carr APT10"
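Review bot: The second and third hunks rewrite tweet citations from twitter.com to x.com and bump `date_accessed` to 2024-09-12, but unlike the TROJAN.GTALK fix in the first hunk (and the Talos, Duqu and Cofense fixes elsewhere in this patch) they are not pinned to a web.archive.org snapshot. Individual tweets are deleted, made private or lost with account changes far more often than vendor blog posts, and a bare x.com status URL gives a later reader no way to recover the cited content, so an archived capture of each status is the more durable `refs` entry (the live URL can stay alongside it). The Ackroyd entry's `"title": "Twitter"` also carries no information about what was cited; something like the neighbouring "Twitter Nick Carr APT10" would help.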
@@ -59355,6 +63092,22 @@
 "uuid": "a797397b-2af7-58b9-b66a-5ded260659f0",
 "value": "Two New Monero Malware Attacks Target Windows and Android Users"
 },
+ {
+ "description": "U.S. Attorney's Office Central District of California. (2024, October 16). Two Sudanese Nationals Indicted for Alleged Role in Anonymous Sudan Cyberattacks. Retrieved October 18, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-18T00:00:00Z",
+ "date_published": "2024-10-16T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.justice.gov/usao-cdca/pr/two-sudanese-nationals-indicted-alleged-role-anonymous-sudan-cyberattacks-hospitals"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Two Sudanese Nationals Indicted for Alleged Role in Anonymous Sudan Cyberattacks"
+ },
+ "related": [],
+ "uuid": "9ee58ce9-b201-4494-a071-7a82571e05fd",
+ "value": "Anonymous Sudan Indictment October 16 2024"
+ },
 {
 "description": "Hacquebord, F.. (2017, April 25). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved May 3, 2017.",
 "meta": {
@@ -59370,6 +63123,37 @@
 "uuid": "d92f22a7-7753-47da-a850-00c073b5fd27",
 "value": "Trend Micro Pawn Storm April 2017"
 },
+ {
+ "description": "tylabs. (2024, September 26). Tyler McLellan UNC2190 Tweet. Retrieved October 3, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-03T00:00:00Z",
+ "date_published": "2024-09-26T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://x.com/tylabs/status/1839392050086908022"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Tyler McLellan UNC2190 Tweet"
+ },
+ "related": [],
+ "uuid": "32298444-284a-4991-ba3b-a80bd62be903",
+ "value": "Tyler McLellan UNC2190 September 26 2024"
+ },
+ {
+ "description": "CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-29T00:00:00Z",
+ "date_published": "2023-02-01T00:00:00Z",
+ "refs": [
+ "https://cert.gov.ua/article/3761104"
+ ],
+ "source": "MITRE",
+ "title": "UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909)"
+ },
+ "related": [],
+ "uuid": "d82e5170-b9be-5a60-a2a1-8df658740639",
+ "value": "CERT-UA WinterVivern 2023"
+ },
 {
 "description": "Almond. (2019, April 30). UAC bypass via elevated .NET applications. Retrieved June 24, 2020.",
 "meta": {
@@ -59704,6 +63488,21 @@
 "uuid": "84c0313a-bea1-44a7-9396-8e12437852d1",
 "value": "Mandiant Uncharmed May 1 2024"
 },
+ {
+ "description": "Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved May 28, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-28T00:00:00Z",
+ "date_published": "2024-05-01T00:00:00Z",
+ "refs": [
+ "https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations"
+ ],
+ "source": "MITRE",
+ "title": "Uncharmed: Untangling Iran's APT42 Operations"
+ },
+ "related": [],
+ "uuid": "7a5d86f3-5afe-5d01-adcd-9511879207a7",
+ "value": "Mandiant APT42 Operations 2024"
+ },
 {
 "description": "Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.",
 "meta": {
@@ -59735,12 +63534,12 @@
 "value": "Checkpoint MosesStaff Nov 2021"
 },
 {
- "description": "Benjamin Cane. (2013, September 16). Understanding a little more about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.",
+ "description": "Benjamin Cane. (2013, September 16). Understanding a little more about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.",
 "meta": {
- "date_accessed": "2021-02-25T00:00:00Z",
+ "date_accessed": "2024-09-25T00:00:00Z",
 "date_published": "2013-09-16T00:00:00Z",
 "refs": [
- "https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/"
+ "https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/"
 ],
 "source": "MITRE",
 "title": "Understanding a little more about /etc/profile and /etc/bashrc"
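Review bot: The added "Mandiant APT42 Operations 2024" entry is inserted right after the existing "Mandiant Uncharmed May 1 2024", and its `title` "Uncharmed: Untangling Iran's APT42 Operations" with `date_published` 2024-05-01 matches that key word for word and date for date; this is almost certainly the same Mandiant report entered twice, once from the MITRE feed and once from Tidal, under two uuids. If the existing entry's `refs` holds the same cloud.google.com URL, one entry with `"source": "MITRE, Tidal Cyber"` (the combined form this file already uses for the Transparent Tribe entry) and both keys recorded somewhere would be cleaner than two; otherwise the ingest should at least dedupe on URL before it appends. The bencane.com fix in the second hunk is fine as an archive pin.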
@@ -60008,6 +63807,22 @@
 "uuid": "521b79fe-bb7b-52fd-a899-b73e254027a5",
 "value": "3OHA double-fork 2022"
 },
+ {
+ "description": "RussianPanda. (2023, July 4). Unleashing the Viper : A Technical Analysis of WhiteSnake Stealer. Retrieved October 14, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-14T00:00:00Z",
+ "date_published": "2023-07-04T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://russianpanda.com/WhiteSnake-Stealer-Malware-Analysis"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Unleashing the Viper : A Technical Analysis of WhiteSnake Stealer"
+ },
+ "related": [],
+ "uuid": "e7b4651b-804a-47b7-bd74-341ac0e8a7a9",
+ "value": "WhiteSnake Stealer RussianPanda July 4 2023"
+ },
 {
 "description": "Flashpoint. (2023, June 20). Unmasking Anonymous Sudan: Timeline of DDoS Attacks, Affiliations, and Motivations. Retrieved October 10, 2023.",
 "meta": {
@@ -60024,6 +63839,21 @@
 "uuid": "2e7060d2-f7bc-457e-a2e6-12897d503ea6",
 "value": "Flashpoint Anonymous Sudan Timeline"
 },
+ {
+ "description": "Ian Ahl. (2023, May 22). Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor. Retrieved August 30, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-30T00:00:00Z",
+ "date_published": "2023-05-22T00:00:00Z",
+ "refs": [
+ "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"
+ ],
+ "source": "MITRE",
+ "title": "Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor"
+ },
+ "related": [],
+ "uuid": "f3f16141-3420-5e72-b7d0-092bbd02f064",
+ "value": "Permiso GUI-Vil 2023"
+ },
 {
 "description": "Dr. Nestori Syynimaa. (2020, July 13). Unnoticed sidekick: Getting access to cloud as an on-prem admin. Retrieved September 28, 2022.",
 "meta": {
@@ -60162,6 +63992,21 @@
 "uuid": "547f1a4a-7e4a-461d-8c19-f4775cd60ac0",
 "value": "Kaspersky Careto"
 },
+ {
+ "description": "Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-09T00:00:00Z",
+ "date_published": "2024-03-06T00:00:00Z",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html"
+ ],
+ "source": "MITRE",
+ "title": "Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence"
+ },
+ "related": [],
+ "uuid": "f0b8be1d-5174-5172-8a0d-1628ddd09092",
+ "value": "trendmicro_redcurl"
+ },
 {
 "description": "KASPERSKY GERT. (2023, December 14). Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol. Retrieved February 8, 2024.",
 "meta": {
@@ -60192,6 +64037,21 @@
 "uuid": "d4e43b2c-a858-4285-984f-f59db5c657bd",
 "value": "Cymmetria Patchwork"
 },
+ {
+ "description": "Zachary Reichert. (2024, August 19). Unveiling \"sedexp\": A Stealthy Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-26T00:00:00Z",
+ "date_published": "2024-08-19T00:00:00Z",
+ "refs": [
+ "https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp"
+ ],
+ "source": "MITRE",
+ "title": "Unveiling \"sedexp\": A Stealthy Linux Malware Exploiting udev Rules"
+ },
+ "related": [],
+ "uuid": "ddcfe3d2-804f-52d1-bd9c-02bac8ad9023",
+ "value": "Reichert aon sedexp 2024"
+ },
 {
 "description": "Orange Cyberdefense. (2024, March 14). Unveiling the depths of residential proxies providers. Retrieved April 11, 2024.",
 "meta": {
@@ -60284,6 +64144,38 @@
 "uuid": "2c85d5e5-2cb2-4af7-8c33-8aaac3360706",
 "value": "Update.exe - LOLBAS Project"
 },
+ {
+ "description": "Rui Ataide, Hermes Bojaxhi. (2024, August 14). Update from the Ransomware Trenches. Retrieved October 4, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-04T00:00:00Z",
+ "date_published": "2024-08-14T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.guidepointsecurity.com/blog/update-from-the-ransomware-trenches/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Update from the Ransomware Trenches"
+ },
+ "related": [],
+ "uuid": "414ff729-ba51-4c5a-a4ac-027e0d3c14df",
+ "value": "GuidePoint Security INC Ransomware August 14 2024"
+ },
+ {
+ "description": "U.S. Federal Bureau of Investigation. (2024, October 10). Update on SVR Cyber Operations and Vulnerability Exploitation. Retrieved October 14, 2024.",
+ "meta": {
+ "date_accessed": "2024-10-14T00:00:00Z",
+ "date_published": "2024-10-10T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.ic3.gov/Media/News/2024/241010.pdf"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Update on SVR Cyber Operations and Vulnerability Exploitation"
+ },
+ "related": [],
+ "uuid": "63a76e88-2cd1-4cfa-bd96-4c1c3eebb39b",
+ "value": "FBI SVR Update October 10 2024"
+ },
 {
 "description": "Microsoft. (2020, September 14). Update or repair the settings of a federated domain in Office 365, Azure, or Intune. Retrieved December 30, 2020.",
 "meta": {
@@ -60406,12 +64298,12 @@
 "value": "SCILabs Malteiro Threat Overlap 2023"
 },
 {
- "description": "NJCCIC. (2016, September 27). Ursnif. Retrieved June 4, 2019.",
+ "description": "NJCCIC. (2016, September 27). Ursnif. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2019-06-04T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2016-09-27T00:00:00Z",
 "refs": [
- "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif"
+ "https://www.cyber.nj.gov/threat-landscape/malware/trojans/ursnif"
 ],
 "source": "MITRE",
 "title": "Ursnif"
@@ -60451,6 +64343,21 @@
 "uuid": "f05ecd1b-7844-4920-8c3a-0b30ff126ac9",
 "value": "Proofpoint August 29 2016"
 },
+ {
+ "description": "Sergiu Gatlan. (2022, January 4). UScellular discloses data breach after billing system hack. Retrieved July 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-01T00:00:00Z",
+ "date_published": "2022-01-04T00:00:00Z",
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/"
+ ],
+ "source": "MITRE",
+ "title": "UScellular discloses data breach after billing system hack"
+ },
+ "related": [],
+ "uuid": "d7befaea-1b35-54c3-a086-83b490f6a0a1",
+ "value": "Bleeping Computer US Cellular Hack 2022"
+ },
 {
 "description": "US Coast Guard Cyber Command. (2022, August 17). US Coast Guard Cyber Command Maritime Cyber Alert 03-22. Retrieved October 9, 2023.",
 "meta": {
@@ -60468,12 +64375,12 @@
 "value": "US Coast Guard Killnet August 17 2022"
 },
 {
- "description": "USCYBERCOM. (2020, October 1). USCYBERCOM Cybersecurity Alert SLOTHFULMEDIA. Retrieved November 16, 2020.",
+ "description": "USCYBERCOM. (2020, October 1). USCYBERCOM Cybersecurity Alert SLOTHFULMEDIA. Retrieved September 12, 2024.",
 "meta": {
- "date_accessed": "2020-11-16T00:00:00Z",
+ "date_accessed": "2024-09-12T00:00:00Z",
 "date_published": "2020-10-01T00:00:00Z",
 "refs": [
- "https://twitter.com/CNMF_CyberAlert/status/1311743710997159953"
+ "https://x.com/CNMF_CyberAlert/status/1311743710997159953"
 ],
 "source": "MITRE",
 "title": "USCYBERCOM Cybersecurity Alert SLOTHFULMEDIA"
@@ -60658,6 +64565,20 @@
 "uuid": "9a0e7054-9239-43cd-8e5f-aac8b665be72",
 "value": "Adlice Software IAT Hooks Oct 2014"
 },
+ {
+ "description": "Man7. (n.d.). Usermod. Retrieved August 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-05T00:00:00Z",
+ "refs": [
+ "https://www.man7.org/linux/man-pages/man8/usermod.8.html"
+ ],
+ "source": "MITRE",
+ "title": "Usermod"
+ },
+ "related": [],
+ "uuid": "e2b4b672-4828-56eb-95eb-2abfbf7f9195",
+ "value": "Linux Usermod"
+ },
 {
 "description": "Cisco. (2023, March 6). username - Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022.",
 "meta": {
@@ -60804,6 +64725,22 @@ "uuid": "d0eacad8-a6ff-4282-8fbc-d7984ad03b56", "value": "Cisco Umbrella DGA Brute Force" }, + { + "description": "Faith Stratton. (2024, March 13). Using Backup Utilities for Data Exfiltration . Retrieved October 4, 2024.", + "meta": { + "date_accessed": "2024-10-04T00:00:00Z", + "date_published": "2024-03-13T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.huntress.com/blog/using-backup-utilities-for-data-exfiltration" + ], + "source": "Tidal Cyber", + "title": "Using Backup Utilities for Data Exfiltration" + }, + "related": [], + "uuid": "e3931ba7-24de-4283-9941-fe927a75fb5e", + "value": "Www.huntress.com March 13 2024" + }, { "description": "Graeber, M. (2016, September 8). Using Device Guard to Mitigate Against Device Guard Bypasses. Retrieved September 13, 2016.", "meta": { @@ -62183,6 +66120,22 @@ "uuid": "b4362602-faf0-5b28-a147-b3153da1903f", "value": "NIST Web Bug" }, + { + "description": "Marc N; Sekoia TDR. (2024, September 19). WebDAV-as-a-Service Uncovering the infrastructure behind Emmenhtal loader distribution. Retrieved September 20, 2024.", + "meta": { + "date_accessed": "2024-09-20T00:00:00Z", + "date_published": "2024-09-19T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://blog.sekoia.io/webdav-as-a-service-uncovering-the-infrastructure-behind-emmenhtal-loader-distribution/" + ], + "source": "Tidal Cyber", + "title": "WebDAV-as-a-Service Uncovering the infrastructure behind Emmenhtal loader distribution" + }, + "related": [], + "uuid": "df9ff358-4d1e-4094-92cd-4703c53a384c", + "value": "Sekoia.io Blog September 19 2024" + }, { "description": "Stevens, D. (2017, November 13). WebDAV Traffic To Malicious Sites. Retrieved December 21, 2017.", "meta": { 
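Review bot: The Huntress entry's description carries a stray space before the period, `Data Exfiltration .`, which will be rendered verbatim in every citation of it; the corrected line is `"description": "Faith Stratton. (2024, March 13). Using Backup Utilities for Data Exfiltration. Retrieved October 4, 2024.",`. The display `value` is also built from the bare hostname, `Www.huntress.com March 13 2024`, whereas the Sekoia entry in the second hunk on this line gets the more readable `Sekoia.io Blog September 19 2024`; since the object is new, a value such as `Huntress Blog March 13 2024` can still be chosen before anything links to it.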
@@ -62273,12 +66226,12 @@ "value": "PWC WellMess C2 August 2020" }, { - "description": "Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.", + "description": "Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024.", "meta": { - "date_accessed": "2019-04-17T00:00:00Z", + "date_accessed": "2024-09-25T00:00:00Z", "date_published": "2018-09-10T00:00:00Z", "refs": [ - "https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/" + "https://web.archive.org/web/20200302071436/https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/" ], "source": "MITRE", "title": "We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan" @@ -62287,6 +66240,20 @@ "uuid": "d316c581-646d-48e7-956e-34e2f957c67d", "value": "Cofense Astaroth Sept 2018" }, + { + "description": "Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.", + "meta": { + "date_accessed": "2021-09-14T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil" + ], + "source": "MITRE", + "title": "wevtutil" + }, + "related": [], + "uuid": "25511dde-9e13-4e03-8ae4-2495e9f5eb5e", + "value": "Wevtutil Microsoft Documentation" + }, { "description": "Plett, C. et al.. (2017, October 16). wevtutil. Retrieved July 2, 2018.", "meta": { 
@@ -62302,20 +66269,6 @@ "uuid": "8896d802-96c6-4546-8a82-c1f7f2d71ea1", "value": "Microsoft wevtutil Oct 2017" }, - { - "description": "Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.", - "meta": { - "date_accessed": "2021-09-14T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil" - ], - "source": "MITRE", - "title": "wevtutil" - }, - "related": [], - "uuid": "25511dde-9e13-4e03-8ae4-2495e9f5eb5e", - "value": "Wevtutil Microsoft Documentation" - }, { "description": "LOLBAS. (2021, September 26). Wfc.exe. Retrieved December 4, 2023.", "meta": { @@ -62725,6 +66678,20 @@ "uuid": "c7670c6d-014b-4937-ac0f-9f2aec60e2d8", "value": "What is FormBook Malware? - Check Point Software" }, + { + "description": "fatedier. (n.d.). What is frp?. Retrieved July 10, 2024.", + "meta": { + "date_accessed": "2024-07-10T00:00:00Z", + "refs": [ + "https://github.com/fatedier/frp" + ], + "source": "MITRE", + "title": "What is frp?" + }, + "related": [], + "uuid": "cc682467-1ad0-50d9-9d81-be84ed862df8", + "value": "FRP GitHub" + }, { "description": "grsecurity. (2017, December 12). What is grsecurity?. Retrieved December 20, 2017.", "meta": { 
@@ -62799,6 +66766,35 @@ "uuid": "3fc422e5-9a1d-5ac4-8e65-1df13d8a688e", "value": "Pastebin EchoSec" }, + { + "description": "Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September 27, 2024.", + "meta": { + "date_accessed": "2024-09-27T00:00:00Z", + "refs": [ + "https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware" + ], + "source": "MITRE", + "title": "What is Polymorphic Malware?" + }, + "related": [], + "uuid": "1918a3fe-b7a2-5420-8671-f602d58566fd", + "value": "polymorphic-blackberry" + }, + { + "description": "SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples and Challenges. Retrieved September 27, 2024.", + "meta": { + "date_accessed": "2024-09-27T00:00:00Z", + "date_published": "2023-03-18T00:00:00Z", + "refs": [ + "https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware" + ], + "source": "MITRE", + "title": "What is Polymorphic Malware? Examples and Challenges" + }, + "related": [], + "uuid": "cd7a1320-3bdd-5b26-8d6d-2e2897231dcb", + "value": "polymorphic-sentinelone" + }, { "description": "Microsoft. (n.d.). What is Protected View?. Retrieved November 22, 2017.", "meta": { 
@@ -62828,6 +66824,35 @@ "uuid": "7eaa0fa8-953a-482e-8f6b-02607e928525", "value": "TechNet RPC" }, + { + "description": "Twilio. (n.d.). What is SMS Pumping Fraud?. Retrieved September 25, 2024.", + "meta": { + "date_accessed": "2024-09-25T00:00:00Z", + "refs": [ + "https://www.twilio.com/docs/glossary/what-is-sms-pumping-fraud" + ], + "source": "MITRE", + "title": "What is SMS Pumping Fraud?" + }, + "related": [], + "uuid": "2a75c6ae-b7d1-5af4-b647-7ac6cb63e95a", + "value": "Twilio SMS Pumping Fraud" + }, + { + "description": "Twilio. (2024, April 10). What Is SMS Pumping Fraud and How to Stop It. Retrieved September 25, 2024.", + "meta": { + "date_accessed": "2024-09-25T00:00:00Z", + "date_published": "2024-04-10T00:00:00Z", + "refs": [ + "https://www.twilio.com/en-us/blog/sms-pumping-fraud-solutions" + ], + "source": "MITRE", + "title": "What Is SMS Pumping Fraud and How to Stop It" + }, + "related": [], + "uuid": "fa3ae7e9-afbb-5aac-bbf7-e76e9425b01f", + "value": "Twilio SMS Pumping" + }, { "description": "Apple. (2014, April 9). What Is the I/O Kit?. Retrieved September 24, 2021.", "meta": { @@ -63052,6 +67077,20 @@ "uuid": "dbdc2009-a468-439b-bd96-e6153b3fb8a1", "value": "Trend Micro When Phishing Starts from the Inside 2017" }, + { + "description": "Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019", + "meta": { + "date_accessed": "2019-10-22T00:00:00Z", + "refs": [ + "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + ], + "source": "MITRE", + "title": "When The Lights Went Out" + }, + "related": [], + "uuid": "7f0acd33-602e-5f07-a1ae-a87e3c8f2eb5", + "value": "Booz Allen Hamilton" + }, { "description": "Microsoft. (n.d.). When to Use Transactional NTFS. Retrieved December 20, 2017.", "meta": { 
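Review bot: The Booz Allen entry has no `date_published` even though the report's own path, `/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf`, places it in September 2016, and its description ends without the terminal period every neighbouring citation has (`Retrieved October 22, 2019`). I would add `"date_published": "2016-09-01T00:00:00Z",` only after confirming the day on the report itself, and close the description with a period. The display `value` is just the organisation name, `Booz Allen Hamilton`, so any later Booz Allen reference would be indistinguishable in the UI; naming the report, as in `Booz Allen When The Lights Went Out 2016`, matches what the other MITRE-sourced values on this page do (`Cofense Astaroth Sept 2018`, `Dell Wiper`).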
@@ -63126,12 +67165,12 @@
 "value": "Cybereason WhisperGate February 2022"
 },
 {
- "description": "Insikt Group. (2020, January 28). WhisperGate Malware Corrupts Computers in Ukraine. Retrieved March 31, 2023.",
+ "description": "Insikt Group. (2020, January 28). WhisperGate Malware Corrupts Computers in Ukraine. Retrieved September 16, 2024.",
 "meta": {
- "date_accessed": "2023-03-31T00:00:00Z",
+ "date_accessed": "2024-09-16T00:00:00Z",
 "date_published": "2020-01-28T00:00:00Z",
 "refs": [
- "https://www.recordedfuture.com/whispergate-malware-corrupts-computers-ukraine"
+ "https://www.recordedfuture.com/research/whispergate-malware-corrupts-computers-ukraine"
 ],
 "source": "MITRE",
 "title": "WhisperGate Malware Corrupts Computers in Ukraine"
@@ -63421,6 +67460,20 @@
 "uuid": "13ac05f8-f2a9-4243-8039-aff9ee1d5fc6",
 "value": "Wikipedia Exe Compression"
 },
+ {
+ "description": "William Largent. (2018, June 06) VPNFilter Update - VPNFilter exploits endpoints, targets new devices. Retrieved March 28, 2019",
+ "meta": {
+ "date_accessed": "2019-03-28T00:00:00Z",
+ "refs": [
+ "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html"
+ ],
+ "source": "MITRE",
+ "title": "William Largent June 2018"
+ },
+ "related": [],
+ "uuid": "ccc34a5f-e17d-5b4c-84cf-ccff3ff9d845",
+ "value": "William Largent June 2018"
+ },
 {
 "description": "Matrosov, A., Rodionov, E., Volkov, D., Harley, D. (2012, March 2). Win32/Carberp When You’re in a Black Hole, Stop Digging. Retrieved July 15, 2020.",
 "meta": {
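Review bot: The publication date kept on the new side of the WhisperGate hunk, `(2020, January 28)` in the description and `"date_published": "2020-01-28T00:00:00Z"`, cannot be right: WhisperGate was first publicly reported in January 2022, and the companion `Cybereason WhisperGate February 2022` entry in the same hunk's context is dated accordingly, so the Recorded Future write-up is recorded two years too early. The error is inherited from the upstream MITRE citation, but since this change already rewrites the description and `date_accessed`, it is the natural place to correct it. I would change the two lines to `"description": "Insikt Group. (2022, January 28). WhisperGate Malware Corrupts Computers in Ukraine. Retrieved September 16, 2024.",` and `"date_published": "2022-01-28T00:00:00Z",` after confirming the date on the article itself.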
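Review bot: The VPNFilter entry in the second hunk uses the author's name and month as its `title`, `William Largent June 2018`, rather than the article title, and omits `date_published` even though the description states the date; the description is also missing the period after the date parenthesis and at the end, unlike every other citation here. I would set `"title": "VPNFilter Update - VPNFilter exploits endpoints, targets new devices",`, add `"date_published": "2018-06-06T00:00:00Z",`, and rewrite the description as `"William Largent. (2018, June 6). VPNFilter Update - VPNFilter exploits endpoints, targets new devices. Retrieved March 28, 2019.",`. The `value` can stay as the short citation key.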
@@ -63571,11 +67624,11 @@ "value": "Windows Commands JPCERT" }, { - "description": "Amplia Security. (n.d.). Windows Credentials Editor (WCE) F.A.Q.. Retrieved December 17, 2015.", + "description": "Amplia Security. (n.d.). Windows Credentials Editor (WCE) F.A.Q.. Retrieved September 12, 2024.", "meta": { - "date_accessed": "2015-12-17T00:00:00Z", + "date_accessed": "2024-09-12T00:00:00Z", "refs": [ - "http://www.ampliasecurity.com/research/wcefaq.html" + "https://web.archive.org/web/20240904163410/https://www.ampliasecurity.com/research/wcefaq.html" ], "source": "MITRE", "title": "Windows Credentials Editor (WCE) F.A.Q." @@ -63629,6 +67682,21 @@ "uuid": "ce40e997-d04b-49a6-8838-13205c54243a", "value": "PassLib mscache" }, + { + "description": "Secure Team - Information Assurance. (2023, January 8). Windows Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.", + "meta": { + "date_accessed": "2024-07-08T00:00:00Z", + "date_published": "2023-01-08T00:00:00Z", + "refs": [ + "https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/" + ], + "source": "MITRE", + "title": "Windows Error Reporting Tool Abused to Load Malware" + }, + "related": [], + "uuid": "930ca682-03e0-57e7-a1ec-5a3186f0ff64", + "value": "Secure Team - Scriptrunner.exe" + }, { "description": "Forshaw, J. (2018, April 18). Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege. Retrieved May 3, 2018.", "meta": { 
@@ -63804,21 +67872,6 @@ "uuid": "20ec94d1-4a5c-43f5-bb65-f3ea965d2b6e", "value": "TechNet PowerShell" }, - { - "description": "McFarland, R. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.", - "meta": { - "date_accessed": "2018-08-10T00:00:00Z", - "date_published": "2018-01-26T00:00:00Z", - "refs": [ - "https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/" - ], - "source": "MITRE", - "title": "Windows Privilege Escalation Guide" - }, - "related": [], - "uuid": "c52945dc-eb20-4e69-8f8e-a262f33c244c", - "value": "SploitSpren Windows Priv Jan 2018" - }, { "description": "absolomb. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.", "meta": { @@ -63834,6 +67887,21 @@ "uuid": "185154f2-5f2e-48bf-b609-991e9d6a037b", "value": "Windows Privilege Escalation Guide" }, + { + "description": "McFarland, R. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.", + "meta": { + "date_accessed": "2018-08-10T00:00:00Z", + "date_published": "2018-01-26T00:00:00Z", + "refs": [ + "https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/" + ], + "source": "MITRE", + "title": "Windows Privilege Escalation Guide" + }, + "related": [], + "uuid": "c52945dc-eb20-4e69-8f8e-a262f33c244c", + "value": "SploitSpren Windows Priv Jan 2018" + }, { "description": "HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted Services. Retrieved August 10, 2018.", "meta": { 
@@ -63924,11 +67992,11 @@ "value": "Cylance Reg Persistence Sept 2013" }, { - "description": "Microsoft. (n.d.). Windows Remote Management. Retrieved November 12, 2014.", + "description": "Microsoft. (n.d.). Windows Remote Management. Retrieved September 12, 2024.", "meta": { - "date_accessed": "2014-11-12T00:00:00Z", + "date_accessed": "2024-09-12T00:00:00Z", "refs": [ - "http://msdn.microsoft.com/en-us/library/aa384426" + "https://learn.microsoft.com/en-us/windows/win32/winrm/portal" ], "source": "MITRE", "title": "Windows Remote Management" @@ -64175,11 +68243,11 @@ "value": "Winexe Github Sept 2013" }, { - "description": "Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.", + "description": "Microsoft. (n.d.). WinExec function. Retrieved September 12, 2024.", "meta": { - "date_accessed": "2014-12-05T00:00:00Z", + "date_accessed": "2024-09-12T00:00:00Z", "refs": [ - "http://msdn.microsoft.com/en-us/library/ms687393" + "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec" ], "source": "MITRE", "title": "WinExec function" 
@@ -64280,6 +68348,51 @@ "uuid": "86107810-8a1d-4c13-80f0-c1624143d057", "value": "winrm.vbs - LOLBAS Project" }, + { + "description": "Chad Anderson. (2021, April 27). Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages. Retrieved July 29, 2024.", + "meta": { + "date_accessed": "2024-07-29T00:00:00Z", + "date_published": "2021-04-27T00:00:00Z", + "refs": [ + "https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs/" + ], + "source": "MITRE", + "title": "Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages" + }, + "related": [], + "uuid": "5f52274f-9d02-5e3c-a1da-48eee0804459", + "value": "DomainTools WinterVivern 2021" + }, + { + "description": "Matthieu Faou. (2023, October 25). Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers. Retrieved July 29, 2024.", + "meta": { + "date_accessed": "2024-07-29T00:00:00Z", + "date_published": "2023-10-25T00:00:00Z", + "refs": [ + "https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/" + ], + "source": "MITRE", + "title": "Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers" + }, + "related": [], + "uuid": "7def830a-22d8-55b6-a1e5-a6a63a8bbd5a", + "value": "ESET WinterVivern 2023" + }, + { + "description": "Tom Hegel. (2023, March 16). Winter Vivern | Uncovering a Wave of Global Espionage. Retrieved July 29, 2024.", + "meta": { + "date_accessed": "2024-07-29T00:00:00Z", + "date_published": "2023-03-16T00:00:00Z", + "refs": [ + "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/" + ], + "source": "MITRE", + "title": "Winter Vivern | Uncovering a Wave of Global Espionage" + }, + "related": [], + "uuid": "f1b6b3b8-2068-5d80-a318-c77aaa9417c1", + "value": "SentinelOne WinterVivern 2023" + }, { "description": "Microsoft. (n.d.). WinVerifyTrust function. 
Retrieved January 31, 2018.", "meta": { @@ -64340,6 +68453,21 @@ "uuid": "be6629ef-e7c6-411c-9bd2-34e59062cadd", "value": "Dell Wiper" }, + { + "description": "Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin Attack. Retrieved September 17, 2024.", + "meta": { + "date_accessed": "2024-09-17T00:00:00Z", + "date_published": "2021-08-08T00:00:00Z", + "refs": [ + "https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59" + ], + "source": "MITRE", + "title": "Wireless Security— Evil Twin Attack" + }, + "related": [], + "uuid": "af6cfe7c-a757-51e2-8e4f-52e2ca28ded0", + "value": "medium evil twin" + }, { "description": "Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.", "meta": { @@ -64534,6 +68662,20 @@ "uuid": "42cfa3eb-7a8c-482e-b8d8-78ae5c30b843", "value": "WorkFolders.exe - LOLBAS Project" }, + { + "description": "AWS. (n.d.). Working with a DB instance in a VPC. Retrieved September 24, 2024.", + "meta": { + "date_accessed": "2024-09-24T00:00:00Z", + "refs": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html" + ], + "source": "MITRE", + "title": "Working with a DB instance in a VPC" + }, + "related": [], + "uuid": "c38d6dfc-e866-5b81-b6e9-46106637f142", + "value": "AWS DB VPC" + }, { "description": "Confluence Support. (2021, April 22). Working with Confluence Logs. Retrieved September 23, 2021.", "meta": { 
@@ -64608,6 +68750,21 @@ "uuid": "5628ecd9-48da-4a50-94ba-4b70abe56089", "value": "Writing Bad Malware for OSX" }, + { + "description": "SecurityTrails. (2018, March 14). Wrong Bind Configuration Exposes the Complete List of Russian TLD's to the Internet. Retrieved June 5, 2024.", + "meta": { + "date_accessed": "2024-06-05T00:00:00Z", + "date_published": "2018-03-14T00:00:00Z", + "refs": [ + "https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds" + ], + "source": "MITRE", + "title": "Wrong Bind Configuration Exposes the Complete List of Russian TLD's to the Internet" + }, + "related": [], + "uuid": "9f3b77a1-a60d-5ede-af9c-2684a75c4bb9", + "value": "Trails-DNS" + }, { "description": "LOLBAS. (2018, May 25). Wscript.exe. Retrieved December 4, 2023.", "meta": { @@ -64931,21 +69088,6 @@ "uuid": "f97537c2-f080-4438-8728-4d2a91388132", "value": "Red Canary Yellow Cockatoo June 2022" }, - { - "description": "PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved March 29, 2024.", - "meta": { - "date_accessed": "2024-03-29T00:00:00Z", - "date_published": "2023-10-25T00:00:00Z", - "refs": [ - "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html" - ], - "source": "MITRE", - "title": "Yellow Liderc ships its scripts and delivers IMAPLoader malware" - }, - "related": [], - "uuid": "b6544ea7-befa-53ae-95fa-5c227c848c46", - "value": "PwC Yellow Liderc" - }, { "description": "PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved October 25, 2023.", "meta": { 
@@ -64962,6 +69104,36 @@
 "uuid": "cbeaf9b5-865f-44a1-a913-9eec28d7a5ff",
 "value": "PwC Yellow Liderc October 25 2023"
 },
+ {
+ "description": "PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-14T00:00:00Z",
+ "date_published": "2023-10-25T00:00:00Z",
+ "refs": [
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html"
+ ],
+ "source": "MITRE",
+ "title": "Yellow Liderc ships its scripts and delivers IMAPLoader malware"
+ },
+ "related": [],
+ "uuid": "e473a371-2f34-5391-8888-42082b0a1904",
+ "value": "PWC Yellow Liderc 2023"
+ },
+ {
+ "description": "PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved March 29, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-29T00:00:00Z",
+ "date_published": "2023-10-25T00:00:00Z",
+ "refs": [
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html"
+ ],
+ "source": "MITRE",
+ "title": "Yellow Liderc ships its scripts and delivers IMAPLoader malware"
+ },
+ "related": [],
+ "uuid": "b6544ea7-befa-53ae-95fa-5c227c848c46",
+ "value": "PwC Yellow Liderc"
+ },
 {
 "description": "Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.",
 "meta": {
diff --git a/clusters/tidal-software.json b/clusters/tidal-software.json
index 5b1a0f6..d082189 100644
--- a/clusters/tidal-software.json
+++ b/clusters/tidal-software.json
@@ -86,10 +86,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d",
- "type": "used-by"
- },
 {
 "dest-uuid": "ce126445-6984-45bb-9737-35448f06f27b",
 "type": "used-by"
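Review bot: After this hunk the reference list holds three objects for one PwC article and one URL: the existing `cbeaf9b5-…` (`PwC Yellow Liderc October 25 2023`, in context), the genuinely new `e473a371-…` (`PWC Yellow Liderc 2023`), and `b6544ea7-…` (`PwC Yellow Liderc`), which the earlier hunk on the previous line only removes so it can be re-inserted here in sorted position. The three differ solely in `date_accessed` and display value, so any consumer keying on the URL sees one source with three identities, and the UI shows three near-identical names. Unless downstream objects already link each UUID, I would not add `e473a371-…` at all and instead repoint whatever cites it to `cbeaf9b5-…`; if all three must stay for compatibility, at least give them one consistent display value so they read as the same source.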
@@ -98,14 +94,26 @@ "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, + { + "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", + "type": "used-by" + }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, + { + "dest-uuid": "8957f42d-a069-542b-bce6-3059a2fa0f2e", + "type": "used-by" + }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, + { + "dest-uuid": "2cc28cf9-d030-4609-acdc-0b0429580bb4", + "type": "used-by" + }, { "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", "type": "used-by" @@ -156,13 +164,17 @@ "description": "[AADInternals](https://app.tidalcyber.com/software/3d33fbf5-c21e-4587-ba31-9aeec3cc10c0) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[[AADInternals Github](https://app.tidalcyber.com/references/643d3947-c0ec-47c4-bb58-5e546084433c)][[AADInternals Documentation](https://app.tidalcyber.com/references/320231a1-4dbe-4eaa-b14d-48de738ba697)]", "meta": { "platforms": [ - "Azure AD", + "Identity Provider", + "Office Suite", "Office 365", - "Windows" + "Google Workspace", + "Windows", + "Azure AD" ], "software_attack_id": "S0677", "source": "MITRE", "tags": [ + "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "c9c73000-30a5-4a16-8c8b-79169f9c24aa", "cd1b5d44-226e-4405-8985-800492cf2865" ], @@ -174,6 +186,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "de72d564-6487-4cf3-be3e-0a961cf15d5d", + "type": "used-by" } ], "uuid": "3d33fbf5-c21e-4587-ba31-9aeec3cc10c0", @@ -369,10 +385,6 @@ ] }, "related": [ - { - "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", - "type": "used-by" - }, { "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", "type": "used-by" 
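Review bot: The AADInternals `platforms` list on the new side of the second hunk mixes what appear to be the consolidated ATT&CK platform names (`Identity Provider`, `Office Suite`) with the legacy values they replace (`Azure AD`, `Office 365`) and adds `Google Workspace`, which nothing in the object's own description — a framework for administering, enumerating and exploiting Azure Active Directory — supports. If the legacy values are retained deliberately so existing platform filters keep matching, strict JSON leaves nowhere to say so, and that intent belongs in the commit message. Otherwise I would drop `"Google Workspace",` and settle on one taxonomy per object so a consumer filtering on platform gets a stable answer rather than both the old and new name for the same thing.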
@@ -382,41 +394,61 @@ "type": "used-by" }, { - "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", + "type": "used-by" + }, + { + "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, - { - "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", - "type": "used-by" - }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, - { - "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", - "type": "used-by" - }, - { - "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", - "type": "used-by" - }, - { - "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", - "type": "used-by" - }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, + { + "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", + "type": "used-by" + }, + { + "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", + "type": "used-by" + }, + { + "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "type": "used-by" + }, + { + "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", + "type": "used-by" + }, + { + "dest-uuid": "8957f42d-a069-542b-bce6-3059a2fa0f2e", + "type": "used-by" + }, + { + "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", + "type": "used-by" + }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, + { + "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7", + "type": "used-by" + }, + { + "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", + "type": "used-by" + }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" @@ -428,14 +460,6 @@ { "dest-uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342", "type": "used-by" - }, - { - "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", - "type": "used-by" - }, - { - "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", - "type": "used-by" } ], "uuid": "70559096-2a6b-4388-97e6-c2b16f3be78e", 
@@ -485,6 +509,10 @@ { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" + }, + { + "dest-uuid": "de72d564-6487-4cf3-be3e-0a961cf15d5d", + "type": "used-by" } ], "uuid": "c227bea1-9996-49d6-97ca-10a2fc156747", @@ -500,6 +528,7 @@ "software_attack_id": "S3024", "source": "Tidal Cyber", "tags": [ + "da180b04-2897-4416-a904-9d7e336d9ee4", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -536,10 +565,18 @@ "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, + { + "dest-uuid": "8957f42d-a069-542b-bce6-3059a2fa0f2e", + "type": "used-by" + }, { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" }, + { + "dest-uuid": "2cc28cf9-d030-4609-acdc-0b0429580bb4", + "type": "used-by" + }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" @@ -575,10 +612,6 @@ ] }, "related": [ - { - "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", - "type": "used-by" - }, { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" @@ -591,6 +624,10 @@ "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, + { + "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", + "type": "used-by" + }, { "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", "type": "used-by" @@ -837,6 +874,10 @@ ] }, "related": [ + { + "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", + "type": "used-by" + }, { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" 
@@ -961,30 +1002,6 @@ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, - { - "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", - "type": "used-by" - }, - { - "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", - "type": "used-by" - }, - { - "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", - "type": "used-by" - }, - { - "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", - "type": "used-by" - }, - { - "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", - "type": "used-by" - }, - { - "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", - "type": "used-by" - }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" @@ -993,6 +1010,10 @@ "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866", "type": "used-by" }, + { + "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", + "type": "used-by" + }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" @@ -1005,6 +1026,14 @@ "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, + { + "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", + "type": "used-by" + }, { "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", "type": "used-by" @@ -1021,10 +1050,26 @@ "dest-uuid": "00b45c13-d165-44d0-ad6b-99787d2a7ce3", "type": "used-by" }, + { + "dest-uuid": "de72d564-6487-4cf3-be3e-0a961cf15d5d", + "type": "used-by" + }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, + { + "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", + "type": "used-by" + }, + { + "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", + "type": "used-by" + }, + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + }, { "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", "type": "used-by" 
@@ -1041,6 +1086,31 @@ "uuid": "922447fd-f41e-4bcf-b479-88137c81099c", "value": "AnyDesk" }, + { + "description": "[Apostle](https://app.tidalcyber.com/software/f525a28f-2500-585c-a1c7-063ecec8376e) is malware that has functioned as both a wiper and, in more recent versions, as ransomware. [Apostle](https://app.tidalcyber.com/software/f525a28f-2500-585c-a1c7-063ecec8376e) is written in .NET and shares various programming and functional overlaps with [IPsec Helper](https://app.tidalcyber.com/software/e6fa005e-4690-5336-8a03-5f667ea38f3f).[[SentinelOne Agrius 2021](https://app.tidalcyber.com/references/b5b433a1-5d12-5644-894b-c42d995c9ba5)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1133", + "source": "MITRE", + "tags": [ + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "2e621fc5-dea4-4cb9-987e-305845986cd3" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "36c70cf2-c7d5-5926-8155-5d3a63e3e55a", + "type": "used-by" + } + ], + "uuid": "f525a28f-2500-585c-a1c7-063ecec8376e", + "value": "Apostle" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Tool used for installation of AppX/MSIX applications on Windows 10\n\n**Author:** Wade Hickey\n\n**Paths:**\n* C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\\AppInstaller.exe\n\n**Resources:**\n* [https://twitter.com/notwhickey/status/1333900137232523264](https://twitter.com/notwhickey/status/1333900137232523264)\n\n**Detection:**\n* Sigma: [dns_query_win_lolbin_appinstaller.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml)[[AppInstaller.exe - LOLBAS 
Project](/references/9a777e7c-e76c-465c-8b45-67503e715f7e)]", "meta": { @@ -1094,7 +1164,6 @@ "description": "[AppleSeed](https://app.tidalcyber.com/software/9df2e42e-b454-46ea-b50d-2f7d999f3d42) is a backdoor that has been used by [Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) to target South Korean government, academic, and commercial targets since at least 2021.[[Malwarebytes Kimsuky June 2021](https://app.tidalcyber.com/references/9a497c56-f1d3-4889-8c1a-14b013f14668)]", "meta": { "platforms": [ - "Android", "Windows" ], "software_attack_id": "S0622", @@ -1146,8 +1215,8 @@ "software_attack_id": "S3001", "source": "Tidal Cyber", "tags": [ + "c545270e-a6d4-4d89-af6e-d8be7219405d", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", - "a2e000da-8181-4327-bacd-32013dbd3654", "84615fe0-c2a5-4e07-8957-78ebc29b4635", "2feda37d-5579-4102-a073-aa02e82cb49f" ], @@ -1198,14 +1267,6 @@ ] }, "related": [ - { - "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", - "type": "used-by" - }, - { - "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", - "type": "used-by" - }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" @@ -1214,9 +1275,17 @@ "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, + { + "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", + "type": "used-by" + }, { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "type": "used-by" } ], "uuid": "45b51950-6190-4572-b1a2-7c69d865251e", 
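Review bot: The new Apostle object's description links to `[IPsec Helper](…/software/e6fa005e-4690-5336-8a03-5f667ea38f3f)`, but no object with that UUID is added anywhere in this diff, so the link is valid only if IPsec Helper already exists in tidal-software.json outside the visible hunks; worth confirming before merge, because a dangling software link renders as a dead page rather than failing any lint. The `used-by` target `36c70cf2-…` is at least consistent with the BFG Agonizer object added later in the same file, whose description resolves that UUID to Agrius. This hunk starts on the previous line.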
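Review bot: The AppleSeed hunk (`@@ -1094,7 +1164,6 @@`) drops `Android` from `platforms` while the object's description still rests solely on the Malwarebytes Kimsuky June 2021 report, which, if memory serves, is also the source that documents an Android build of AppleSeed; if the removal is meant to mirror the upstream MITRE platform list, that is a defensible policy, but it then contradicts the dataset's own cited evidence rather than correcting it. I would either keep `"Android",` or record in the commit message that platforms now track ATT&CK S0622 regardless of the cited report, so the next reviewer does not re-add it.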
@@ -1259,18 +1328,22 @@ ] }, "related": [ - { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", - "type": "used-by" - }, { "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b", "type": "used-by" }, + { + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "type": "used-by" + }, { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" }, + { + "dest-uuid": "36c70cf2-c7d5-5926-8155-5d3a63e3e55a", + "type": "used-by" + }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" @@ -1324,10 +1397,6 @@ ] }, "related": [ - { - "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", - "type": "used-by" - }, { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" @@ -1335,6 +1404,10 @@ { "dest-uuid": "153c14a6-31b7-44f2-892e-6d9fdc152267", "type": "used-by" + }, + { + "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", + "type": "used-by" } ], "uuid": "d587efff-4699-51c7-a4cc-bdbd1b302ed4", @@ -1433,22 +1506,14 @@ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, - { - "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", - "type": "used-by" - }, - { - "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", - "type": "used-by" - }, - { - "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", - "type": "used-by" - }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, + { + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "type": "used-by" + }, { "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf", "type": "used-by" @@ -1457,10 +1522,6 @@ "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, - { - "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", - "type": "used-by" - }, { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" 
@@ -1468,6 +1529,18 @@ { "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", "type": "used-by" + }, + { + "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", + "type": "used-by" + }, + { + "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", + "type": "used-by" + }, + { + "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", + "type": "used-by" } ], "uuid": "f8113a9f-a706-46df-8370-a9cef1c75f30", @@ -1669,6 +1742,7 @@ "software_attack_id": "S1053", "source": "MITRE", "tags": [ + "b802443a-37b2-4c38-addd-75e4efb1defd", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "c3779a84-8132-4c62-be2f-9312ad41c273", "ce9f1048-09c1-49b0-a109-dd604afbf3cd", @@ -1790,6 +1864,8 @@ "software_attack_id": "S0638", "source": "MITRE", "tags": [ + "c545270e-a6d4-4d89-af6e-d8be7219405d", + "b802443a-37b2-4c38-addd-75e4efb1defd", "64d3f7d8-30b7-4b03-bee2-a6029672216c", "375983b3-6e87-4281-99e2-1561519dd17b", "3ed2343c-a29c-42e2-8259-410381164c6a", @@ -1801,8 +1877,7 @@ "fde4c246-7d2d-4d53-938b-44651cf273f1", "964c2590-4b52-48c6-afff-9a6d72e68908", "5e7433ad-a894-4489-93bc-41e90da90019", - "7e7b0c67-bb85-4996-a289-da0e792d7172", - "a2e000da-8181-4327-bacd-32013dbd3654" + "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" 
@@ -2309,6 +2384,30 @@ "uuid": "a114a498-fcfd-4e0a-9d1e-e26750d71af8", "value": "BendyBear" }, + { + "description": "[BFG Agonizer](https://app.tidalcyber.com/software/99005f44-fb72-5c19-80c6-3b660daf9b11) is a wiper related to the open-source project CRYLINE-v.5.0. The malware is associated with wiping operations conducted by the [Agrius](https://app.tidalcyber.com/groups/36c70cf2-c7d5-5926-8155-5d3a63e3e55a) threat actor.[[Unit42 Agrius 2023](https://app.tidalcyber.com/references/70fb43bd-f8e1-56a5-a0e9-884e85f16b10)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1136", + "source": "MITRE", + "tags": [ + "2e621fc5-dea4-4cb9-987e-305845986cd3" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "36c70cf2-c7d5-5926-8155-5d3a63e3e55a", + "type": "used-by" + } + ], + "uuid": "99005f44-fb72-5c19-80c6-3b660daf9b11", + "value": "BFG Agonizer" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Background Information Utility included with SysInternals Suite\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* No fixed path\n\n**Resources:**\n* [https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/](https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_bginfo.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: 
[defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)[[Bginfo.exe - LOLBAS Project](/references/ca1eaac2-7449-4a76-bec2-9dc5971fd808)]", "meta": { @@ -2481,21 +2580,13 @@ }, "related": [ { - "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "dest-uuid": "753c7cd1-ca9f-4632-bbd2-fd55b9e70b10", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, - { - "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", - "type": "used-by" - }, - { - "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", - "type": "used-by" - }, { "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", "type": "used-by" @@ -2504,17 +2595,33 @@ "dest-uuid": "275ca7b0-3b21-4c3a-8b6f-57b6f0ffb6fb", "type": "used-by" }, - { - "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", - "type": "used-by" - }, { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, + { + "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", + "type": "used-by" + }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", + "type": "used-by" + }, + { + "dest-uuid": "f0dab388-1641-50aa-b0b2-6bdb816e0490", + "type": "used-by" + }, + { + "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", + "type": "used-by" } ], "uuid": "52a20d3d-1edd-4f17-87f0-b77c67d260b4", 
@@ -2529,6 +2636,7 @@
 "software_attack_id": "S1070",
 "source": "MITRE",
 "tags": [
+ "b802443a-37b2-4c38-addd-75e4efb1defd",
 "da5af5bf-d4f3-4bbb-9638-57ea2dc2c776",
 "89c5b94b-ecf4-4d53-9b74-3465086d4565",
 "d903e38b-600d-4736-9e3b-cf1a6e436481",
@@ -2566,6 +2674,7 @@
 "software_attack_id": "S1068",
 "source": "MITRE",
 "tags": [
+ "b802443a-37b2-4c38-addd-75e4efb1defd",
 "d5248609-d9ed-4aad-849a-aa0476f85dea",
 "562e535e-19f5-4d6c-81ed-ce2aec544f09",
 "1dc8fd1e-0737-405a-98a1-111dd557f1b5",
@@ -2578,14 +2687,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
- "type": "used-by"
- },
- {
- "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f",
- "type": "used-by"
- },
 {
 "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800",
 "type": "used-by"
@@ -2594,9 +2695,21 @@
 "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "de72d564-6487-4cf3-be3e-0a961cf15d5d",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f",
+ "type": "used-by"
 }
 ],
 "uuid": "691369e5-ef74-5ff9-bc20-34efeb4b6c5b",
@@ -2615,6 +2728,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
 "type": "used-by"
@@ -2622,10 +2739,6 @@
 {
 "dest-uuid": "5f083251-f5dc-459a-abfc-47a1aa7f5094",
 "type": "used-by"
- },
- {
- "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
- "type": "used-by"
 }
 ],
 "uuid": "e85e2fca-9347-4448-bfc1-342f29d5d6a1",
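Review bot: The new side of `@@ -2594,9 +2695,21 @@` lists `dest-uuid` `3d77fb6c-cfb4-5563-b0be-7aa1ad535337` twice in the `related` array of object `691369e5-ef74-5ff9-bc20-34efeb4b6c5b`: once as the retained context entry at the top of the hunk and again as the first added entry. The old side carried the same duplicate (the copy removed in `@@ -2578,14 +2687,6 @@` was the other one), so the reorder preserves the defect rather than fixing it. Duplicate `used-by` relations inflate relationship counts and produce double edges in MISP consumers that build a graph from `related`. Drop the added four-line block for that uuid so the relation appears once, and consider having the generator de-duplicate `related` on the pair (`dest-uuid`, `type`) before writing the cluster.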
@@ -2710,10 +2823,11 @@ "software_attack_id": "S3139", "source": "Tidal Cyber", "tags": [ + "c545270e-a6d4-4d89-af6e-d8be7219405d", + "b802443a-37b2-4c38-addd-75e4efb1defd", "2917207f-aa63-4c4a-b2d2-be7e16d1f25c", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", - "a2e000da-8181-4327-bacd-32013dbd3654", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", @@ -2784,7 +2898,7 @@ }, "related": [ { - "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", + "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, { @@ -2792,23 +2906,7 @@ "type": "used-by" }, { - "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", - "type": "used-by" - }, - { - "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", - "type": "used-by" - }, - { - "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", - "type": "used-by" - }, - { - "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", - "type": "used-by" - }, - { - "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", + "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { @@ -2816,12 +2914,36 @@ "type": "used-by" }, { - "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "type": "used-by" + }, + { + "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", + "type": "used-by" + }, + { + "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", + "type": "used-by" + }, + { + "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "type": "used-by" + }, + { + "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", + "type": "used-by" + }, + { + "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", + "type": "used-by" + }, + { + "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7", + "type": "used-by" } ], "uuid": "72658763-8077-451e-8572-38858f8cacf3", 
@@ -2980,6 +3102,25 @@
 "uuid": "d3e46011-3433-426c-83b3-61c2576d5f71",
 "value": "BoxCaon"
 },
+ {
+ "description": "[BPFDoor](https://app.tidalcyber.com/software/1c75c6dc-7b74-5b15-ae9a-59f9cc98e662) is a Linux based passive long-term backdoor used by China-based threat actors. First seen in 2021, [BPFDoor](https://app.tidalcyber.com/software/1c75c6dc-7b74-5b15-ae9a-59f9cc98e662) is named after its usage of Berkley Packet Filter (BPF) to execute single task instructions. [BPFDoor](https://app.tidalcyber.com/software/1c75c6dc-7b74-5b15-ae9a-59f9cc98e662) supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP and can start local or reverse shells that bypass firewalls using iptables.[[Sandfly BPFDoor 2022](https://app.tidalcyber.com/references/01c8337f-614b-5f63-870f-5c880b390922)][[Deep Instinct BPFDoor 2023](https://app.tidalcyber.com/references/c246b4da-75fb-5b41-ba9c-c0eb1b261e37)]",
+ "meta": {
+ "platforms": [
+ "Linux"
+ ],
+ "software_attack_id": "S1161",
+ "source": "MITRE",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "1c75c6dc-7b74-5b15-ae9a-59f9cc98e662",
+ "value": "BPFDoor"
+ },
 {
 "description": "[Brave Prince](https://app.tidalcyber.com/software/51b27e2c-c737-4006-a657-195ea1a1f4f0) is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to [Gold Dragon](https://app.tidalcyber.com/software/348fdeb5-6a74-4803-ac6e-e0133ecd7263), and was seen along with [Gold Dragon](https://app.tidalcyber.com/software/348fdeb5-6a74-4803-ac6e-e0133ecd7263) and [RunningRAT](https://app.tidalcyber.com/software/e8afda1f-fa83-4fc3-b6fb-7d5daca7173f) in operations surrounding the 2018 Pyeongchang Winter Olympics. [[McAfee Gold Dragon](https://app.tidalcyber.com/references/4bdfa92b-cbbd-43e6-aa3e-422561ff8d7a)]",
 "meta": {
@@ -3130,6 +3271,10 @@ ] }, "related": [ + { + "dest-uuid": "b47551ba-8036-5527-abba-fed787c854a5", + "type": "used-by" + }, { "dest-uuid": "396a4361-3e84-47bc-9544-58e287c05799", "type": "used-by" @@ -3205,9 +3350,10 @@ "software_attack_id": "S3107", "source": "Tidal Cyber", "tags": [ + "c545270e-a6d4-4d89-af6e-d8be7219405d", + "b802443a-37b2-4c38-addd-75e4efb1defd", "83a25621-55a6-4b0d-be67-4905b6d3a1c6", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", - "a2e000da-8181-4327-bacd-32013dbd3654", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", @@ -3714,34 +3860,22 @@ ] }, "related": [ - { - "dest-uuid": "f1477581-d485-403f-a95f-c56bf88c5d1e", - "type": "used-by" - }, - { - "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", - "type": "used-by" - }, - { - "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", - "type": "used-by" - }, - { - "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", - "type": "used-by" - }, - { - "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", - "type": "used-by" - }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, + { + "dest-uuid": "753c7cd1-ca9f-4632-bbd2-fd55b9e70b10", + "type": "used-by" + }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, + { + "dest-uuid": "f1477581-d485-403f-a95f-c56bf88c5d1e", + "type": "used-by" + }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" @@ -3751,13 +3885,17 @@ "type": "used-by" }, { - "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", + "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" }, + { + "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", + "type": "used-by" + }, { "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", "type": "used-by" 
@@ -3766,6 +3904,18 @@ "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, + { + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "type": "used-by" + }, + { + "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", + "type": "used-by" + }, + { + "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", + "type": "used-by" + }, { "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", "type": "used-by" 
@@ -3896,6 +4046,25 @@
 "uuid": "2fd6f564-918e-4ee7-920a-2b4be858d11a",
 "value": "Cherry Picker"
 },
+ {
+ "description": "[CHIMNEYSWEEP](https://app.tidalcyber.com/software/966f4b5c-e5f3-598e-9ac0-a5174c56827b) is a backdoor malware that was deployed during [HomeLand Justice](https://app.tidalcyber.com/campaigns/04329c95-d792-5333-b5bc-13ef2c545d7b) along with [ROADSWEEP](https://app.tidalcyber.com/software/5452ec27-0deb-5f29-bed9-5ee838040438) ransomware, and has been used to target Farsi and Arabic speakers since at least 2012.[[Mandiant ROADSWEEP August 2022](https://app.tidalcyber.com/references/0d81ec58-2e12-5824-aa53-feb0d2260f30)]",
+ "meta": {
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S1149",
+ "source": "MITRE",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "966f4b5c-e5f3-598e-9ac0-a5174c56827b",
+ "value": "CHIMNEYSWEEP"
+ },
 {
 "description": "[China Chopper](https://app.tidalcyber.com/software/723c5ab7-23ca-46f2-83bb-f1d1e550122c) is a [Web Shell](https://app.tidalcyber.com/technique/05a5318f-476d-44c1-8a85-9466295d31dd) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.[[Lee 2013](https://app.tidalcyber.com/references/6d1e2b0a-fed2-490b-be25-6580dfb7d6aa)] It has been used by several threat groups.[[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)][[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)][[CISA AA21-200A APT40 July 2021](https://app.tidalcyber.com/references/3a2dbd8b-54e3-406a-b77c-b6fae5541b6d)][[Rapid7 HAFNIUM Mar 2021](https://app.tidalcyber.com/references/cf05d229-c2ba-54f2-a79d-4b7c9185c663)]",
 "meta": {
@@ -3914,11 +4083,11 @@ }, "related": [ { - "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", + "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b", "type": "used-by" }, { - "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", + "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { @@ -3926,15 +4095,7 @@ "type": "used-by" }, { - "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b", - "type": "used-by" - }, - { - "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", - "type": "used-by" - }, - { - "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", + "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { @@ -3948,6 +4109,14 @@ { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" + }, + { + "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", + "type": "used-by" + }, + { + "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", + "type": "used-by" } ], "uuid": "723c5ab7-23ca-46f2-83bb-f1d1e550122c", @@ -4080,7 +4249,7 @@ "macOS", "Windows" ], - "software_attack_id": "S5281", + "software_attack_id": "S3386", "source": "Tidal Cyber", "tags": [ "9775efc2-e8ac-47de-bd2a-bb08202b48fd", @@ -4131,7 +4300,8 @@ "software_attack_id": "S3164", "source": "Tidal Cyber", "tags": [ - "a2e000da-8181-4327-bacd-32013dbd3654", + "c545270e-a6d4-4d89-af6e-d8be7219405d", + "b802443a-37b2-4c38-addd-75e4efb1defd", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", @@ -4262,10 +4432,6 @@ ] }, "related": [ - { - "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", - "type": "used-by" - }, { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" @@ -4273,6 +4439,10 @@ { "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", "type": "used-by" + }, + { + "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", + "type": "used-by" } ], "uuid": "5321aa75-924c-47ae-b97a-b36f023abf2a", 
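Review bot: In `@@ -4080,7 +4249,7 @@` an existing object's `software_attack_id` is renumbered from `S5281` to `S3386` while nothing else about the object changes, and nothing in the hunk or the patch subject records why. Consumers that key on that id rather than on `uuid` will lose track of the object across this version. If the change corrects a collision with another object's id, say so in the commit message and, where the schema allows, keep the old value as an alias in `meta`; if the id was simply wrong, a one-line changelog entry is enough. The object's `uuid` and `value` lie outside the hunk, so I could not check whether a second object already carries `S3386`.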
@@ -4343,11 +4513,11 @@ }, "related": [ { - "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { - "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8", + "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { @@ -4359,7 +4529,11 @@ "type": "used-by" }, { - "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", + "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8", + "type": "used-by" + }, + { + "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", "type": "used-by" }, { @@ -4367,7 +4541,11 @@ "type": "used-by" }, { - "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", + "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", + "type": "used-by" + }, + { + "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" }, { @@ -4394,10 +4572,6 @@ "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, - { - "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", - "type": "used-by" - }, { "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" @@ -4475,7 +4649,7 @@ "type": "used-by" }, { - "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", + "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" } ], @@ -4492,6 +4666,10 @@ "software_attack_id": "S3201", "source": "Tidal Cyber", "tags": [ + "51006447-540b-4b9d-bdba-1cbff8038ae9", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "15787198-6c8b-4f79-bf50-258d55072fee", "96bff827-e51f-47de-bde6-d2eec0f99767", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" 
@@ -4603,62 +4781,14 @@ ] }, "related": [ + { + "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", + "type": "used-by" + }, { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, - { - "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", - "type": "used-by" - }, - { - "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", - "type": "used-by" - }, - { - "dest-uuid": "b8a349a6-cde1-4d95-b20f-44c62bbfc786", - "type": "used-by" - }, - { - "dest-uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75", - "type": "used-by" - }, - { - "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", - "type": "used-by" - }, - { - "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", - "type": "used-by" - }, - { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", - "type": "used-by" - }, - { - "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", - "type": "used-by" - }, - { - "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", - "type": "used-by" - }, - { - "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", - "type": "used-by" - }, - { - "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", - "type": "used-by" - }, - { - "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", - "type": "used-by" - }, - { - "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec", - "type": "used-by" - }, { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" @@ -4668,11 +4798,15 @@ "type": "used-by" }, { - "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf", + "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", "type": "used-by" }, { - "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", + "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", + "type": "used-by" + }, + { + "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" }, { 
@@ -4680,21 +4814,13 @@ "type": "used-by" }, { - "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, - { - "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", - "type": "used-by" - }, - { - "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", - "type": "used-by" - }, { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" 
@@ -4703,16 +4829,108 @@ "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, + { + "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", + "type": "used-by" + }, + { + "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec", + "type": "used-by" + }, { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" }, + { + "dest-uuid": "b8a349a6-cde1-4d95-b20f-44c62bbfc786", + "type": "used-by" + }, + { + "dest-uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75", + "type": "used-by" + }, + { + "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", + "type": "used-by" + }, + { + "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", + "type": "used-by" + }, + { + "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "type": "used-by" + }, + { + "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", + "type": "used-by" + }, + { + "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", + "type": "used-by" + }, + { + "dest-uuid": "e1e72810-4661-54c7-b05e-859128fb327d", + "type": "used-by" + }, + { + "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", + "type": "used-by" + }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, { - "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", + "dest-uuid": "de72d564-6487-4cf3-be3e-0a961cf15d5d", + "type": "used-by" + }, + { + "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", + "type": "used-by" + }, + { + "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf", + "type": "used-by" + }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, + { + "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", + "type": "used-by" + }, + { + "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", + "type": "used-by" + }, + { + "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", + "type": "used-by" + }, + { + "dest-uuid": "b10aa4c0-10a1-5e08-8d9d-82ce95d45e6a", + "type": "used-by" + }, + { + "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7", + "type": "used-by" + }, + { + 
"dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", + "type": "used-by" + }, + { + "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", + "type": "used-by" + }, + { + "dest-uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b", + "type": "used-by" + }, + { + "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { @@ -4728,31 +4946,7 @@ "type": "used-by" }, { - "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", - "type": "used-by" - }, - { - "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", - "type": "used-by" - }, - { - "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", - "type": "used-by" - }, - { - "dest-uuid": "b10aa4c0-10a1-5e08-8d9d-82ce95d45e6a", - "type": "used-by" - }, - { - "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", - "type": "used-by" - }, - { - "dest-uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b", - "type": "used-by" - }, - { - "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", + "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { @@ -4935,11 +5129,11 @@ }, "related": [ { - "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { - "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" } ], @@ -5018,6 +5212,7 @@ "software_attack_id": "S0591", "source": "MITRE", "tags": [ + "6b4ccbb1-d9a9-4ca3-9178-7d332c2c8a14", "d903e38b-600d-4736-9e3b-cf1a6e436481", "e551ae97-d1b4-484e-9267-89f33829ec2c", "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -5041,7 +5236,7 @@ }, "related": [ { - "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" }, { 
@@ -5052,12 +5247,16 @@ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, + { + "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", + "type": "used-by" + }, { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" }, { - "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", "type": "used-by" }, { @@ -5065,16 +5264,12 @@ "type": "used-by" }, { - "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", + "dest-uuid": "b4d068ac-9b68-4cd8-bf0c-019f910ef8e3", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" - }, - { - "dest-uuid": "b4d068ac-9b68-4cd8-bf0c-019f910ef8e3", - "type": "used-by" } ], "uuid": "6f9bb24d-cce2-49de-bedd-1849d9bde7a0", 
@@ -5299,6 +5494,32 @@
 "uuid": "ea9e2d19-89fe-4039-a1e0-467b14554c6f",
 "value": "CostaBricks"
 },
+ {
+ "description": "[Covenant](https://app.tidalcyber.com/software/c9cea5ac-b426-5484-a228-6eeffa173611) is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors such as [HAFNIUM](https://app.tidalcyber.com/groups/1bcc9382-ccfe-4b04-91f3-ef1250df5e5b) during operations. [Covenant](https://app.tidalcyber.com/software/c9cea5ac-b426-5484-a228-6eeffa173611) functions through a central listener managing multiple deployed \"Grunts\" that communicate back to the controller.[[Github Covenant](https://app.tidalcyber.com/references/b717c3ae-8ae0-53c9-90ba-a34cf7694f3c)][[Microsoft HAFNIUM March 2020](https://app.tidalcyber.com/references/6a986c46-79a3-49c6-94d2-d9b1f5db08f3)]",
+ "meta": {
+ "platforms": [
+ "macOS",
+ "Linux",
+ "Windows"
+ ],
+ "software_attack_id": "S1155",
+ "source": "MITRE",
+ "tags": [
+ "e81ba503-60b0-4b64-8f20-ef93e7783796"
+ ],
+ "type": [
+ "tool"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "c9cea5ac-b426-5484-a228-6eeffa173611",
+ "value": "Covenant"
+ },
 {
 "description": "[CozyCar](https://app.tidalcyber.com/software/c2353daa-fd4c-44e1-8013-55400439965a) is malware that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. [[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]",
 "meta": {
@@ -5332,6 +5553,7 @@
 "software_attack_id": "S0488",
 "source": "MITRE",
 "tags": [
+ "f683d62f-15d4-43c0-a8a3-7d6310e552f3",
 "af5e9be5-b86e-47af-91dd-966a5e34a186",
 "35e694ec-5133-46e3-b7e1-5831867c3b55",
 "d8f7e071-fbfd-46f8-b431-e241bb1513ac",
@@ -5348,7 +5570,7 @@
 },
 "related": [
 {
- "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1",
+ "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
 "type": "used-by"
 },
 {
@@ -5356,7 +5578,7 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
+ "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1",
 "type": "used-by"
 },
 {
@@ -5366,6 +5588,10 @@
 {
 "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d",
+ "type": "used-by"
 }
 ],
 "uuid": "47e710b4-1397-47cf-a979-20891192f313",
@@ -5424,6 +5650,8 @@
 "meta": {
 "platforms": [
 "Office 365",
+ "Google Workspace",
+ "Office Suite",
 "Windows"
 ],
 "software_attack_id": "S1023",
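Review bot: The `platforms` array in `@@ -5424,6 +5650,8 @@` now carries `"Office 365"`, `"Google Workspace"` and `"Office Suite"` side by side. As I understand the ATT&CK v16 release, `Office Suite` is the consolidated platform that replaced the first two, so if this object mirrors upstream ATT&CK the two legacy values are redundant and should be dropped when the import script maps platforms; if the dataset keeps them on purpose for consumers pinned to the older names, that policy belongs in the generator or the cluster README so the next sync does not "fix" it. The object this `meta` belongs to (its `uuid` and `value`) lies outside the hunk.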
@@ -5691,6 +5919,25 @@ "uuid": "095064c6-144e-4935-b878-f82151bc08e4", "value": "Cuba" }, + { + "description": "[Cuckoo Stealer](https://app.tidalcyber.com/software/6e8c24c1-1cbd-5698-9a91-c3e0d937adf4) is a macOS malware with characteristics of spyware and an infostealer that has been in use since at least 2024. [Cuckoo Stealer](https://app.tidalcyber.com/software/6e8c24c1-1cbd-5698-9a91-c3e0d937adf4) is a universal Mach-O binary that can run on Intel or ARM-based Macs and has been spread through trojanized versions of various potentially unwanted programs or PUP's such as converters, cleaners, and uninstallers.[[Kandji Cuckoo April 2024](https://app.tidalcyber.com/references/90c4e23a-e6e7-511d-911c-1f8b64253aff)][[SentinelOne Cuckoo Stealer May 2024](https://app.tidalcyber.com/references/b5e0add8-bda6-5cae-85c7-58f7cab1579c)]\n", + "meta": { + "platforms": [ + "macOS" + ], + "software_attack_id": "S1153", + "source": "MITRE", + "tags": [ + "4d767e87-4cf6-438a-927a-43d2d0beaab7" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "6e8c24c1-1cbd-5698-9a91-c3e0d937adf4", + "value": "Cuckoo Stealer" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** A host process that is used by custom shells when using Windows in Kiosk mode.\n\n**Author:** Wietze Beukema\n\n**Paths:**\n* C:\\Windows\\System32\\CustomShellHost.exe\n\n**Resources:**\n* [https://twitter.com/YoSignals/status/1381353520088113154](https://twitter.com/YoSignals/status/1381353520088113154)\n* [https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher)\n\n**Detection:**\n* IOC: CustomShellHost.exe is unlikely to run on normal 
workstations\n* Sigma: [proc_creation_win_lolbin_customshellhost.yml](https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml)[[CustomShellHost.exe - LOLBAS Project](/references/96324ab1-7eb8-42dc-b19a-fa1d9f85e239)]", "meta": { 
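Review bot: The new `description` for `Cuckoo Stealer` in `@@ -5691,6 +5919,25 @@` ends with an escaped newline, `...b5e0add8-bda6-5cae-85c7-58f7cab1579c)]\n"`, which no sibling description in this view carries. A trailing `\n` renders as stray whitespace in galaxy viewers and makes exact-match comparison against the upstream MITRE text fail on the next sync. Trim it to `...b5e0add8-bda6-5cae-85c7-58f7cab1579c)]"`, preferably by stripping descriptions in the import script rather than by hand-editing the generated file.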
@@ -5714,7 +5961,7 @@ "value": "CustomShellHost" }, { - "description": "[Cyclops Blink](https://app.tidalcyber.com/software/68792756-7dbf-41fd-8d48-ac3cc2b52712) is a modular malware that has been used in widespread campaigns by [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.[[NCSC Cyclops Blink February 2022](https://app.tidalcyber.com/references/91ed6adf-f066-49e4-8ec7-1989bc6615a6)][[NCSC CISA Cyclops Blink Advisory February 2022](https://app.tidalcyber.com/references/bee6cf85-5cb9-4000-b82e-9e15aebfbece)][[Trend Micro Cyclops Blink March 2022](https://app.tidalcyber.com/references/64e9a24f-f386-4774-9874-063e0ebfb8e1)]", + "description": "[Cyclops Blink](https://app.tidalcyber.com/software/68792756-7dbf-41fd-8d48-ac3cc2b52712) is a modular malware that has been used in widespread campaigns by [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus. [Cyclops Blink](https://app.tidalcyber.com/software/68792756-7dbf-41fd-8d48-ac3cc2b52712) is assessed to be a replacement for [VPNFilter](https://app.tidalcyber.com/software/b2ea039c-3cd4-54f4-a46f-9ee79fe6350b), a similar platform targeting network devices.[[NCSC Cyclops Blink February 2022](https://app.tidalcyber.com/references/91ed6adf-f066-49e4-8ec7-1989bc6615a6)][[NCSC CISA Cyclops Blink Advisory February 2022](https://app.tidalcyber.com/references/bee6cf85-5cb9-4000-b82e-9e15aebfbece)][[Trend Micro Cyclops Blink March 2022](https://app.tidalcyber.com/references/64e9a24f-f386-4774-9874-063e0ebfb8e1)]", "meta": { "platforms": [ "Network" @@ -5826,6 +6073,7 @@ "software_attack_id": "S1111", "source": "MITRE", "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "7b774e30-5065-41bd-85e2-e02d09e419ed", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], 
@@ -5837,6 +6085,10 @@ { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" + }, + { + "dest-uuid": "e1e72810-4661-54c7-b05e-859128fb327d", + "type": "used-by" } ], "uuid": "39d81c48-8f7c-54cb-8fac-485598e31a55", @@ -6029,6 +6281,34 @@ "uuid": "e9533664-90c5-5b40-a40e-a69a2eda8bc9", "value": "DEADEYE" }, + { + "description": "[DEADWOOD](https://app.tidalcyber.com/software/787609d5-43b0-5c79-9b88-9788de1a5f6f) is wiper malware written in C++ using Boost libraries. [DEADWOOD](https://app.tidalcyber.com/software/787609d5-43b0-5c79-9b88-9788de1a5f6f) was first observed in an unattributed wiping event in Saudi Arabia in 2019, and has since been incorporated into [Agrius](https://app.tidalcyber.com/groups/36c70cf2-c7d5-5926-8155-5d3a63e3e55a) operations.[[SentinelOne Agrius 2021](https://app.tidalcyber.com/references/b5b433a1-5d12-5644-894b-c42d995c9ba5)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1134", + "source": "MITRE", + "tags": [ + "2e621fc5-dea4-4cb9-987e-305845986cd3" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "36c70cf2-c7d5-5926-8155-5d3a63e3e55a", + "type": "used-by" + }, + { + "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", + "type": "used-by" + } + ], + "uuid": "787609d5-43b0-5c79-9b88-9788de1a5f6f", + "value": "DEADWOOD" + }, { "description": "[DealersChoice](https://app.tidalcyber.com/software/64dc5d44-2304-4875-b517-316ab98512c2) is a Flash exploitation framework used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5). [[Sofacy DealersChoice](https://app.tidalcyber.com/references/ec157d0c-4091-43f5-85f1-a271c4aac1fc)]", "meta": { 
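Review bot: The new DEADWOOD object carries a second used-by edge to `99bbbe25-45af-492f-a7ff-7cbc57828bac` that neither its description nor its single SentinelOne citation accounts for; the text attributes the malware only to Agrius plus an unattributed 2019 Saudi wiping event. Anything that consumes this file as an attribution graph will treat that edge as a sourced claim, so either add a sentence and reference supporting it (e.g. `… and has also been attributed to <group> by <source>.`) or drop the edge until one exists. If the relationship was inherited from an upstream MITRE mapping, the description should still say so, since the format gives no other way to tell an inherited edge from a Tidal-asserted one.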
@@ -6130,6 +6410,33 @@ "uuid": "e8830cf3-53f3-4d15-858c-584589405fad", "value": "Defender Control" }, + { + "description": "Demodex is a rootkit observed during attacks linked to the GhostEmperor (AKA FamousSparrow and Salt Typhoon) China-backed cyberespionage group.[[Kaspersky September 30 2021](/references/8851f554-05c6-4fb0-807e-2ef0bc28e131)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3407", + "source": "Tidal Cyber", + "tags": [ + "1efd43ee-5752-49f2-99fe-e3441f126b00", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "753c7cd1-ca9f-4632-bbd2-fd55b9e70b10", + "type": "used-by" + } + ], + "uuid": "f484fae4-53ca-456b-89f1-3a583beacb9e", + "value": "Demodex" + }, { "description": "[Denis](https://app.tidalcyber.com/software/df4002d2-f557-4f95-af7a-9a4582fb7068) is a Windows backdoor and Trojan used by [APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145). [Denis](https://app.tidalcyber.com/software/df4002d2-f557-4f95-af7a-9a4582fb7068) shares several similarities to the [SOUNDBITE](https://app.tidalcyber.com/software/069538a5-3cb8-4eb4-9fbb-83867bb4d826) backdoor and has been used in conjunction with the [Goopy](https://app.tidalcyber.com/software/a75855fd-2b6b-43d8-99a5-2be03b544f34) backdoor.[[Cybereason Oceanlotus May 2017](https://app.tidalcyber.com/references/1ef3025b-d4a9-49aa-b744-2dbea10a0abf)]", "meta": { @@ -6198,6 +6505,10 @@ "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, + { + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "type": "used-by" + }, { "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" 
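Review bot: The Demodex description asserts that GhostEmperor is "AKA FamousSparrow and Salt Typhoon" as settled fact, but its only citation is a September 2021 Kaspersky report, which predates the Salt Typhoon name and cannot support that alias chain. The overlap between those clusters is a vendor assessment rather than an established identity, so the sentence should be hedged and the source of the link cited, e.g. `Demodex is a rootkit observed in intrusions attributed to the China-nexus GhostEmperor cluster, which some vendors assess overlaps with FamousSparrow and Salt Typhoon.` Alias claims also belong on the group object the `related` edge points to (`753c7cd1-…`), not duplicated in a software description where they will drift out of sync.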
@@ -6205,10 +6516,6 @@
 {
 "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b",
 "type": "used-by"
- },
- {
- "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
- "type": "used-by"
 }
 ],
 "uuid": "9222aa77-922e-43c7-89ad-71067c428fb2",
@@ -6544,11 +6851,11 @@
 },
 "related": [
 {
- "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
+ "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd",
 "type": "used-by"
 },
 {
- "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd",
+ "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
 "type": "used-by"
 }
 ],
@@ -6657,6 +6964,31 @@ "uuid": "e6160c55-1868-47bd-bec6-7becbf236bbb", "value": "Doki" }, + { + "description": "DomainPasswordSpray is an openly available GitHub project containing a PowerShell-based tool that can be used to conduct password spraying attacks.[[U.S. CISA Iranian Actors Critical Infrastructure October 16 2024](/references/a70a4487-eaae-43b3-bfe0-0677fd911959)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3404", + "source": "Tidal Cyber", + "tags": [ + "51006447-540b-4b9d-bdba-1cbff8038ae9", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "15787198-6c8b-4f79-bf50-258d55072fee", + "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", + "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c" + ], + "type": [ + "tool" + ] + }, + "related": [], + "uuid": "49a5c24f-98f5-47ea-8e29-7ff723883341", + "value": "DomainPasswordSpray" + }, { "description": "[Donut](https://app.tidalcyber.com/software/40d25a38-91f4-4e07-bb97-8866bed8e44f) is an open source framework used to generate position-independent shellcode.[[Donut Github](https://app.tidalcyber.com/references/5f28c41f-6903-4779-93d4-3de99e031b70)][[Introducing Donut](https://app.tidalcyber.com/references/8fd099c6-e002-44d0-8b7f-65f290a42c07)] [Donut](https://app.tidalcyber.com/software/40d25a38-91f4-4e07-bb97-8866bed8e44f) generated code has been used by multiple threat actors to inject and load malicious payloads into memory.[[NCC Group WastedLocker June 2020](https://app.tidalcyber.com/references/1520f2e5-2689-428f-9ee4-05e153a52381)]", "meta": { 
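Review bot: DomainPasswordSpray is added with `"related": []` even though its only citation is the CISA advisory on Iranian actors targeting critical infrastructure, so the one attribution the source offers is not captured as a used-by edge. If the advisory maps to a tracked group object, add that relationship; if attribution was deliberately left unmapped, say so in the description so the empty list is not read as "no known users". Since the entry is Tidal-authored, the description could also name the observable defenders key on — a burst of failed authentications across many accounts from a single source within a short window — provided the cited advisory supports that characterisation.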
@@ -7061,6 +7393,54 @@ "uuid": "d4a664e5-9819-4f33-8b2b-e6f8e6a64999", "value": "Duqu" }, + { + "description": "[DUSTPAN](https://app.tidalcyber.com/software/78454d3f-fa12-5b6f-9390-6412064d7c8d) is an in-memory dropper written in C/C++ used by [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) since 2021 that decrypts and executes an embedded payload.[[Google Cloud APT41 2024](https://app.tidalcyber.com/references/33bb9f8a-db9d-5dda-b4ae-2ba7fee0a0ae)][[Google Cloud APT41 2022](https://app.tidalcyber.com/references/c65cfdde-bc7f-5cd2-b1ee-066b7cc2eb6a)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1158", + "source": "MITRE", + "tags": [ + "84615fe0-c2a5-4e07-8957-78ebc29b4635" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "type": "used-by" + } + ], + "uuid": "78454d3f-fa12-5b6f-9390-6412064d7c8d", + "value": "DUSTPAN" + }, + { + "description": "[DUSTTRAP](https://app.tidalcyber.com/software/ed72d5bb-2cf7-51a4-9d76-97fbd11c54d0) is a multi-stage plugin framework associated with [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) operations with multiple components.[[Google Cloud APT41 2024](https://app.tidalcyber.com/references/33bb9f8a-db9d-5dda-b4ae-2ba7fee0a0ae)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1159", + "source": "MITRE", + "tags": [ + "84615fe0-c2a5-4e07-8957-78ebc29b4635" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "type": "used-by" + } + ], + "uuid": "ed72d5bb-2cf7-51a4-9d76-97fbd11c54d0", + "value": "DUSTTRAP" + }, { "description": "[DustySky](https://app.tidalcyber.com/software/77506f02-104f-4aac-a4e0-9649bd7efe2e) is multi-stage malware written in .NET that has been used by [Molerats](https://app.tidalcyber.com/groups/679b7b6b-9659-4e56-9ffd-688a6fab01b6) since May 2015. 
[[DustySky](https://app.tidalcyber.com/references/b9e0770d-f54a-4ada-abd1-65c45eee00fa)] [[DustySky2](https://app.tidalcyber.com/references/4a3ecdec-254c-4eb4-9126-f540bb21dffe)][[Kaspersky MoleRATs April 2019](https://app.tidalcyber.com/references/38216a34-5ffd-4e79-80b1-7270743b728e)]", "meta": { @@ -7152,11 +7532,11 @@ }, "related": [ { - "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { - "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" } ], 
@@ -7164,7 +7544,7 @@ "value": "Earthworm" }, { - "description": "[Ebury](https://app.tidalcyber.com/software/2375465a-e6a9-40ab-b631-a5b04cf5c689) is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).[[ESET Ebury Feb 2014](https://app.tidalcyber.com/references/eb6d4f77-ac63-4cb8-8487-20f9e709334b)][[BleepingComputer Ebury March 2017](https://app.tidalcyber.com/references/e5d69297-b0f3-4586-9eb7-d2922b3ee7bb)][[ESET Ebury Oct 2017](https://app.tidalcyber.com/references/5257a8ed-1cc8-42f8-86a7-8c0fd0e553a7)]", + "description": "[Ebury](https://app.tidalcyber.com/software/2375465a-e6a9-40ab-b631-a5b04cf5c689) is an OpenSSH backdoor and credential stealer targeting Linux servers and container hosts developed by [Windigo](https://app.tidalcyber.com/groups/eeb69751-8c22-4a5f-8da2-239cc7d7746c). [Ebury](https://app.tidalcyber.com/software/2375465a-e6a9-40ab-b631-a5b04cf5c689) is primarily installed through modifying shared libraries (`.so` files) executed by the legitimate OpenSSH program. First seen in 2009, [Ebury](https://app.tidalcyber.com/software/2375465a-e6a9-40ab-b631-a5b04cf5c689) has been used to maintain a botnet of servers, deploy additional malware, and steal cryptocurrency wallets, credentials, and credit card details.[[ESET Ebury Feb 2014](https://app.tidalcyber.com/references/eb6d4f77-ac63-4cb8-8487-20f9e709334b)][[BleepingComputer Ebury March 2017](https://app.tidalcyber.com/references/e5d69297-b0f3-4586-9eb7-d2922b3ee7bb)][[ESET Ebury Oct 2017](https://app.tidalcyber.com/references/5257a8ed-1cc8-42f8-86a7-8c0fd0e553a7)][[ESET Ebury May 2024](https://app.tidalcyber.com/references/7df9b7ed-ecac-5432-9fc2-8961fc315415)]", "meta": { "platforms": [ "Linux" 
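Review bot: The rewritten Ebury description drops the original's statement that attackers need root-level access to install it, which is the prerequisite a defender most wants from this entry. The new text says Ebury is installed by modifying shared libraries executed by the legitimate OpenSSH binary; writing to those system library paths still implies root (or equivalent write access) on the host, so the caveat remains true and should be kept, e.g. append `Installation requires root-level access to the host.` after the `.so` sentence. The text appears to mirror the upstream MITRE description verbatim, so if policy is not to edit MITRE-sourced prose, the caveat belongs in a Tidal-specific field rather than being lost.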
@@ -7291,6 +7671,28 @@ "uuid": "fbd2d7b0-0aa8-459f-8bfa-16daae769282", "value": "EDRSandBlast" }, + { + "description": "EDRSilencer is an open-source tool designed to disrupt the functionality of endpoint detection and response (EDR) solutions by leveraging the Windows Filtering Platform (WFP), a Microsoft Windows framework specifically created to facilitate security solution operations.[[Trend Micro October 15 2024](/references/7c49c1fd-0a02-457d-97d2-13e72f489f1f)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3405", + "source": "Tidal Cyber", + "tags": [ + "3eb94192-3889-4cde-8c5f-460afa2fccce", + "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", + "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb" + ], + "type": [ + "tool" + ] + }, + "related": [], + "uuid": "9c62329b-d02e-457a-9add-4df749eb7f54", + "value": "EDRSilencer" + }, { "description": "A credential dumping tool associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]", "meta": { @@ -7373,7 +7775,8 @@ "software_attack_id": "S3145", "source": "Tidal Cyber", "tags": [ - "a2e000da-8181-4327-bacd-32013dbd3654", + "c545270e-a6d4-4d89-af6e-d8be7219405d", + "b802443a-37b2-4c38-addd-75e4efb1defd", "5e7433ad-a894-4489-93bc-41e90da90019", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "7e7b0c67-bb85-4996-a289-da0e792d7172", 
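Review bot: The EDRSilencer description says the tool "disrupts the functionality" of EDR via the Windows Filtering Platform but never says how, which is the one thing a detection engineer needs from this entry. The Trend Micro write-up it cites describes it adding WFP filters that block outbound traffic from EDR agent processes (confirm against the reference), so something like `…by adding Windows Filtering Platform (WFP) filters that block outbound network traffic from EDR agent processes, silencing telemetry while the agent keeps running` would be more useful, and persistent WFP filters/sublayers become a concrete hunting lead if the reference supports it. The object is also added with `"related": []`; if the cited article attributes use of the tool to a tracked group, that used-by edge should be mapped.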
@@ -7438,6 +7841,35 @@ "uuid": "6a3ca97e-6dd6-44e5-a5f0-7225099ab474", "value": "ELMER" }, + { + "description": "Embargo is a ransomware strain written in Rust, which Microsoft researchers described as leveraging \"advanced encryption methods\". The Storm-0501 group was observed deploying Embargo during a compromise of a U.S. victim's hybrid on-premise/cloud environment in Q3 2024.[[Microsoft Security Blog September 26 2024](/references/bf05138b-f690-4b0f-ba10-9af71f7d9bfc)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3389", + "source": "Tidal Cyber", + "tags": [ + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "de72d564-6487-4cf3-be3e-0a961cf15d5d", + "type": "used-by" + } + ], + "uuid": "2470a398-4507-4e82-bcc4-1a70ee6efb4c", + "value": "Embargo Ransomware" + }, { "description": "[Emissary](https://app.tidalcyber.com/software/fd95d38d-83f9-4b31-8292-ba2b04275b36) is a Trojan that has been used by [Lotus Blossom](https://app.tidalcyber.com/groups/2849455a-cf39-4a9f-bd89-c2b3c1e5dd52). It shares code with [Elise](https://app.tidalcyber.com/software/fd5efee9-8710-4536-861f-c88d882f4d24), with both Trojans being part of a malware group referred to as LStudio. [[Lotus Blossom Dec 2015](https://app.tidalcyber.com/references/dcbe51a0-6d63-4401-b19e-46cd3c42204c)]", "meta": { 
@@ -7460,7 +7892,7 @@ "value": "Emissary" }, { - "description": "[Emotet](https://app.tidalcyber.com/software/c987d255-a351-4736-913f-91e2f28d0654) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) and [IcedID](https://app.tidalcyber.com/software/7f59bb7c-5fa9-497d-9d8e-ba9349fd9433). Emotet first emerged in June 2014 and has been primarily used to target the banking sector. [[Trend Micro Banking Malware Jan 2019](https://app.tidalcyber.com/references/4fee21e3-1b8f-4e10-b077-b59e2df94633)]", + "description": "[Emotet](https://app.tidalcyber.com/software/c987d255-a351-4736-913f-91e2f28d0654) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) and [IcedID](https://app.tidalcyber.com/software/7f59bb7c-5fa9-497d-9d8e-ba9349fd9433). Emotet first emerged in June 2014, initially targeting the financial sector, and has expanded to multiple verticals over time.[[Trend Micro Banking Malware Jan 2019](https://app.tidalcyber.com/references/4fee21e3-1b8f-4e10-b077-b59e2df94633)]", "meta": { "platforms": [ "Windows" @@ -7517,15 +7949,7 @@ }, "related": [ { - "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", - "type": "used-by" - }, - { - "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", - "type": "used-by" - }, - { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" }, { 
@@ -7533,23 +7957,7 @@ "type": "used-by" }, { - "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", - "type": "used-by" - }, - { - "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", - "type": "used-by" - }, - { - "dest-uuid": "713e2963-fbf4-406f-a8cf-6a4489d90439", - "type": "used-by" - }, - { - "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", - "type": "used-by" - }, - { - "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { @@ -7557,17 +7965,41 @@ "type": "used-by" }, { - "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", + "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", + "type": "used-by" + }, + { + "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, + { + "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", + "type": "used-by" + }, + { + "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", + "type": "used-by" + }, { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" }, + { + "dest-uuid": "73da066d-b25f-45ba-862b-1a69228c6baa", + "type": "used-by" + }, + { + "dest-uuid": "713e2963-fbf4-406f-a8cf-6a4489d90439", + "type": "used-by" + }, + { + "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", + "type": "used-by" + }, { "dest-uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b", "type": "used-by" 
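Review bot: A used-by edge from Emotet to `16a65ee9-cd60-4f04-ba34-f2f45fcfc666` — identified as Sandworm Team by the Cyclops Blink description earlier in this file — is added here with no supporting citation, and the Emotet description rewritten in the preceding hunk does not mention it either. An Emotet relationship for a GRU-attributed group is unusual enough that it needs a reference in the description or it will be read as an error; if the edge is inherited from an upstream MITRE mapping that is fine, but the format gives no way to tell an inherited edge from a Tidal-asserted one. The remaining changes in this hunk reorder existing edges and need no action.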
@@ -7576,17 +8008,25 @@ "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, + { + "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7", + "type": "used-by" + }, { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" }, { - "dest-uuid": "73da066d-b25f-45ba-862b-1a69228c6baa", + "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" }, { "dest-uuid": "345e553a-164d-4c9d-8bf9-19fcf8a51533", "type": "used-by" + }, + { + "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", + "type": "used-by" } ], "uuid": "fea655ac-558f-4dd0-867f-9a5553626207", @@ -7660,11 +8100,15 @@ }, "related": [ { - "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { - "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "dest-uuid": "8957f42d-a069-542b-bce6-3059a2fa0f2e", + "type": "used-by" + }, + { + "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "type": "used-by" } ], @@ -7719,6 +8163,13 @@ "software_attack_id": "S3103", "source": "Tidal Cyber", "tags": [ + "758c3085-2f79-40a8-ab95-f8a684737927", + "1dc8fd1e-0737-405a-98a1-111dd557f1b5", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", "fe28cf32-a15c-44cf-892c-faa0360d6109", "e1af18e3-3224-4e4c-9d0f-533768474508", "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", @@ -7729,6 +8180,10 @@ ] }, "related": [ + { + "dest-uuid": "649642a4-0659-5e10-ae19-1282f73a1785", + "type": "used-by" + }, { "dest-uuid": "a13bd574-b907-4489-96ab-8d30faf7fca4", "type": "used-by" @@ -8072,6 +8527,10 @@ { "dest-uuid": "3b8a2c50-5d8e-49b4-bd50-10ae66ca6c72", "type": "used-by" + }, + { + "dest-uuid": "33a5fa48-89ee-5c0b-9c9c-e0ee69032fca", + "type": "used-by" } ], "uuid": "acbff463-ba1c-4d26-ab99-b9aa47b81c68", 
@@ -8258,11 +8717,11 @@ "type": "used-by" }, { - "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", + "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { - "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", + "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { @@ -8329,7 +8788,6 @@ "description": "[FinFisher](https://app.tidalcyber.com/software/41f54ce1-842c-428a-977f-518a5b63b4d7) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including [Wingbird](https://app.tidalcyber.com/software/3e70078f-407e-4b03-b604-bdc05b372f37). [[FinFisher Citation](https://app.tidalcyber.com/references/6ef0b8d8-ba98-49ce-807d-5a85d111b027)] [[Microsoft SIR Vol 21](https://app.tidalcyber.com/references/619b9cf8-7201-45de-9c36-834ccee356a9)] [[FireEye FinSpy Sept 2017](https://app.tidalcyber.com/references/142cf7a3-2ca2-4cf3-b95a-9f4b3bc1cdce)] [[Securelist BlackOasis Oct 2017](https://app.tidalcyber.com/references/66121c37-6b66-4ab2-9f63-1adb80dcec62)] [[Microsoft FinFisher March 2018](https://app.tidalcyber.com/references/88c97a9a-ef14-4695-bde0-9de2b5f5343b)]", "meta": { "platforms": [ - "Android", "Windows" ], "software_attack_id": "S0182", @@ -8478,11 +8936,11 @@ }, "related": [ { - "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", + "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" }, { - "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", + "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" } ], 
@@ -8510,11 +8968,11 @@
 },
 "related": [
 {
- "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
+ "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0",
 "type": "used-by"
 },
 {
- "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0",
+ "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
 "type": "used-by"
 },
 {
@@ -8770,6 +9228,42 @@ "uuid": "1d5c5822-3cb4-455a-9976-f6bc17e2820d", "value": "FreeFileSync" }, + { + "description": "[FRP](https://app.tidalcyber.com/software/5d83dd11-3928-5d7e-a50c-5c06594a5229), which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a server located behind a firewall or Network Address Translation (NAT) to the Internet. [FRP](https://app.tidalcyber.com/software/5d83dd11-3928-5d7e-a50c-5c06594a5229) can support multiple protocols including TCP, UDP, and HTTP(S) and has been abused by threat actors to proxy command and control communications.[[FRP GitHub](https://app.tidalcyber.com/references/cc682467-1ad0-50d9-9d81-be84ed862df8)][[Joint Cybersecurity Advisory Volt Typhoon June 2023](https://app.tidalcyber.com/references/14872f08-e219-5c0d-a2d7-43a3ba348b4b)][[RedCanary Mockingbird May 2020](https://app.tidalcyber.com/references/596bfbb3-72e0-4d4c-a1a9-b8d54455ffd0)][[DFIR Phosphorus November 2021](https://app.tidalcyber.com/references/0156d408-a36d-5876-96fd-f0b0cf296ea2)]", + "meta": { + "platforms": [ + "macOS", + "Linux", + "Windows" + ], + "software_attack_id": "S1144", + "source": "MITRE", + "tags": [ + "be319849-fb2c-4b5f-8055-0bde562c280b", + "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", + "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" + ], + "type": [ + "tool" + ] + }, + "related": [ + { + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "type": "used-by" + }, + { + "dest-uuid": "b82c6ed1-c74a-4128-8b4d-18d1e17e1134", + "type": "used-by" + }, + { + "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", + "type": "used-by" + } + ], + "uuid": "5d83dd11-3928-5d7e-a50c-5c06594a5229", + "value": "FRP" + }, { "description": "FruitFly is designed to spy on mac users [[objsee mac malware 2017](https://app.tidalcyber.com/references/08227ae5-4086-4c31-83d9-459c3a097754)].", "meta": { 
@@ -8806,11 +9300,11 @@
 },
 "related": [
 {
- "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
+ "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e",
 "type": "used-by"
 },
 {
- "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e",
+ "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
 "type": "used-by"
 }
 ],
@@ -8882,10 +9376,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1",
- "type": "used-by"
- },
 {
 "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
 "type": "used-by"
@@ -8894,6 +9384,10 @@
 "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
 "type": "used-by"
@@ -8906,6 +9400,30 @@ "uuid": "062deac9-8f05-44e2-b347-96b59ba166ca", "value": "ftp" }, + { + "description": "FudModule is a rootkit whose capabilities focus on obtaining kernel access and avoiding detection.[[Microsoft Security Blog August 30 2024](/references/d7ef2e80-30c0-47ce-91d4-db1690c6c689)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3388", + "source": "Tidal Cyber", + "tags": [ + "95b66dc5-2f49-4b82-8f03-c3eaa579085b", + "a98d7a43-f227-478e-81de-e7299639a355", + "1efd43ee-5752-49f2-99fe-e3441f126b00", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "ab6ebd5a-05e3-49b7-93f2-d8cb83a86c28", + "value": "FudModule" + }, { "description": "[FunnyDream](https://app.tidalcyber.com/software/d0490e1d-8287-44d3-8342-944d1203b237) is a backdoor with multiple components that was used during the [FunnyDream](https://app.tidalcyber.com/campaigns/94587edf-0292-445b-8c66-b16629597f1e) campaign since at least 2019, primarily for execution and exfiltration.[[Bitdefender FunnyDream Campaign November 2020](https://app.tidalcyber.com/references/b62a9f2c-02ca-4dfa-95fc-5dc6ad9568de)]", "meta": { @@ -8977,7 +9495,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5282", + "software_attack_id": "S3387", "source": "Tidal Cyber", "tags": [ "ca440076-2a36-405a-bf4c-d4529e91b641", @@ -9118,11 +9636,7 @@ }, "related": [ { - "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", - "type": "used-by" - }, - { - "dest-uuid": "f1477581-d485-403f-a95f-c56bf88c5d1e", + "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { 
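Review bot: FudModule is added with `"related": []` although its only citation, the Microsoft blog of 30 August 2024, attributes the rootkit to a named North Korean actor (confirm against the reference), so the attribution the source provides is lost from the graph; add the used-by edge if a group object exists for that actor. The description is also thin for a rootkit entry — "obtaining kernel access and avoiding detection" could describe any rootkit — and should say what the cited report actually observed, e.g. which kernel security mechanisms it tampers with and how it was delivered, as far as the reference supports it. Hedged wording is fine; an unsourced specific is worse than a vague one.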
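Review bot: The hunk at `-8977` rewrites an existing object's `software_attack_id` from `S5282` to `S3387` in place, which silently breaks any consumer that keyed on the published identifier. `S3387` sits directly below the ids assigned to the new objects in this same patch (`S3388` FudModule, `S3389` Embargo, `S3390` Hive), so this looks like a renumbering to close a gap rather than a typo fix. If `S5282` ever shipped, keep it resolvable — an alias field, or a deprecated stub pointing at the new id, as is done for Gootloader later in this patch — instead of overwriting it.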
@@ -9134,11 +9648,11 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446",
+ "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46",
 "type": "used-by"
 },
 {
- "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
+ "dest-uuid": "f1477581-d485-403f-a95f-c56bf88c5d1e",
 "type": "used-by"
 },
 {
@@ -9153,9 +9667,17 @@
 "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446",
+ "type": "used-by"
 }
 ],
 "uuid": "269ef8f5-35c8-44ba-afe4-63f4c6431427",
@@ -9208,6 +9730,7 @@
 "software_attack_id": "S3035",
 "source": "Tidal Cyber",
 "tags": [
+ "c87e8e01-f6fb-483b-8343-68ef9440f1bf",
 "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb",
@@ -9226,10 +9749,18 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
 "type": "used-by"
@@ -9237,10 +9768,6 @@
 {
 "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7",
 "type": "used-by"
- },
- {
- "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3",
- "type": "used-by"
 }
 ],
 "uuid": "83713f85-8b2f-4733-9fea-e6a1494d0bbb",
@@ -9385,7 +9912,33 @@ "value": "GooseEgg" }, { - "description": "Gootloader is a highly active banking Trojan-turned-loader malware that has attacked organizations in a wide range of verticals and countries. Gootloader, also referred to by its related payload, Gootkit, first emerged in 2014 but has been especially active since 2020. In the past two years alone, verticals including finance, healthcare, defense, pharmaceutical, energy, & automotive have faced Gootloader campaigns, with victims across North America, Western Europe, & South Korea, and the malware is regularly used to deliver high-impact payloads, including Cobalt Strike, IcedID (a common ransomware precursor), & more. Cybereason indicates the financial & healthcare sectors are especially impacted.[[Cybereason Gootloader February 2023](/references/098bf58f-3868-4892-bb4d-c78ce8817a02)] Red Canary & The DFIR Report provide tool-agnostic suggested detection logic for key behaviors observed during recent Gootloader campaigns.[[Red Canary Gootloader April 2023](/references/658e3a1a-2f68-4e84-8dab-43e48766703e)][[DFIR Report Gootloader](/references/aa12dc30-ba81-46c5-b412-ca4a01e72d7f)]", + "description": "[Gootloader](https://app.tidalcyber.com/software/b18a505f-16ca-5b51-9bed-ae05b47c7706) is a Javascript-based infection framework that has been used since at least 2020 as a delivery method for the Gootkit banking trojan, [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6), [REvil](https://app.tidalcyber.com/software/9314531e-bf46-4cba-9c19-198279ccf9cd), and others. 
[Gootloader](https://app.tidalcyber.com/software/b18a505f-16ca-5b51-9bed-ae05b47c7706) operates on an \"Initial Access as a Service\" model and has leveraged [SEO Poisoning](https://app.tidalcyber.com/technique/68d5de9f-ca86-4bd3-bf69-524d82f7bc7a) to provide access to entities in multiple sectors worldwide including financial, military, automotive, pharmaceutical, and energy.[[Sophos Gootloader](https://app.tidalcyber.com/references/63357292-0f08-4405-a45a-34b606ab7110)][[SentinelOne Gootloader June 2021](https://app.tidalcyber.com/references/8512c5fd-2ddc-5de4-bb7d-8012402efbb5)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1138", + "source": "MITRE", + "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "84615fe0-c2a5-4e07-8957-78ebc29b4635" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + } + ], + "uuid": "b18a505f-16ca-5b51-9bed-ae05b47c7706", + "value": "Gootloader" + }, + { + "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Gootloader\" (Software). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nGootloader is a highly active banking Trojan-turned-loader malware that has attacked organizations in a wide range of verticals and countries. Gootloader, also referred to by its related payload, Gootkit, first emerged in 2014 but has been especially active since 2020. In the past two years alone, verticals including finance, healthcare, defense, pharmaceutical, energy, & automotive have faced Gootloader campaigns, with victims across North America, Western Europe, & South Korea, and the malware is regularly used to deliver high-impact payloads, including Cobalt Strike, IcedID (a common ransomware precursor), & more. 
Cybereason indicates the financial & healthcare sectors are especially impacted.[[Cybereason Gootloader February 2023](/references/098bf58f-3868-4892-bb4d-c78ce8817a02)] Red Canary & The DFIR Report provide tool-agnostic suggested detection logic for key behaviors observed during recent Gootloader campaigns.[[Red Canary Gootloader April 2023](/references/658e3a1a-2f68-4e84-8dab-43e48766703e)][[DFIR Report Gootloader](/references/aa12dc30-ba81-46c5-b412-ca4a01e72d7f)]", "meta": { "owner": "TidalCyberIan", "platforms": [ 
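Review bot: The two Gootloader objects are now distinguished only by prose — a "no longer maintaining" sentence prepended to the old description here, and a "(Deprecated)" suffix on `value` in the next hunk — with no machine-readable marker, so a consumer cannot filter out the stale object or follow it to `b18a505f-16ca-5b51-9bed-ae05b47c7706` without parsing free text. Add whatever this schema uses for revoked objects (e.g. `"deprecated": true` plus a `"replaced_by"` uuid under `meta`) so the relationship survives tooling. The note also says all Tidal relationships were copied onto the MITRE object; if so, the deprecated object's own `related` edges (outside this hunk) should be trimmed, otherwise every group linked to Gootloader will show two software entries.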
@@ -9412,7 +9965,36 @@ } ], "uuid": "3eec857e-dce3-4865-a65f-3ad5a559a3e6", - "value": "Gootloader" + "value": "Gootloader (Deprecated)" + }, + { + "description": "GoToAssist is a legitimate remote access tool that adversaries like Carbon Spider (FIN7) have abused for malicious purposes including command and control and exfiltration.[[CrowdStrike Carbon Spider August 2021](/references/36f0ddb0-94af-494c-ad10-9d3f75d1d810)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "macOS", + "Windows" + ], + "software_attack_id": "S3395", + "source": "Tidal Cyber", + "tags": [ + "857d10f8-d1d0-4f67-8bf4-d760e3471bbb", + "8bf128ad-288b-41bc-904f-093f4fdde745", + "e727eaa6-ef41-4965-b93a-8ad0c51d0236", + "e1af18e3-3224-4e4c-9d0f-533768474508" + ], + "type": [ + "tool" + ] + }, + "related": [ + { + "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", + "type": "used-by" + } + ], + "uuid": "9570d4c0-93f3-4af2-9783-f144818a0e48", + "value": "GoToAssist" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by group policy to process scripts\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\gpscript.exe\n* C:\\Windows\\SysWOW64\\gpscript.exe\n\n**Resources:**\n* [https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/](https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_gpscript.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml)\n* IOC: Scripts added in local group policy\n* IOC: Execution of Gpscript.exe after logon[[Gpscript.exe - LOLBAS 
Project](/references/619f57d9-d93b-4e9b-aae0-6ce89d91deb6)]", @@ -9499,8 +10081,7 @@ "platforms": [ "Linux", "macOS", - "Windows", - "iOS" + "Windows" ], "software_attack_id": "S0690", "source": "MITRE", @@ -9602,6 +10183,10 @@ ] }, "related": [ + { + "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7", + "type": "used-by" + }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" @@ -9626,10 +10211,6 @@ ] }, "related": [ - { - "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", - "type": "used-by" - }, { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" @@ -9639,12 +10220,16 @@ "type": "used-by" }, { - "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", + "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" + }, + { + "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", + "type": "used-by" } ], "uuid": "5ffe662f-9da1-4b6f-ad3a-f296383e828c", @@ -10076,9 +10661,12 @@ "description": "[Hildegard](https://app.tidalcyber.com/software/7ef8cd3a-33cf-43bb-a3b8-a78fc844ce0c) is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind [Hildegard](https://app.tidalcyber.com/software/7ef8cd3a-33cf-43bb-a3b8-a78fc844ce0c). [[Unit 42 Hildegard Malware](https://app.tidalcyber.com/references/0941cf0e-75d8-4c96-bc42-c99d809e75f9)]", "meta": { "platforms": [ - "Containers", + "IaaS", "Linux", - "IaaS" + "GCP", + "AWS", + "Azure", + "Containers" ], "software_attack_id": "S0601", "source": "MITRE", 
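Review bot: The Hildegard platform list now mixes the consolidated `IaaS` token with `GCP`, `AWS` and `Azure`, which ATT&CK folded into IaaS several versions ago, while earlier hunks on this page remove `Android` and `iOS` from other MITRE-sourced objects precisely to track upstream platform changes. Either the three provider tokens are stale re-additions or they are a Tidal extension, and a consumer filtering on platform strings cannot tell which; pick one vocabulary and apply it to every MITRE-sourced object. If they are intentional, the `Containers` entry being moved to the end of the list suggests a regenerated ordering rather than an edit, so the generator's platform mapping is the place to fix.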
@@ -10126,6 +10714,39 @@ "uuid": "d4f74243-0d2d-4095-b66a-6d8291019125", "value": "HIUPAN" }, + { + "description": "Hive is a ransomware-as-a-service (RaaS) variant first observed in June 2021.[[U.S. CISA Hive November 25 2022](/references/fce322e6-5e23-404a-acf8-cd003f00c79d)] Actors deploying Hive targeted victims in a wide range of verticals. In January 2023, international authorities announced they disrupted Hive ransomware operations, seizing control of servers and websites used for communication among Hive actors and capturing Hive decryption keys.[[U.S. Justice Department Hive January 2023](/references/81bd5579-6a8a-40d2-b7b7-5cdb879ebdf0)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Linux", + "Windows" + ], + "software_attack_id": "S3390", + "source": "Tidal Cyber", + "tags": [ + "b802443a-37b2-4c38-addd-75e4efb1defd", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "de72d564-6487-4cf3-be3e-0a961cf15d5d", + "type": "used-by" + }, + { + "dest-uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05", + "type": "used-by" + } + ], + "uuid": "ee3315ab-68ab-4e22-9ebe-f0e57ee6db39", + "value": "Hive Ransomware" + }, { "description": "[Hi-Zor](https://app.tidalcyber.com/software/286184d9-f28a-4d5a-a9dd-2216b3c47809) is a remote access tool (RAT) that has characteristics similar to [Sakula](https://app.tidalcyber.com/software/a316c704-144a-4d14-8e4e-685bb6ae391c). It was used in a campaign named INOCNATION. [[Fidelis Hi-Zor](https://app.tidalcyber.com/references/0c9ff201-283a-4527-8cb8-6f0d05a4f724)]", "meta": { 
@@ -10255,11 +10876,11 @@ }, "related": [ { - "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", + "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" }, { - "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", + "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" } ], 
@@ -10301,17 +10922,43 @@ }, "related": [ { - "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { - "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" } ], "uuid": "2df88e4e-5a89-5535-ae1a-4c68b19d9078", "value": "HUI Loader" }, + { + "description": "Hunters International is a ransomware operation observed in 2023 that leverages an encryptor which is believed to be heavily based on Hive ransomware code.[[Bitdefender Hunters International November 9 2023](/references/ae0a88d6-bd46-4b22-bfb1-25003bfe83d7)] (In January 2023, international authorities announced they disrupted Hive ransomware operations, seizing control of servers and websites used for communication among Hive actors and capturing Hive decryption keys.[[U.S. Justice Department Hive January 2023](/references/81bd5579-6a8a-40d2-b7b7-5cdb879ebdf0)])\n\n*In the absence of many technical details related to the Hunters International encryptor variant specifically, this object relfects core Techniques associated with Hive ransomware (which are themselves common among many modern ransomware strains).*", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Linux", + "Windows" + ], + "software_attack_id": "S3391", + "source": "Tidal Cyber", + "tags": [ + "b802443a-37b2-4c38-addd-75e4efb1defd", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "f90c6a11-2f2a-4ec1-996b-7a62e425d1d4", + "value": "Hunters International Ransomware" + }, { "description": "[Hydraq](https://app.tidalcyber.com/software/4ffbca79-358a-4ba5-bfbb-dc1694c45646) is a data-theft trojan first used by 
[Elderwood](https://app.tidalcyber.com/groups/51146bb6-7478-44a3-8f08-19adcdceffca) in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including [APT17](https://app.tidalcyber.com/groups/5f083251-f5dc-459a-abfc-47a1aa7f5094).[[MicroFocus 9002 Aug 2016](https://app.tidalcyber.com/references/a4d6bdd1-e70c-491b-a569-72708095c809)][[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)][[Symantec Trojan.Hydraq Jan 2010](https://app.tidalcyber.com/references/10bed842-400f-4276-972d-5fca794ea778)][[ASERT Seven Pointed Dagger Aug 2015](https://app.tidalcyber.com/references/a8f323c7-82bc-46e6-bd6c-0b631abc644a)][[FireEye DeputyDog 9002 November 2013](https://app.tidalcyber.com/references/68b5a913-b696-4ca5-89ed-63453023d2a2)][[ProofPoint GoT 9002 Aug 2017](https://app.tidalcyber.com/references/b796f889-400c-440b-86b2-1588fd15f3ae)][[FireEye Sunshop Campaign May 2013](https://app.tidalcyber.com/references/ec246c7a-3396-46f9-acc4-a100cb5e5fe6)][[PaloAlto 3102 Sept 2015](https://app.tidalcyber.com/references/db340043-43a7-4b16-a570-92a0d879b2bf)]", "meta": { @@ -10326,7 +10973,7 @@ }, "related": [ { - "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", + "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" }, { @@ -10334,7 +10981,7 @@ "type": "used-by" }, { - "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", + "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" } ], 
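Review bot: The Hunters International description added in the hunk that starts on the previous line has a typo in its provenance caveat, `this object relfects core Techniques` should read `this object reflects core Techniques`, and that sentence is worth getting right because it is what tells an analyst the techniques are inherited from Hive rather than observed for this encryptor. The same object ships with `"related": []` even though its description ties it to Hive ransomware and the Bitdefender report; if the operators behind Hunters International have a groups-cluster entry, a `used-by` link here would match how the new Hive object in this diff is wired. The Hydraq entry whose description spans this line is only touched by reordering.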
@@ -10421,11 +11068,19 @@ }, "related": [ { - "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", + "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" }, { - "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", + "dest-uuid": "e1e72810-4661-54c7-b05e-859128fb327d", + "type": "used-by" + }, + { + "dest-uuid": "b47551ba-8036-5527-abba-fed787c854a5", + "type": "used-by" + }, + { + "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "type": "used-by" }, { 
@@ -10623,7 +11278,31 @@ "value": "Ilasm" }, { - "description": "IMAPLoader is a .NET downloader that uses email-based channels for command and control communication. It is believed to be developed and used by Yellow Liderc a threat actor group based in Iran and aligned with the Iranian Islamic Revolutionary Guard Corp (IRGC). IMAPLoader is delivered via drive-by compromises and phishing attacks.[[PwC Yellow Liderc October 25 2023](/references/cbeaf9b5-865f-44a1-a913-9eec28d7a5ff)]", + "description": "[IMAPLoader](https://app.tidalcyber.com/software/0e5c0f19-db3d-5061-a0b9-3b55e4f3f50b) is a .NET-based loader malware exclusively associated with [CURIUM](https://app.tidalcyber.com/groups/ab15a328-c41e-5701-993f-3cab29ac4544) operations since at least 2022. [IMAPLoader](https://app.tidalcyber.com/software/0e5c0f19-db3d-5061-a0b9-3b55e4f3f50b) leverages email protocols for command and control and payload delivery.[[PWC Yellow Liderc 2023](https://app.tidalcyber.com/references/e473a371-2f34-5391-8888-42082b0a1904)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1152", + "source": "MITRE", + "tags": [ + "84615fe0-c2a5-4e07-8957-78ebc29b4635" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "ab15a328-c41e-5701-993f-3cab29ac4544", + "type": "used-by" + } + ], + "uuid": "0e5c0f19-db3d-5061-a0b9-3b55e4f3f50b", + "value": "IMAPLoader" + }, + { + "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"IMAPLoader\" (Software). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nIMAPLoader is a .NET downloader that uses email-based channels for command and control communication. It is believed to be developed and used by Yellow Liderc a threat actor group based in Iran and aligned with the Iranian Islamic Revolutionary Guard Corp (IRGC). 
IMAPLoader is delivered via drive-by compromises and phishing attacks.[[PwC Yellow Liderc October 25 2023](/references/cbeaf9b5-865f-44a1-a913-9eec28d7a5ff)]", "meta": { "owner": "TidalCyberIan", "platforms": [ @@ -10647,7 +11326,7 @@ } ], "uuid": "0832ffda-240a-4455-a53b-71b2683bea09", - "value": "IMAPLoader" + "value": "IMAPLoader (Deprecated)" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft IME Open Extended Dictionary Module\n\n**Author:** Wade Hickey\n\n**Paths:**\n* C:\\Windows\\System32\\IME\\SHARED\\IMEWDBLD.exe\n\n**Resources:**\n* [https://twitter.com/notwhickey/status/1367493406835040265](https://twitter.com/notwhickey/status/1367493406835040265)\n\n**Detection:**\n* Sigma: [net_connection_win_imewdbld.yml](https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/network_connection/net_connection_win_imewdbld.yml)[[IMEWDBLD.exe - LOLBAS Project](/references/9d1d6bc1-61cf-4465-b3cb-b6af36769027)]", @@ -10688,11 +11367,11 @@ }, "related": [ { - "dest-uuid": "153c14a6-31b7-44f2-892e-6d9fdc152267", + "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" }, { - "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", + "dest-uuid": "153c14a6-31b7-44f2-892e-6d9fdc152267", "type": "used-by" } ], 
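Review bot: Renaming the Tidal object's `value` from `IMAPLoader` to `IMAPLoader (Deprecated)` changes the string MISP consumers key galaxy tags on, so events already tagged with the old value will now resolve to the MITRE-authored object (`0e5c0f19-…`) rather than to this one; the uuid `0832ffda-…` is unchanged, so uuid-based lookups are unaffected. That is presumably the intent, but the deprecated object's own `related` array sits between hunks and is not visible here, while the replacement carries only the CURIUM link, so the description's claim that all Tidal relationships were migrated cannot be checked from the diff. A one-line statement in the cluster README or changelog that `(Deprecated)` objects are kept for uuid stability and must not be used for new tagging would make the convention explicit for downstream users.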
@@ -10733,40 +11412,12 @@ ] }, "related": [ - { - "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", - "type": "used-by" - }, - { - "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8", - "type": "used-by" - }, - { - "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", - "type": "used-by" - }, - { - "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", - "type": "used-by" - }, - { - "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", - "type": "used-by" - }, - { - "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", - "type": "used-by" - }, - { - "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", - "type": "used-by" - }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { - "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", + "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8", "type": "used-by" }, { @@ -10777,10 +11428,6 @@ "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", "type": "used-by" }, - { - "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", - "type": "used-by" - }, { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" 
@@ -10789,24 +11436,60 @@ "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, + { + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "type": "used-by" + }, + { + "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", + "type": "used-by" + }, + { + "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", + "type": "used-by" + }, { "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b", "type": "used-by" }, { - "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", + "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, + { + "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "type": "used-by" + }, + { + "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", + "type": "used-by" + }, { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" }, { - "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", + "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", + "type": "used-by" + }, + { + "dest-uuid": "de72d564-6487-4cf3-be3e-0a961cf15d5d", + "type": "used-by" + }, + { + "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", + "type": "used-by" + }, + { + "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", + "type": "used-by" + }, + { + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { @@ -10817,6 +11500,14 @@ "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", "type": "used-by" }, + { + "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", + "type": "used-by" + }, + { + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "type": "used-by" + }, { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" 
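Review bot: Most of the Impacket `related` rewrite in this hunk and the one before it is reordering of entries that already existed; only `502223ee-…`, `407274be-…` and `de72d564-…` are genuinely new `used-by` links, and the earlier hunk removes `d0f3353c-…` and `b3061284-…` only for this hunk to add them back. That churn hides the real relationship changes from a reviewer and makes it hard to bisect a bad link later. This looks like generator behaviour rather than a hand edit, so the fix belongs in the sync tooling: sorting `related` by `dest-uuid` before serialising (or running the repository's jq normaliser on the output) would keep unchanged links on unchanged lines.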
@@ -10826,7 +11517,36 @@ "value": "Impacket" }, { - "description": "INC is a ransomware operation that emerged in July 2023. Operators of INC ransomware typically publicly extort their victims.[[SentinelOne September 21 2023](/references/7e793738-c132-47bf-90aa-1f0659564d16)]", + "description": "[INC Ransomware](https://app.tidalcyber.com/software/814df4bb-4f5a-5097-af8b-85622a4803ba) is a ransomware strain that has been used by the [INC Ransom](https://app.tidalcyber.com/groups/8957f42d-a069-542b-bce6-3059a2fa0f2e) group since at least 2023 against multiple industry sectors worldwide. [INC Ransomware](https://app.tidalcyber.com/software/814df4bb-4f5a-5097-af8b-85622a4803ba) can employ partial encryption combined with multi-threading to speed encryption.[[SentinelOne INC Ransomware](https://app.tidalcyber.com/references/5f82878b-2258-5663-8694-efc3179c1849)][[Huntress INC Ransom Group August 2023](https://app.tidalcyber.com/references/d315547d-26e3-5130-a794-658eecf1e0df)][[Secureworks GOLD IONIC April 2024](https://app.tidalcyber.com/references/e723e7b3-496f-5ab4-abaf-83859e7e912d)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1139", + "source": "MITRE", + "tags": [ + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + }, + { + "dest-uuid": "8957f42d-a069-542b-bce6-3059a2fa0f2e", + "type": "used-by" + } + ], + "uuid": "814df4bb-4f5a-5097-af8b-85622a4803ba", + "value": "INC Ransomware" + }, + { + "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"INC Ransomware\" (Software). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nINC is a ransomware operation that emerged in July 2023. 
Operators of INC ransomware typically publicly extort their victims.[[SentinelOne September 21 2023](/references/7e793738-c132-47bf-90aa-1f0659564d16)]", "meta": { "owner": "TidalCyberIan", "platforms": [ @@ -10849,10 +11569,14 @@ { "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", "type": "used-by" + }, + { + "dest-uuid": "2cc28cf9-d030-4609-acdc-0b0429580bb4", + "type": "used-by" } ], "uuid": "41b71db3-9779-445e-a0b5-7cd7174a7026", - "value": "INC Ransomware" + "value": "INC Ransomware (Deprecated)" }, { "description": "[Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[[ESET Industroyer](https://app.tidalcyber.com/references/9197f712-3c53-4746-9722-30e248511611)] [Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299) was used in the attacks on the Ukrainian power grid in December 2016.[[Dragos Crashoverride 2017](https://app.tidalcyber.com/references/c8f624e3-2ba2-4564-bd1c-f06b9a6a8bce)] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[[Dragos Crashoverride 2018](https://app.tidalcyber.com/references/d14442d5-2557-4a92-9a29-b15a20752f56)]", @@ -11061,11 +11785,15 @@ }, "related": [ { - "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", + "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, { - "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", + "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7", + "type": "used-by" + }, + { + "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" } ], 
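Review bot: In the hunk for the deprecated Tidal INC object (`41b71db3-…`), a new `used-by` link to `2cc28cf9-d030-4609-acdc-0b0429580bb4` is added at the same moment the object is renamed `INC Ransomware (Deprecated)`, while the MITRE-authored replacement added just above (`814df4bb-…`) relates only `efd2fca2-…` and `8957f42d-…`. The deprecation text promises that all Tidal relationships were carried over to the MITRE object, so either `2cc28cf9-…` should also appear in its `related` array or that promise is not yet true for this actor; the diff alone does not say which. Adding `{ "dest-uuid": "2cc28cf9-d030-4609-acdc-0b0429580bb4", "type": "used-by" }` to the new object, or noting in the commit message why the link stays only on the deprecated one, would remove the ambiguity.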
@@ -11093,27 +11821,7 @@ }, "related": [ { - "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", - "type": "used-by" - }, - { - "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", - "type": "used-by" - }, - { - "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", - "type": "used-by" - }, - { - "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", - "type": "used-by" - }, - { - "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", - "type": "used-by" - }, - { - "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", + "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { @@ -11124,6 +11832,10 @@ "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, + { + "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", + "type": "used-by" + }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" @@ -11136,16 +11848,40 @@ "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", "type": "used-by" }, + { + "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", + "type": "used-by" + }, { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { - "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", + "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", "type": "used-by" }, { - "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", + "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", + "type": "used-by" + }, + { + "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "type": "used-by" + }, + { + "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", + "type": "used-by" + }, + { + "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", + "type": "used-by" + }, + { + "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", + "type": "used-by" + }, + { + "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" }, { 
@@ -11155,19 +11891,35 @@ { "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", "type": "used-by" - }, - { - "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", - "type": "used-by" - }, - { - "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", - "type": "used-by" } ], "uuid": "4f519002-0576-4f8e-8add-73ebac9a86e6", "value": "ipconfig" }, + { + "description": "[IPsec Helper](https://app.tidalcyber.com/software/e6fa005e-4690-5336-8a03-5f667ea38f3f) is a post-exploitation remote access tool linked to [Agrius](https://app.tidalcyber.com/groups/36c70cf2-c7d5-5926-8155-5d3a63e3e55a) operations. This malware shares significant programming and functional overlaps with [Apostle](https://app.tidalcyber.com/software/f525a28f-2500-585c-a1c7-063ecec8376e) ransomware, also linked to [Agrius](https://app.tidalcyber.com/groups/36c70cf2-c7d5-5926-8155-5d3a63e3e55a). [IPsec Helper](https://app.tidalcyber.com/software/e6fa005e-4690-5336-8a03-5f667ea38f3f) provides basic remote access tool functionality such as uploading files from victim systems, running commands, and deploying additional payloads.[[SentinelOne Agrius 2021](https://app.tidalcyber.com/references/b5b433a1-5d12-5644-894b-c42d995c9ba5)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1132", + "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "36c70cf2-c7d5-5926-8155-5d3a63e3e55a", + "type": "used-by" + } + ], + "uuid": "e6fa005e-4690-5336-8a03-5f667ea38f3f", + "value": "IPsec Helper" + }, { "description": "[IronNetInjector](https://app.tidalcyber.com/software/9ca96281-8ff9-4619-a79d-16c5a9594eae) is a [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including 
[ComRAT](https://app.tidalcyber.com/software/300c5997-a486-4a61-8213-93a180c22849).[[Unit 42 IronNetInjector February 2021 ](https://app.tidalcyber.com/references/f04c89f7-d951-4ebc-a5e4-2cc69476c43f)]", "meta": { @@ -11366,7 +12118,6 @@ "platforms": [ "macOS", "Linux", - "Android", "Windows" ], "software_attack_id": "S0283", @@ -11709,11 +12460,11 @@ }, "related": [ { - "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b", + "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { - "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", + "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b", "type": "used-by" } ], @@ -11775,10 +12526,6 @@ ] }, "related": [ - { - "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", - "type": "used-by" - }, { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" @@ -11790,6 +12537,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", + "type": "used-by" } ], "uuid": "5e981594-d00a-4c7f-8ed0-3d4a60cc3fcd", 
@@ -11935,6 +12686,34 @@ "uuid": "35ac4018-8506-4025-a9e3-bd017700b3b3", "value": "Kwampirs" }, + { + "description": "[Latrodectus](https://app.tidalcyber.com/software/413585a2-00d1-532d-953a-bc5c86f4767f) is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. [Latrodectus](https://app.tidalcyber.com/software/413585a2-00d1-532d-953a-bc5c86f4767f) has most often been distributed through email campaigns, primarily by [TA577](https://app.tidalcyber.com/groups/e1e72810-4661-54c7-b05e-859128fb327d) and [TA578](https://app.tidalcyber.com/groups/b47551ba-8036-5527-abba-fed787c854a5), and has infrastructure overlaps with historic [IcedID](https://app.tidalcyber.com/software/7f59bb7c-5fa9-497d-9d8e-ba9349fd9433) operations.[[Latrodectus APR 2024](https://app.tidalcyber.com/references/23f46e51-cfb9-516f-88a6-824893293deb)][[Bleeping Computer Latrodectus April 2024](https://app.tidalcyber.com/references/b138b07e-d68b-5f68-ba74-ddd7bb654fa6)][[Bitsight Latrodectus June 2024](https://app.tidalcyber.com/references/9a942e75-3541-5b8d-acde-8f2a3447184a)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1160", + "source": "MITRE", + "tags": [ + "84615fe0-c2a5-4e07-8957-78ebc29b4635" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "e1e72810-4661-54c7-b05e-859128fb327d", + "type": "used-by" + }, + { + "dest-uuid": "b47551ba-8036-5527-abba-fed787c854a5", + "type": "used-by" + } + ], + "uuid": "413585a2-00d1-532d-953a-bc5c86f4767f", + "value": "Latrodectus" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Locates and imports a Developer PowerShell module and calls the Enter-VsDevShell 
cmdlet\n\n**Author:** Nasreddine Bencherchali\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\Tools\\Launch-VsDevShell.ps1\n* C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\Tools\\Launch-VsDevShell.ps1\n\n**Resources:**\n* [https://twitter.com/nas_bench/status/1535981653239255040](https://twitter.com/nas_bench/status/1535981653239255040)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_launch_vsdevshell.yml](https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml)[[Launch-VsDevShell.ps1 - LOLBAS Project](/references/6e81ff6a-a386-495e-bd4b-cf698b02bce8)]", "meta": { @@ -11990,11 +12769,7 @@ }, "related": [ { - "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", - "type": "used-by" - }, - { - "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", + "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" }, { @@ -12002,23 +12777,15 @@ "type": "used-by" }, { - "dest-uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6", + "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { - "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", + "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { - "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", - "type": "used-by" - }, - { - "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", - "type": "used-by" - }, - { - "dest-uuid": "4bdc62c9-af6a-4377-8431-58a6f39235dd", + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { 
@@ -12033,33 +12800,45 @@ "dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b", "type": "used-by" }, - { - "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", - "type": "used-by" - }, { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" }, { - "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", - "type": "used-by" - }, - { - "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "type": "used-by" }, + { + "dest-uuid": "4bdc62c9-af6a-4377-8431-58a6f39235dd", + "type": "used-by" + }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6", + "type": "used-by" + }, + { + "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", + "type": "used-by" + }, + { + "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", + "type": "used-by" } ], "uuid": "f5558af4-e3e2-47c2-b8fe-72850bd30f37", @@ -12090,11 +12869,11 @@ }, "related": [ { - "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { - "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" } ], @@ -12152,6 +12931,10 @@ { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" + }, + { + "dest-uuid": "de72d564-6487-4cf3-be3e-0a961cf15d5d", + "type": "used-by" } ], "uuid": "bce485ad-7d4f-45b6-b3c1-218f2f757611", @@ -12230,10 +13013,6 @@ "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" }, - { - "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", - "type": "used-by" - }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" 
@@ -12241,6 +13020,10 @@ { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" + }, + { + "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", + "type": "used-by" } ], "uuid": "3113cb05-23b4-4f90-ab7a-623b800302ce", @@ -12462,6 +13245,10 @@ { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" + }, + { + "dest-uuid": "de72d564-6487-4cf3-be3e-0a961cf15d5d", + "type": "used-by" } ], "uuid": "08c70ea5-9d4d-4146-826e-c5ebd5490378", @@ -12524,6 +13311,7 @@ "software_attack_id": "S3098", "source": "Tidal Cyber", "tags": [ + "c589aae8-7452-42a9-a9ae-5638a5ab4a12", "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "15787198-6c8b-4f79-bf50-258d55072fee", @@ -12660,7 +13448,7 @@ "software_attack_id": "S0451", "source": "MITRE", "tags": [ - "a2e000da-8181-4327-bacd-32013dbd3654" + "c545270e-a6d4-4d89-af6e-d8be7219405d" ], "type": [ "malware" 
@@ -12731,6 +13519,122 @@ "uuid": "723d9a27-74fd-4333-a8db-63df2a8b4dd4", "value": "Lucifer" }, + { + "description": "Lumar is an information stealer written in C that was first advertised for sale in underground forums in July 2023.[[Kaspersky October 24 2023](/references/0f9fca8c-4ab8-41e8-b034-3a1f41f5cb0d)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3400", + "source": "Tidal Cyber", + "tags": [ + "4d767e87-4cf6-438a-927a-43d2d0beaab7", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "5a1c6cd5-a6f2-4545-8b33-97f97b5fa34f", + "value": "Lumar Stealer" + }, + { + "description": "Lumma Stealer (aka LummaC2) is an infostealer malware written in C, which actors have marketed on underground forums since December 2022.[[Outpost24 April 5 2023](/references/60bd2e39-744c-44e7-b417-0ef0a768f7b6)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3399", + "source": "Tidal Cyber", + "tags": [ + "4d767e87-4cf6-438a-927a-43d2d0beaab7", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "4d4836fb-99c9-47fe-9cf9-26dd16f15d3c", + "value": "Lumma Stealer" + }, + { + "description": "[LunarLoader](https://app.tidalcyber.com/software/e8e81e32-27b4-5830-94cb-a07ca1124296) is the loader component for the [LunarWeb](https://app.tidalcyber.com/software/6b231f41-51b7-5c78-afd5-6cb73a698045) and [LunarMail](https://app.tidalcyber.com/software/8fa2c759-a03f-5044-a125-0b66fba054de) backdoors that has been used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) since at least 2020 including against a European ministry of foreign affairs (MFA). 
[LunarLoader](https://app.tidalcyber.com/software/e8e81e32-27b4-5830-94cb-a07ca1124296) has been observed as a standalone and as a part of trojanized open-source software such as AdmPwd.[[ESET Turla Lunar toolset May 2024](https://app.tidalcyber.com/references/85040d41-b786-5b63-a510-976bc35e8fce)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1143", + "source": "MITRE", + "tags": [ + "84615fe0-c2a5-4e07-8957-78ebc29b4635" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", + "type": "used-by" + } + ], + "uuid": "e8e81e32-27b4-5830-94cb-a07ca1124296", + "value": "LunarLoader" + }, + { + "description": "[LunarMail](https://app.tidalcyber.com/software/8fa2c759-a03f-5044-a125-0b66fba054de) is a backdoor that has been used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) since at least 2020 including in a compromise of a European ministry of foreign affairs (MFA) in conjunction with [LunarLoader](https://app.tidalcyber.com/software/e8e81e32-27b4-5830-94cb-a07ca1124296) and [LunarWeb](https://app.tidalcyber.com/software/6b231f41-51b7-5c78-afd5-6cb73a698045). 
[LunarMail](https://app.tidalcyber.com/software/8fa2c759-a03f-5044-a125-0b66fba054de) is designed to be deployed on workstations and can use email messages and [Steganography](https://app.tidalcyber.com/technique/2735f8d1-0e46-4cd7-bfbb-78941bb266fd) in command and control.[[ESET Turla Lunar toolset May 2024](https://app.tidalcyber.com/references/85040d41-b786-5b63-a510-976bc35e8fce)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1142", + "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", + "type": "used-by" + } + ], + "uuid": "8fa2c759-a03f-5044-a125-0b66fba054de", + "value": "LunarMail" + }, + { + "description": "[LunarWeb](https://app.tidalcyber.com/software/6b231f41-51b7-5c78-afd5-6cb73a698045) is a backdoor that has been used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) since at least 2020 including in a compromise of a European ministry of foreign affairs (MFA) together with [LunarLoader](https://app.tidalcyber.com/software/e8e81e32-27b4-5830-94cb-a07ca1124296) and [LunarMail](https://app.tidalcyber.com/software/8fa2c759-a03f-5044-a125-0b66fba054de). 
[LunarWeb](https://app.tidalcyber.com/software/6b231f41-51b7-5c78-afd5-6cb73a698045) has only been observed deployed against servers and can use [Steganography](https://app.tidalcyber.com/technique/2735f8d1-0e46-4cd7-bfbb-78941bb266fd) to obfuscate command and control.[[ESET Turla Lunar toolset May 2024](https://app.tidalcyber.com/references/85040d41-b786-5b63-a510-976bc35e8fce)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1141", + "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", + "type": "used-by" + } + ], + "uuid": "6b231f41-51b7-5c78-afd5-6cb73a698045", + "value": "LunarWeb" + }, { "description": "[Lurid](https://app.tidalcyber.com/software/0cc9e24b-d458-4782-a332-4e4fd68c057b) is a malware family that has been used by several groups, including [PittyTiger](https://app.tidalcyber.com/groups/60936d3c-37ed-4116-a407-868da3aa4446), in targeted attacks as far back as 2006. [[Villeneuve 2014](https://app.tidalcyber.com/references/a156e24e-0da5-4ac7-b914-29f2f05e7d6f)] [[Villeneuve 2011](https://app.tidalcyber.com/references/ed5a2ec0-8328-40db-9f58-7eaac4ad39a0)]", "meta": { 
@@ -12797,7 +13701,7 @@
 "value": "Machete"
 },
 {
- "description": "[MacMa](https://app.tidalcyber.com/software/7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb) is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. [MacMa](https://app.tidalcyber.com/software/7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb) has been observed in the wild since November 2021.[[ESET DazzleSpy Jan 2022](https://app.tidalcyber.com/references/212012ac-9084-490f-8dd2-5cc9ac6e6de1)]",
+ "description": "[MacMa](https://app.tidalcyber.com/software/7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb) is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. [MacMa](https://app.tidalcyber.com/software/7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb) has been observed in the wild since November 2021.[[ESET DazzleSpy Jan 2022](https://app.tidalcyber.com/references/212012ac-9084-490f-8dd2-5cc9ac6e6de1)] [MacMa](https://app.tidalcyber.com/software/7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb) shares command and control and unique libraries with [MgBot](https://app.tidalcyber.com/software/df390ec3-6557-524d-8a89-3fceff24ca96) and [Nightdoor](https://app.tidalcyber.com/software/858084e7-41ba-53f8-b530-0286bf4ea764), indicating a relationship with the [Daggerfly](https://app.tidalcyber.com/groups/f0dab388-1641-50aa-b0b2-6bdb816e0490) threat actor.[[Symantec Daggerfly 2024](https://app.tidalcyber.com/references/1dadd09e-e7b0-50a1-ba3d-413780dbeb80)]",
 "meta": {
 "platforms": [
 "macOS"
@@ -12808,7 +13712,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "f0dab388-1641-50aa-b0b2-6bdb816e0490",
+ "type": "used-by"
+ }
+ ],
 "uuid": "7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb",
 "value": "MacMa"
 },
@@ -12870,8 +13779,9 @@
 "meta": {
 "platforms": [
 "Office 365",
- "Windows",
- "Azure AD"
+ "Google Workspace",
+ "Office Suite",
+ "Windows"
 ],
 "software_attack_id": "S0413",
 "source": "MITRE",
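Review bot: In the 12870/13779 hunk the `platforms` list of S0413 gains `Google Workspace` and `Office Suite` while `Office 365` is kept as context, so the new list mixes what looks like an umbrella platform name with the product-specific names it would subsume. If `Office Suite` is the consolidated value (the same hunk drops `Azure AD`, which suggests alignment with a platform taxonomy change), `Office 365` and `Google Workspace` should probably be dropped alongside it; if both taxonomies are intentionally retained, the export that produces this file should state that, since consumers filtering by platform will otherwise double-count this entry.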
@@ -12977,6 +13887,27 @@
 "uuid": "9702e486-e5b9-486f-84f3-289c599d3d72",
 "value": "Mango"
 },
+ {
+ "description": "[Manjusaka](https://app.tidalcyber.com/software/1821edd4-7554-5de8-8a22-9f4d49a4917d) is a Chinese-language intrusion framework, similar to [Sliver](https://app.tidalcyber.com/software/bbd16b7b-7e35-4a11-86ff-9b19e17bdab3) and [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6), with an ELF binary written in GoLang as the controller for Windows and Linux implants written in Rust. First identified in 2022, [Manjusaka](https://app.tidalcyber.com/software/1821edd4-7554-5de8-8a22-9f4d49a4917d) consists of multiple components, only one of which (a command and control module) is freely available.[[Talos Manjusaka 2022](https://app.tidalcyber.com/references/5dd749c8-deff-5813-a7d4-80760bb5e999)]",
+ "meta": {
+ "platforms": [
+ "Linux",
+ "Windows"
+ ],
+ "software_attack_id": "S1156",
+ "source": "MITRE",
+ "tags": [
+ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "1821edd4-7554-5de8-8a22-9f4d49a4917d",
+ "value": "Manjusaka"
+ },
 {
 "description": "[MarkiRAT](https://app.tidalcyber.com/software/40806539-1496-4a64-b740-66f6a1467f40) is a remote access Trojan (RAT) compiled with Visual Studio that has been used by [Ferocious Kitten](https://app.tidalcyber.com/groups/275ca7b0-3b21-4c3a-8b6f-57b6f0ffb6fb) since at least 2015.[[Kaspersky Ferocious Kitten Jun 2021](https://app.tidalcyber.com/references/b8f8020d-3f5c-4b5e-8761-6ecdd63fcd50)]",
 "meta": {
@@ -13087,6 +14018,7 @@
 "software_attack_id": "S0449",
 "source": "MITRE",
 "tags": [
+ "c545270e-a6d4-4d89-af6e-d8be7219405d",
 "5b4ce6cb-0929-4f74-a3b2-bd1afa916d36",
 "562e535e-19f5-4d6c-81ed-ce2aec544f09",
 "3c3f9078-5d1e-4c29-a5eb-28f237bbd1ad",
@@ -13095,7 +14027,6 @@
 "c5c8f954-1bc0-45d5-9a4f-4385d0a720a1",
 "ab64f2d8-8da3-48de-ac66-0fd91d634b22",
 "5e7433ad-a894-4489-93bc-41e90da90019",
- "a2e000da-8181-4327-bacd-32013dbd3654",
 "7e7b0c67-bb85-4996-a289-da0e792d7172"
 ],
 "type": [
@@ -13104,11 +14035,11 @@
 },
 "related": [
 {
- "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
+ "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
 "type": "used-by"
 },
 {
- "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
+ "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
 "type": "used-by"
 }
 ],
@@ -13212,6 +14143,28 @@
 "uuid": "c9e824b2-554b-4f42-b4c3-48e0a841f589",
 "value": "MedusaLocker Ransomware"
 },
+ {
+ "description": "Meduza is an information stealer written in C++ that was first identified on Russian-speaking hacking forums in June 2023. Security researchers assess that Meduza may be developed by the same actors that developed Aurora, another prominent infostealer family.[[Meduza Stealer RussianPanda June 28 2023](/references/f7d3cc96-4c0f-4a87-8a79-abd3f0f84533)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3401",
+ "source": "Tidal Cyber",
+ "tags": [
+ "4d767e87-4cf6-438a-927a-43d2d0beaab7",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "acc64744-7188-48b2-a753-196fff0467c6",
+ "value": "Meduza"
+ },
 {
 "description": "[meek](https://app.tidalcyber.com/software/6c3bbcae-3217-43c7-b709-5c54bc7636b1) is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.",
 "meta": {
@@ -13302,6 +14255,7 @@
 "software_attack_id": "S3021",
 "source": "Tidal Cyber",
 "tags": [
+ "9db5e7e2-74da-46a7-9bf4-e4cfb66106c9",
 "c5a258ce-9045-48d9-b254-ec2bf6437bb5",
 "cc4ea215-87ce-4351-9579-cf527caf5992",
 "d819ae1a-e385-49fd-88d5-f66660729ecb",
@@ -13323,22 +14277,10 @@ ] }, "related": [ - { - "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", - "type": "used-by" - }, - { - "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", - "type": "used-by" - }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, - { - "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", - "type": "used-by" - }, { "dest-uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05", "type": "used-by" @@ -13355,6 +14297,18 @@ "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" }, + { + "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", + "type": "used-by" + }, + { + "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", + "type": "used-by" + }, + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" 
@@ -13543,6 +14497,30 @@
 "uuid": "4184f447-6f74-487b-be08-6330a6b78992",
 "value": "Mftrace"
 },
+ {
+ "description": "[MgBot](https://app.tidalcyber.com/software/df390ec3-6557-524d-8a89-3fceff24ca96) is a modular malware framework exclusively associated with [Daggerfly](https://app.tidalcyber.com/groups/f0dab388-1641-50aa-b0b2-6bdb816e0490) operations since at least 2012. [MgBot](https://app.tidalcyber.com/software/df390ec3-6557-524d-8a89-3fceff24ca96) was developed in C++ and features a module design with multiple available plugins that have been under active development through 2024.[[Szappanos MgBot 2014](https://app.tidalcyber.com/references/d2742561-6d0a-54d6-9c6d-1e2cd789dcc4)][[ESET EvasivePanda 2023](https://app.tidalcyber.com/references/08026c7e-cc35-5d51-9536-a02febd1a891)][[Symantec Daggerfly 2024](https://app.tidalcyber.com/references/1dadd09e-e7b0-50a1-ba3d-413780dbeb80)]",
+ "meta": {
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S1146",
+ "source": "MITRE",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f0dab388-1641-50aa-b0b2-6bdb816e0490",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "df390ec3-6557-524d-8a89-3fceff24ca96",
+ "value": "MgBot"
+ },
 {
 "description": "[Micropsia](https://app.tidalcyber.com/software/5879efc1-f122-43ec-a80d-e25aa449594d) is a remote access tool written in Delphi.[[Talos Micropsia June 2017](https://app.tidalcyber.com/references/c727152c-079a-4ff9-a0e5-face919cf59b)][[Radware Micropsia July 2018](https://app.tidalcyber.com/references/8771ed60-eecb-4e0c-b22c-0c26d30d4dec)]",
 "meta": {
@@ -13672,55 +14650,67 @@ }, "related": [ { - "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", + "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", + "type": "used-by" + }, + { + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "type": "used-by" + }, + { + "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, + { + "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", + "type": "used-by" + }, + { + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "type": "used-by" + }, + { + "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", + "type": "used-by" + }, + { + "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", + "type": "used-by" + }, + { + "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", + "type": "used-by" + }, + { + "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", + "type": "used-by" + }, { "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", "type": "used-by" }, { - "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", + "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, - { - "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", - "type": "used-by" - }, { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { - "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", + "dest-uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75", "type": "used-by" }, { - "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", - "type": "used-by" - }, - { - "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0", - "type": "used-by" - }, - { - "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", - "type": "used-by" - }, - { - "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", - "type": "used-by" - }, - { - "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", + "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, { 
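Review bot: The rebuilt `related` array still lists `3d77fb6c-cfb4-5563-b0be-7aa1ad535337` twice on the new side: it is added in this hunk in place of `a57b52c7-9f64-4ffe-a7c3-0de738fb2af1`, and added again in the 13815/14741 hunk right after `b82c6ed1-c74a-4128-8b4d-18d1e17e1134`, so the duplicate `used-by` relation that the old side also carried survives the rewrite (the enclosing entry, `"uuid": "b8e7c0b4-49e4-4e8d-9467-b17f305ddf16"`, closes in the 13846/14904 hunk). A duplicated relation inflates "used by" counts and yields duplicate edges in consumers that do not deduplicate on `dest-uuid`. The array also appears to be emitted in an arbitrary order — neither sorted by `dest-uuid` nor preserving the previous order — which turns a pure membership change into roughly 200 diff lines spread over four hunks; sorting and deduplicating `related` by `dest-uuid` before export would keep these diffs reviewable and would have caught the duplicate mechanically.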
@@ -13731,80 +14721,16 @@ "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" }, - { - "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", - "type": "used-by" - }, { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, - { - "dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b", - "type": "used-by" - }, - { - "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", - "type": "used-by" - }, - { - "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866", - "type": "used-by" - }, - { - "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", - "type": "used-by" - }, - { - "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", - "type": "used-by" - }, - { - "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", - "type": "used-by" - }, - { - "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", - "type": "used-by" - }, - { - "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", - "type": "used-by" - }, - { - "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", - "type": "used-by" - }, - { - "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", - "type": "used-by" - }, - { - "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", - "type": "used-by" - }, - { - "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", - "type": "used-by" - }, { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" }, { - "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", - "type": "used-by" - }, - { - "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", - "type": "used-by" - }, - { - "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", - "type": "used-by" - }, - { - "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", + "dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b", "type": "used-by" }, { 
@@ -13815,14 +14741,150 @@ "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de", "type": "used-by" }, + { + "dest-uuid": "b82c6ed1-c74a-4128-8b4d-18d1e17e1134", + "type": "used-by" + }, + { + "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", + "type": "used-by" + }, + { + "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", + "type": "used-by" + }, + { + "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", + "type": "used-by" + }, + { + "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", + "type": "used-by" + }, + { + "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", + "type": "used-by" + }, + { + "dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07", + "type": "used-by" + }, + { + "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", + "type": "used-by" + }, + { + "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", + "type": "used-by" + }, + { + "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", + "type": "used-by" + }, + { + "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", + "type": "used-by" + }, + { + "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", + "type": "used-by" + }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, + { + "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "type": "used-by" + }, + { + "dest-uuid": "3a54b8dc-a231-4db8-96da-1c0c1aa396f6", + "type": "used-by" + }, + { + "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0", + "type": "used-by" + }, + { + "dest-uuid": "f0943620-7bbb-4239-8ed3-c541c36baaa1", + "type": "used-by" + }, + { + "dest-uuid": "36c70cf2-c7d5-5926-8155-5d3a63e3e55a", + "type": "used-by" + }, + { + "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", + "type": "used-by" + }, + { + "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", + "type": "used-by" + }, + { + "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", + "type": "used-by" + }, + { + "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", + "type": "used-by" + }, + { + "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", 
+ "type": "used-by" + }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, + { + "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", + "type": "used-by" + }, + { + "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", + "type": "used-by" + }, + { + "dest-uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4", + "type": "used-by" + }, + { + "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866", + "type": "used-by" + }, + { + "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", + "type": "used-by" + }, + { + "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", + "type": "used-by" + }, + { + "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7", + "type": "used-by" + }, + { + "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", + "type": "used-by" + }, + { + "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", + "type": "used-by" + }, + { + "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", + "type": "used-by" + }, + { + "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", + "type": "used-by" + }, + { + "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", + "type": "used-by" + }, { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" @@ -13831,10 +14893,6 @@ "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b", "type": "used-by" }, - { - "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", - "type": "used-by" - }, { "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", "type": "used-by" 
@@ -13846,78 +14904,6 @@ { "dest-uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342", "type": "used-by" - }, - { - "dest-uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75", - "type": "used-by" - }, - { - "dest-uuid": "b82c6ed1-c74a-4128-8b4d-18d1e17e1134", - "type": "used-by" - }, - { - "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", - "type": "used-by" - }, - { - "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", - "type": "used-by" - }, - { - "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", - "type": "used-by" - }, - { - "dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07", - "type": "used-by" - }, - { - "dest-uuid": "3a54b8dc-a231-4db8-96da-1c0c1aa396f6", - "type": "used-by" - }, - { - "dest-uuid": "f0943620-7bbb-4239-8ed3-c541c36baaa1", - "type": "used-by" - }, - { - "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", - "type": "used-by" - }, - { - "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", - "type": "used-by" - }, - { - "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", - "type": "used-by" - }, - { - "dest-uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4", - "type": "used-by" - }, - { - "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", - "type": "used-by" - }, - { - "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", - "type": "used-by" - }, - { - "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", - "type": "used-by" - }, - { - "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", - "type": "used-by" - }, - { - "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", - "type": "used-by" - }, - { - "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", - "type": "used-by" } ], "uuid": "b8e7c0b4-49e4-4e8d-9467-b17f305ddf16", 
@@ -14176,6 +15162,30 @@
 "uuid": "7ca5debb-f813-4e06-98f8-d1186552e5d2",
 "value": "MoleNet"
 },
+ {
+ "description": "[Moneybird](https://app.tidalcyber.com/software/9bffdaff-a9dc-59fa-9899-9d987fa190dd) is a ransomware variant written in C++ associated with [Agrius](https://app.tidalcyber.com/groups/36c70cf2-c7d5-5926-8155-5d3a63e3e55a) operations. The name \"Moneybird\" is contained in the malware's ransom note and as strings in the executable.[[CheckPoint Agrius 2023](https://app.tidalcyber.com/references/b3034b5d-1fe5-5677-a2e8-9329141875d4)]",
+ "meta": {
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S1137",
+ "source": "MITRE",
+ "tags": [
+ "7e7b0c67-bb85-4996-a289-da0e792d7172"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "36c70cf2-c7d5-5926-8155-5d3a63e3e55a",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "9bffdaff-a9dc-59fa-9899-9d987fa190dd",
+ "value": "Moneybird"
+ },
 {
 "description": "[Mongall](https://app.tidalcyber.com/software/7f5355b3-e819-4c82-a0fa-b80fda8fd6e6) is a backdoor that has been used since at least 2013, including by [Aoqin Dragon](https://app.tidalcyber.com/groups/454402a3-0503-45bf-b2e0-177fa2e2d412).[[SentinelOne Aoqin Dragon June 2022](https://app.tidalcyber.com/references/b4e792e0-b1fa-4639-98b1-233aaec53594)]",
 "meta": {
@@ -14439,6 +15449,10 @@
 "software_attack_id": "S3249",
 "source": "Tidal Cyber",
 "tags": [
+ "51006447-540b-4b9d-bdba-1cbff8038ae9",
+ "35e694ec-5133-46e3-b7e1-5831867c3b55",
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
 "5bd3af6b-cb96-4d96-9576-26521dd76513",
 "303a3675-4855-4323-b042-95bb1d907cca",
 "509a90c7-9ca9-4b23-bca2-cd38ef6a6207"
@@ -14716,6 +15730,30 @@
 "uuid": "8cccbfed-3f78-45fd-b5d1-efe884d28f09",
 "value": "msxsl"
 },
+ {
+ "description": "[MultiLayer Wiper](https://app.tidalcyber.com/software/b5f46c32-b316-5d9c-8dc1-a53df5487493) is wiper malware written in .NET associated with [Agrius](https://app.tidalcyber.com/groups/36c70cf2-c7d5-5926-8155-5d3a63e3e55a) operations. Observed samples of [MultiLayer Wiper](https://app.tidalcyber.com/software/b5f46c32-b316-5d9c-8dc1-a53df5487493) have an anomalous, future compilation date suggesting possible metadata manipulation.[[Unit42 Agrius 2023](https://app.tidalcyber.com/references/70fb43bd-f8e1-56a5-a0e9-884e85f16b10)]",
+ "meta": {
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S1135",
+ "source": "MITRE",
+ "tags": [
+ "2e621fc5-dea4-4cb9-987e-305845986cd3"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "36c70cf2-c7d5-5926-8155-5d3a63e3e55a",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "b5f46c32-b316-5d9c-8dc1-a53df5487493",
+ "value": "MultiLayer Wiper"
+ },
 {
 "description": "[MURKYTOP](https://app.tidalcyber.com/software/768111f9-0948-474b-82a6-cd5455079513) is a reconnaissance tool used by [Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871). [[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)]",
 "meta": {
@@ -14822,7 +15860,7 @@
 },
 "related": [
 {
- "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba",
+ "dest-uuid": "fcc6d937-8cd6-4f2c-adb8-48caedbde70a",
 "type": "used-by"
 },
 {
@@ -14830,7 +15868,7 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "fcc6d937-8cd6-4f2c-adb8-48caedbde70a",
+ "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba",
 "type": "used-by"
 },
 {
@@ -14899,21 +15937,17 @@ ], "software_attack_id": "S0590", "source": "MITRE", + "tags": [ + "cd1b5d44-226e-4405-8985-800492cf2865", + "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" + ], "type": [ "tool" ] }, "related": [ { - "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", - "type": "used-by" - }, - { - "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", - "type": "used-by" - }, - { - "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", + "dest-uuid": "753c7cd1-ca9f-4632-bbd2-fd55b9e70b10", "type": "used-by" }, { @@ -14921,13 +15955,21 @@ "type": "used-by" }, { - "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", + "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", + "type": "used-by" + }, + { + "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" }, { "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0", "type": "used-by" }, + { + "dest-uuid": "36c70cf2-c7d5-5926-8155-5d3a63e3e55a", + "type": "used-by" + }, { "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "type": "used-by" @@ -14935,6 +15977,14 @@ { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" + }, + { + "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", + "type": "used-by" + }, + { + "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", + "type": "used-by" } ], "uuid": "950f13e6-3ae3-411e-a2b2-4ba1afe6cb76", @@ -15054,12 +16104,14 @@ "software_attack_id": "S0039", "source": "MITRE", "tags": [ + "51006447-540b-4b9d-bdba-1cbff8038ae9", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "cd1b5d44-226e-4405-8985-800492cf2865", - "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "4e7ae33d-e040-4618-bccf-3b5e4aac81ed", "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", 
@@ -15073,60 +16125,12 @@ ] }, "related": [ - { - "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", - "type": "used-by" - }, - { - "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", - "type": "used-by" - }, - { - "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", - "type": "used-by" - }, - { - "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", - "type": "used-by" - }, - { - "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", - "type": "used-by" - }, - { - "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", - "type": "used-by" - }, - { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", - "type": "used-by" - }, - { - "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", - "type": "used-by" - }, - { - "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", - "type": "used-by" - }, - { - "dest-uuid": "0f86e871-0c6c-4227-ae28-3f3696d6ae9d", - "type": "used-by" - }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { - "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", - "type": "used-by" - }, - { - "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", - "type": "used-by" - }, - { - "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", + "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { @@ -15141,10 +16145,6 @@ "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, - { - "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b", - "type": "used-by" - }, { "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "type": "used-by" 
@@ -15153,22 +16153,30 @@ "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, + { + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "type": "used-by" + }, + { + "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", + "type": "used-by" + }, { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, - { - "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", - "type": "used-by" - }, - { - "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", - "type": "used-by" - }, { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, + { + "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", + "type": "used-by" + }, + { + "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", + "type": "used-by" + }, { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" @@ -15177,28 +16185,32 @@ "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", "type": "used-by" }, + { + "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", + "type": "used-by" + }, + { + "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", + "type": "used-by" + }, + { + "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", + "type": "used-by" + }, + { + "dest-uuid": "2cc28cf9-d030-4609-acdc-0b0429580bb4", + "type": "used-by" + }, + { + "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b", + "type": "used-by" + }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, { - "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", - "type": "used-by" - }, - { - "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", - "type": "used-by" - }, - { - "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", - "type": "used-by" - }, - { - "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", - "type": "used-by" - }, - { - "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", + "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" }, { 
@@ -15213,16 +16225,64 @@ "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, + { + "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", + "type": "used-by" + }, { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, + { + "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", + "type": "used-by" + }, + { + "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", + "type": "used-by" + }, + { + "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", + "type": "used-by" + }, + { + "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", + "type": "used-by" + }, + { + "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", + "type": "used-by" + }, + { + "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", + "type": "used-by" + }, + { + "dest-uuid": "8957f42d-a069-542b-bce6-3059a2fa0f2e", + "type": "used-by" + }, + { + "dest-uuid": "0f86e871-0c6c-4227-ae28-3f3696d6ae9d", + "type": "used-by" + }, { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" }, { - "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "type": "used-by" + }, + { + "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", + "type": "used-by" + }, + { + "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", + "type": "used-by" + }, + { + "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", "type": "used-by" } ], @@ -15300,13 +16360,17 @@ }, "related": [ { - "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, + { + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "type": "used-by" + }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" 
@@ -15315,26 +16379,26 @@ "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, - { - "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", - "type": "used-by" - }, { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, - { - "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", - "type": "used-by" - }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, + { + "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7", + "type": "used-by" + }, { "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de", "type": "used-by" }, + { + "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", + "type": "used-by" + }, { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" @@ -15365,6 +16429,14 @@ ] }, "related": [ + { + "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", + "type": "used-by" + }, + { + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "type": "used-by" + }, { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" @@ -15374,15 +16446,7 @@ "type": "used-by" }, { - "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", - "type": "used-by" - }, - { - "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", - "type": "used-by" - }, - { - "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { @@ -15390,11 +16454,7 @@ "type": "used-by" }, { - "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", - "type": "used-by" - }, - { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { @@ -15402,7 +16462,11 @@ "type": "used-by" }, { - "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", + "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", + "type": "used-by" + }, + { + "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, { 
@@ -15441,12 +16505,16 @@ ] }, "related": [ + { + "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", + "type": "used-by" + }, { "dest-uuid": "54a13c54-a1d5-46e9-b155-56d981a5ad8f", "type": "used-by" }, { - "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", + "dest-uuid": "ac3426c4-6d7e-4e99-9546-266fb7fd8c44", "type": "used-by" }, { @@ -15529,6 +16597,10 @@ ] }, "related": [ + { + "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", + "type": "used-by" + }, { "dest-uuid": "830079fe-9824-405b-93e0-c28592155c49", "type": "used-by" @@ -15537,10 +16609,6 @@ "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba", "type": "used-by" }, - { - "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", - "type": "used-by" - }, { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" @@ -15627,17 +16695,13 @@ }, "related": [ { - "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", + "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, - { - "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866", - "type": "used-by" - }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" @@ -15655,11 +16719,7 @@ "type": "used-by" }, { - "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", - "type": "used-by" - }, - { - "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", + "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", "type": "used-by" }, { @@ -15669,6 +16729,18 @@ { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" + }, + { + "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", + "type": "used-by" + }, + { + "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", + "type": "used-by" + }, + { + "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", + "type": "used-by" } ], "uuid": "316ecd9d-ac0b-58c7-8083-5d9214c770f6", 
@@ -15743,6 +16815,30 @@ "uuid": "b1963876-dbdc-5beb-ace3-acb6d7705543", "value": "NightClub" }, + { + "description": "[Nightdoor](https://app.tidalcyber.com/software/858084e7-41ba-53f8-b530-0286bf4ea764) is a backdoor exclusively associated with [Daggerfly](https://app.tidalcyber.com/groups/f0dab388-1641-50aa-b0b2-6bdb816e0490) operations. [Nightdoor](https://app.tidalcyber.com/software/858084e7-41ba-53f8-b530-0286bf4ea764) uses common libraries with [MgBot](https://app.tidalcyber.com/software/df390ec3-6557-524d-8a89-3fceff24ca96) and [MacMa](https://app.tidalcyber.com/software/7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb), linking these malware families together.[[ESET EvasivePanda 2024](https://app.tidalcyber.com/references/07e6b866-7119-50ad-8a6e-80c4e0d594bf)][[Symantec Daggerfly 2024](https://app.tidalcyber.com/references/1dadd09e-e7b0-50a1-ba3d-413780dbeb80)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1147", + "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "f0dab388-1641-50aa-b0b2-6bdb816e0490", + "type": "used-by" + } + ], + "uuid": "858084e7-41ba-53f8-b530-0286bf4ea764", + "value": "Nightdoor" + }, { "description": "[Ninja](https://app.tidalcyber.com/software/2dd26ff0-22d6-591b-9054-78e84fa3e05c) is a malware developed in C++ that has been used by [ToddyCat](https://app.tidalcyber.com/groups/0f41da7d-1e47-58fe-ba6e-ee658a985e1b) to penetrate networks and control remote systems since at least 2020. [Ninja](https://app.tidalcyber.com/software/2dd26ff0-22d6-591b-9054-78e84fa3e05c) is possibly part of a post exploitation toolkit exclusively used by [ToddyCat](https://app.tidalcyber.com/groups/0f41da7d-1e47-58fe-ba6e-ee658a985e1b) and allows multiple operators to work simultaneously on the same machine. 
[Ninja](https://app.tidalcyber.com/software/2dd26ff0-22d6-591b-9054-78e84fa3e05c) has been used against government and military entities in Europe and Asia and observed in specific infection chains being deployed by [Samurai](https://app.tidalcyber.com/software/bd75c822-7be6-5e6f-bd2e-0512be6d38d9).[[Kaspersky ToddyCat June 2022](https://app.tidalcyber.com/references/285c038b-e5fc-57ef-9a98-d9e24c52e2cf)]", "meta": { @@ -15764,6 +16860,32 @@ "uuid": "2dd26ff0-22d6-591b-9054-78e84fa3e05c", "value": "Ninja" }, + { + "description": "NinjaOne (formerly NinjaRMM) is a remote monitoring and management (\"RMM\") tool that adversaries such as Storm-0501 have abused for command and control and persistence purposes.[[Microsoft Security Blog September 26 2024](/references/bf05138b-f690-4b0f-ba10-9af71f7d9bfc)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3394", + "source": "Tidal Cyber", + "tags": [ + "e727eaa6-ef41-4965-b93a-8ad0c51d0236", + "e1af18e3-3224-4e4c-9d0f-533768474508" + ], + "type": [ + "tool" + ] + }, + "related": [ + { + "dest-uuid": "de72d564-6487-4cf3-be3e-0a961cf15d5d", + "type": "used-by" + } + ], + "uuid": "72373c4f-32f9-4780-84c7-458eece354f2", + "value": "NinjaRMM" + }, { "description": "NirSoft is a self-described \"freeware\" utility that can be used to recover passwords.[[NirSoft Website](/references/024e4e25-aab7-4231-bb4b-5e399d02d7b2)] According to U.S. cybersecurity authorities, ransomware actors such as those associated with the Royal ransomware operation have used the NirSoft utility to harvest passwords for malicious purposes.[[#StopRansomware: Royal Ransomware | CISA](/references/dd094572-da2e-4e54-9e54-b243dd4fcd2b)]", "meta": { 
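Review bot: The new NinjaRMM object is only findable under its legacy name: `"value": "NinjaRMM"` while the description itself says "NinjaOne (formerly NinjaRMM)", and `meta` carries no `synonyms` array, so a lookup on the current product name an analyst sees in telemetry returns nothing. Add `"synonyms": ["NinjaOne"]` to `meta` (or title the object NinjaOne and keep NinjaRMM as the synonym) so both names resolve to uuid 72373c4f-32f9-4780-84c7-458eece354f2. The description attributes C2/persistence abuse to Storm-0501 and the `related` array links one group uuid (de72d564-…); I cannot confirm from the hunk that they are the same actor, so that linkage is worth a glance.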
@@ -15816,30 +16938,30 @@ ] }, "related": [ - { - "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", - "type": "used-by" - }, - { - "dest-uuid": "fcc6d937-8cd6-4f2c-adb8-48caedbde70a", - "type": "used-by" - }, - { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", - "type": "used-by" - }, { "dest-uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2", "type": "used-by" }, + { + "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", + "type": "used-by" + }, { "dest-uuid": "b8a349a6-cde1-4d95-b20f-44c62bbfc786", "type": "used-by" }, + { + "dest-uuid": "fcc6d937-8cd6-4f2c-adb8-48caedbde70a", + "type": "used-by" + }, { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" }, + { + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "type": "used-by" + }, { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" @@ -15875,6 +16997,9 @@ "software_attack_id": "S0359", "source": "MITRE", "tags": [ + "51006447-540b-4b9d-bdba-1cbff8038ae9", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -15889,22 +17014,10 @@ ] }, "related": [ - { - "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", - "type": "used-by" - }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, - { - "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", - "type": "used-by" - }, - { - "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", - "type": "used-by" - }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" 
@@ -15913,16 +17026,40 @@ "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" }, + { + "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", + "type": "used-by" + }, { "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", "type": "used-by" }, + { + "dest-uuid": "2cc28cf9-d030-4609-acdc-0b0429580bb4", + "type": "used-by" + }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, { - "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", + "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", + "type": "used-by" + }, + { + "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7", + "type": "used-by" + }, + { + "dest-uuid": "8957f42d-a069-542b-bce6-3059a2fa0f2e", + "type": "used-by" + }, + { + "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", + "type": "used-by" + }, + { + "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" }, { @@ -15966,11 +17103,11 @@ }, "related": [ { - "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" }, { - "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", "type": "used-by" }, { 
@@ -16063,6 +17200,25 @@ "uuid": "d1817595-9186-4749-aeab-26c774c1885d", "value": "Npcap" }, + { + "description": "NPPSPY is an implementation of a theoretical mechanism first presented in 2004 for capturing credentials submitted to a Windows system via a rogue Network Provider API item. NPPSPY captures credentials following submission and writes them to a file on the victim system for follow-on exfiltration.[[Huntress NPPSPY 2022](https://app.tidalcyber.com/references/833c22ac-4f65-521a-9eda-8d22e255577e)][[Polak NPPSPY 2004](https://app.tidalcyber.com/references/ab5872b0-a755-5d85-8750-0b22f00ccb37)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1131", + "source": "MITRE", + "tags": [ + "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c" + ], + "type": [ + "tool" + ] + }, + "related": [], + "uuid": "d28ac865-35d2-5522-8454-d0f2178b3078", + "value": "NPPSPY" + }, { "description": "Ntdsutil is a Windows command-line tool \"that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).\"[[Ntdsutil Microsoft](/references/34de2f08-0481-4894-80ef-86506d821cf0)]", "meta": { @@ -16088,10 +17244,6 @@ ] }, "related": [ - { - "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", - "type": "used-by" - }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" @@ -16116,6 +17268,10 @@ "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, + { + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "type": "used-by" + }, { "dest-uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342", "type": "used-by" @@ -16507,10 +17663,6 @@ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, - { - "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", - "type": "used-by" - }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" 
@@ -16523,6 +17675,10 @@ "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, + { + "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", + "type": "used-by" + }, { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" @@ -16638,7 +17794,7 @@ "value": "Out1" }, { - "description": "[OutSteel](https://app.tidalcyber.com/software/042fe42b-f60e-45e1-b47d-a913e0677976) is a file uploader and document stealer developed with the scripting language AutoIT that has been used by [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) since at least March 2021.[[Palo Alto Unit 42 OutSteel SaintBot February 2022 ](https://app.tidalcyber.com/references/b0632490-76be-4018-982d-4b73b3d13881)]", + "description": "[OutSteel](https://app.tidalcyber.com/software/042fe42b-f60e-45e1-b47d-a913e0677976) is a file uploader and document stealer developed with the scripting language AutoIT that has been used by [Saint Bear](https://app.tidalcyber.com/groups/eb64ce69-f106-5e8e-8efd-a29385a05973) since at least March 2021.[[Palo Alto Unit 42 OutSteel SaintBot February 2022 ](https://app.tidalcyber.com/references/b0632490-76be-4018-982d-4b73b3d13881)]", "meta": { "platforms": [ "Windows" @@ -16655,7 +17811,7 @@ }, "related": [ { - "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", + "dest-uuid": "eb64ce69-f106-5e8e-8efd-a29385a05973", "type": "used-by" } ], 
@@ -16741,14 +17897,17 @@ "description": "Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[[GitHub Pacu](https://app.tidalcyber.com/references/bda43b1b-ea8d-4371-9984-6d8a7cc24965)]", "meta": { "platforms": [ - "IaaS" + "GCP", + "AWS", + "IaaS", + "Azure" ], "software_attack_id": "S1091", "source": "MITRE", "tags": [ + "c545270e-a6d4-4d89-af6e-d8be7219405d", "e1af18e3-3224-4e4c-9d0f-533768474508", "e81ba503-60b0-4b64-8f20-ef93e7783796", - "a2e000da-8181-4327-bacd-32013dbd3654", "2e5f6e4a-4579-46f7-9997-6923180815dd", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" ], @@ -16891,6 +18050,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", + "type": "used-by" } ], "uuid": "4d79530c-2fd9-4438-a8da-74f42119695a", @@ -17172,6 +18335,28 @@ "uuid": "5028ed72-8e6b-48bd-b4f4-e42df926893d", "value": "Pester" }, + { + "description": "Phemedrone is reportedly an \"open-source\" infostealer malware, written in C#, that is typically circulated via Telegram.[[SpyCloud Phemedrone September 6 2024](/references/f6612b6c-6bed-474f-9ff3-ae3024d099c2)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3398", + "source": "Tidal Cyber", + "tags": [ + "4d767e87-4cf6-438a-927a-43d2d0beaab7", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "30ca44b9-8645-4b51-af77-58e85897f7f9", + "value": "Phemedrone" + }, { "description": "This object represents a collection of MITRE ATT&CK® Techniques associated with Phobos ransomware binaries, as highlighted in sources such as joint Cybersecurity Advisory AA24-060A.[[U.S. CISA Phobos February 29 2024](/references/bd6f9bd3-22ec-42fc-9d85-fdc14dcfa55a)]", "meta": { 
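Review bot: The Pacu hunk adds `"GCP"` and `"Azure"` to `platforms` while the unchanged description on the same object still calls it an "open-source AWS exploitation framework", so the object now advertises cloud providers its own text does not support. If the intent is only to refine the generic `IaaS` tag, `"platforms": ["AWS", "IaaS"]` is the entry the description backs; if the upstream platform taxonomy deliberately expands every IaaS tool to all three providers, the description should say so instead, otherwise consumers filtering techniques by Azure or GCP will get an AWS-only tool. The same hunk swaps tag a2e000da-… for c545270e-…; those tag uuids are opaque here, so I cannot tell whether that is a deliberate re-categorisation or a drift.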
@@ -17256,7 +18441,32 @@ "value": "PHOREAL" }, { - "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nPikabot is a malware first observed in early 2023 that has downloader/dropper and backdoor functionality. Researchers observed Pikabot distribution increase following the disruption of the QakBot botnet by authorities in August 2023. Originally distributed via spam email campaigns, researchers observed the threat actor TA577 (previously known for distributing payloads including QakBot, IcedID, SystemBC, and Cobalt Strike) distributing Pikabot starting in December 2023.[[Malwarebytes Pikabot December 15 2023](/references/50b29ef4-7ade-4672-99b6-fdf367170a5b)]", + "description": "[Pikabot](https://app.tidalcyber.com/software/fb1b0624-3290-5977-abbc-bc9609b51f8d) is a backdoor used for initial access and follow-on tool deployment active since early 2023. [Pikabot](https://app.tidalcyber.com/software/fb1b0624-3290-5977-abbc-bc9609b51f8d) is notable for extensive use of multiple encoding, encryption, and defense evasion mechanisms to evade defenses and avoid analysis. [Pikabot](https://app.tidalcyber.com/software/fb1b0624-3290-5977-abbc-bc9609b51f8d) has some overlaps with [QakBot](https://app.tidalcyber.com/software/9050b418-5ffd-481a-a30d-f9059b0871ea), but insufficient evidence exists to definitively link these two malware families. 
[Pikabot](https://app.tidalcyber.com/software/fb1b0624-3290-5977-abbc-bc9609b51f8d) is frequently used to deploy follow on tools such as [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6) or ransomware variants.[[Zscaler Pikabot 2023](https://app.tidalcyber.com/references/7d3785e3-52db-54ec-ad54-32a2ecdb451f)][[Elastic Pikabot 2024](https://app.tidalcyber.com/references/6c222f33-f588-513c-9149-4c2308e05319)][[Logpoint Pikabot 2024](https://app.tidalcyber.com/references/5136cc70-ba63-551c-aa7f-ab4c57980a1c)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1145", + "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "84615fe0-c2a5-4e07-8957-78ebc29b4635" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "e1e72810-4661-54c7-b05e-859128fb327d", + "type": "used-by" + } + ], + "uuid": "fb1b0624-3290-5977-abbc-bc9609b51f8d", + "value": "Pikabot" + }, + { + "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Pikabot\" (Software). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\n*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nPikabot is a malware first observed in early 2023 that has downloader/dropper and backdoor functionality. Researchers observed Pikabot distribution increase following the disruption of the QakBot botnet by authorities in August 2023. 
Originally distributed via spam email campaigns, researchers observed the threat actor TA577 (previously known for distributing payloads including QakBot, IcedID, SystemBC, and Cobalt Strike) distributing Pikabot starting in December 2023.[[Malwarebytes Pikabot December 15 2023](/references/50b29ef4-7ade-4672-99b6-fdf367170a5b)]", "meta": { "owner": "TidalCyberIan", "platforms": [ @@ -17280,7 +18490,7 @@ } ], "uuid": "d2a226a2-ffa1-4bb0-a090-96dc42f9c84c", - "value": "Pikabot" + "value": "Pikabot (Deprecated)" }, { "description": "[Pillowmint](https://app.tidalcyber.com/software/db5d718b-1344-4aa2-8e6a-54e68d8adfb1) is a point-of-sale malware used by [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) designed to capture credit card information.[[Trustwave Pillowmint June 2020](https://app.tidalcyber.com/references/31bf381d-a0fc-4a4f-8d39-832480891685)]", 
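Review bot: The deprecation leaves no machine-readable link between the old Tidal object (uuid d2a226a2-ffa1-4bb0-a090-96dc42f9c84c, renamed "Pikabot (Deprecated)") and the MITRE object that replaces it (uuid fb1b0624-3290-5977-abbc-bc9609b51f8d); the pointer exists only as prose in the description. Anything already tagged with the old uuid will keep resolving to the deprecated cluster and will not pivot to the new relationships, so add a `related` entry on the deprecated object, e.g. `{"dest-uuid": "fb1b0624-3290-5977-abbc-bc9609b51f8d", "type": "similar"}`, and consider the reverse entry on the MITRE object. The description also claims "All relevant Tidal content extensions … have been added to the MITRE-authored object", but the new object's `related` lists a single group (e1e72810-…) and the deprecated object's relationships are outside this hunk, so that claim cannot be checked from the diff.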
@@ -17347,44 +18557,32 @@ ] }, "related": [ + { + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "type": "used-by" + }, { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, - { - "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", - "type": "used-by" - }, - { - "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", - "type": "used-by" - }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, - { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", - "type": "used-by" - }, - { - "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", - "type": "used-by" - }, - { - "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", - "type": "used-by" - }, { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" }, { - "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { - "dest-uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342", + "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", + "type": "used-by" + }, + { + "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" }, { @@ -17399,6 +18597,10 @@ "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, + { + "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", + "type": "used-by" + }, { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" @@ -17406,6 +18608,14 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" + }, + { + "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", + "type": "used-by" + }, + { + "dest-uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342", + "type": "used-by" } ], "uuid": "4ea12106-c0a1-4546-bb64-a1675d9f5dc7", 
@@ -17574,7 +18784,37 @@ "value": "PLAINTEE" }, { - "description": "Play is a ransomware operation first observed in July 2022. Security researchers have observed filename, filepath, and TTP overlaps between Play and Hive and Nokayawa ransomwares, which themselves are believed to be linked.[[Trend Micro Play Playbook September 06 2022](/references/2d2b527d-25b0-4b58-9ae6-c87060b64069)] According to publicly available ransomware extortion threat data, Play has claimed nearly 200 victims from a wide range of sectors on its data leak site since December 2022.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]", + "description": "[Playcrypt](https://app.tidalcyber.com/software/2d3d6034-21f7-5211-ab8a-338dada7082f) is a ransomware that has been used by [Play](https://app.tidalcyber.com/groups/60f686d0-ae3d-5662-af32-119217dee2a7) since at least 2022 in attacks against against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. 
[Playcrypt](https://app.tidalcyber.com/software/2d3d6034-21f7-5211-ab8a-338dada7082f) derives its name from adding the .play extension to encrypted files and has overlap with tactics and tools associated with Hive and Nokoyawa ransomware and infrastructure associated with Quantum ransomware.[[Microsoft PlayCrypt August 2022](https://app.tidalcyber.com/references/af4a38bc-32d5-5eab-a13a-0f3533beedb1)][[CISA Play Ransomware Advisory December 2023](https://app.tidalcyber.com/references/b47f5430-25d4-5502-9219-674daed4e2c5)][[Trend Micro Ransomware Spotlight Play July 2023](https://app.tidalcyber.com/references/399eac4c-5638-595c-9ee6-997dcd2d47c3)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1162", + "source": "MITRE", + "tags": [ + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", + "type": "used-by" + }, + { + "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7", + "type": "used-by" + } + ], + "uuid": "2d3d6034-21f7-5211-ab8a-338dada7082f", + "value": "Playcrypt" + }, + { + "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Playcrypt\" (Software). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nPlay is a ransomware operation first observed in July 2022. 
Security researchers have observed filename, filepath, and TTP overlaps between Play and Hive and Nokayawa ransomwares, which themselves are believed to be linked.[[Trend Micro Play Playbook September 06 2022](/references/2d2b527d-25b0-4b58-9ae6-c87060b64069)] According to publicly available ransomware extortion threat data, Play has claimed nearly 200 victims from a wide range of sectors on its data leak site since December 2022.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]", "meta": { "owner": "TidalCyberIan", "platforms": [ 
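Review bot: The new Playcrypt object's `related` lists 6d6ed42c-760c-4964-a81e-1d4df06a8800 and the Play group 60f686d0-…, but the deprecated "Play Ransomware" object (next hunk, uuid aeafc9f4-…) still carries a `used-by` relationship to 6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3 that does not appear on Playcrypt, which contradicts the deprecation note that "All relevant Tidal content extensions … have been added to the MITRE-authored object". Either add `{"dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by"}` to the Playcrypt `related` array or state in the note that the relationship was deliberately dropped. As with the other deprecations in this patch, a `"type": "similar"` relationship from the deprecated uuid to 2d3d6034-21f7-5211-ab8a-338dada7082f would let existing tags pivot to the maintained object instead of a dead end.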
@@ -17596,16 +18836,16 @@ }, "related": [ { - "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", + "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, { - "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", + "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" } ], "uuid": "aeafc9f4-e3b4-42ec-a156-4a05f1aa5ea3", - "value": "Play Ransomware" + "value": "Play Ransomware (Deprecated)" }, { "description": "[PLEAD](https://app.tidalcyber.com/software/9a890a85-afbe-4c35-a3e7-1adad481bdf7) is a remote access tool (RAT) and downloader used by [BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.[[TrendMicro BlackTech June 2017](https://app.tidalcyber.com/references/abb9cb19-d30e-4048-b106-eb29a6dad7fc)][[JPCert PLEAD Downloader June 2018](https://app.tidalcyber.com/references/871f4af2-ed99-4256-a74d-b8c0816a82ab)] [PLEAD](https://app.tidalcyber.com/software/9a890a85-afbe-4c35-a3e7-1adad481bdf7) has also been referred to as [TSCookie](https://app.tidalcyber.com/software/9872ab5a-c76e-4404-91f9-5b745722443b), though more recent reporting indicates likely separation between the two. [PLEAD](https://app.tidalcyber.com/software/9a890a85-afbe-4c35-a3e7-1adad481bdf7) was observed in use as early as March 2017.[[JPCert TSCookie March 2018](https://app.tidalcyber.com/references/ff1717f7-0d2e-4947-87d7-44576affe9f8)][[JPCert PLEAD Downloader June 2018](https://app.tidalcyber.com/references/871f4af2-ed99-4256-a74d-b8c0816a82ab)]", @@ -17661,6 +18901,10 @@ ] }, "related": [ + { + "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", + "type": "used-by" + }, { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" 
@@ -17669,10 +18913,6 @@ "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, - { - "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", - "type": "used-by" - }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" @@ -17698,37 +18938,21 @@ }, "related": [ { - "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", - "type": "used-by" - }, - { - "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", - "type": "used-by" - }, - { - "dest-uuid": "b10aa4c0-10a1-5e08-8d9d-82ce95d45e6a", - "type": "used-by" - }, - { - "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", - "type": "used-by" - }, - { - "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec", - "type": "used-by" - }, - { - "dest-uuid": "f2c2db08-624c-46b9-b7ed-b22c21b81813", - "type": "used-by" - }, - { - "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", + "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, + { + "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", + "type": "used-by" + }, + { + "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec", + "type": "used-by" + }, { "dest-uuid": "f1477581-d485-403f-a95f-c56bf88c5d1e", "type": "used-by" @@ -17738,11 +18962,11 @@ "type": "used-by" }, { - "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", + "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" }, { - "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", + "dest-uuid": "b10aa4c0-10a1-5e08-8d9d-82ce95d45e6a", "type": "used-by" }, { 
@@ -17752,6 +18976,26 @@ { "dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b", "type": "used-by" + }, + { + "dest-uuid": "f2c2db08-624c-46b9-b7ed-b22c21b81813", + "type": "used-by" + }, + { + "dest-uuid": "f0dab388-1641-50aa-b0b2-6bdb816e0490", + "type": "used-by" + }, + { + "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", + "type": "used-by" + }, + { + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "type": "used-by" + }, + { + "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", + "type": "used-by" } ], "uuid": "070b56f4-7810-4dad-b85f-bdfce9c08c10", @@ -17832,42 +19076,10 @@ ] }, "related": [ - { - "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", - "type": "used-by" - }, - { - "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", - "type": "used-by" - }, - { - "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec", - "type": "used-by" - }, - { - "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", - "type": "used-by" - }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, - { - "dest-uuid": "4510ce41-27b9-479c-9bf3-a328b77bae29", - "type": "used-by" - }, - { - "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", - "type": "used-by" - }, - { - "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", - "type": "used-by" - }, - { - "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", - "type": "used-by" - }, { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" 
@@ -17876,10 +19088,42 @@ "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, + { + "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", + "type": "used-by" + }, + { + "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec", + "type": "used-by" + }, + { + "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", + "type": "used-by" + }, + { + "dest-uuid": "4510ce41-27b9-479c-9bf3-a328b77bae29", + "type": "used-by" + }, + { + "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", + "type": "used-by" + }, + { + "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", + "type": "used-by" + }, { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, + { + "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", + "type": "used-by" + }, + { + "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", + "type": "used-by" + }, { "dest-uuid": "988f5312-834e-48ea-93b7-e6e01ee0938d", "type": "used-by" @@ -17889,7 +19133,7 @@ "type": "used-by" }, { - "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", + "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" } ], @@ -18022,12 +19266,16 @@ }, "related": [ { - "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", + "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" + }, + { + "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", + "type": "used-by" } ], "uuid": "a3a03835-79bf-4558-8e80-7983aeb842fb", @@ -18227,11 +19475,11 @@ }, "related": [ { - "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", + "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { - "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", + "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { 
@@ -18242,33 +19490,33 @@ "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, - { - "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", - "type": "used-by" - }, - { - "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", - "type": "used-by" - }, - { - "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", - "type": "used-by" - }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, - { - "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", - "type": "used-by" - }, { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, + { + "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "type": "used-by" + }, + { + "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", + "type": "used-by" + }, + { + "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", + "type": "used-by" + }, { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" + }, + { + "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", + "type": "used-by" } ], "uuid": "82fad10d-c921-4a87-a533-49def83d002b", @@ -18378,13 +19626,21 @@ }, "related": [ { - "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, + { + "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" @@ -18396,10 +19652,6 @@ { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" - }, - { - "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", - "type": "used-by" } ], "uuid": "b8a101e4-e0d2-4002-94c6-18ea30da7aa7", @@ -18622,6 +19874,10 @@ ] }, "related": [ + { + "dest-uuid": "753c7cd1-ca9f-4632-bbd2-fd55b9e70b10", + "type": "used-by" + }, { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" 
@@ -18667,12 +19923,16 @@ "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, + { + "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { - "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", + "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7", "type": "used-by" }, { @@ -18862,10 +20122,46 @@ ] }, "related": [ + { + "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", + "type": "used-by" + }, + { + "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", + "type": "used-by" + }, + { + "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", + "type": "used-by" + }, { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, + { + "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", + "type": "used-by" + }, + { + "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", + "type": "used-by" + }, + { + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "type": "used-by" + }, + { + "dest-uuid": "753c7cd1-ca9f-4632-bbd2-fd55b9e70b10", + "type": "used-by" + }, + { + "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", + "type": "used-by" + }, + { + "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", + "type": "used-by" + }, { "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", "type": "used-by" 
@@ -18875,67 +20171,7 @@ "type": "used-by" }, { - "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", - "type": "used-by" - }, - { - "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", - "type": "used-by" - }, - { - "dest-uuid": "0f86e871-0c6c-4227-ae28-3f3696d6ae9d", - "type": "used-by" - }, - { - "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", - "type": "used-by" - }, - { - "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", - "type": "used-by" - }, - { - "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", - "type": "used-by" - }, - { - "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", - "type": "used-by" - }, - { - "dest-uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4", - "type": "used-by" - }, - { - "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", - "type": "used-by" - }, - { - "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", - "type": "used-by" - }, - { - "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", - "type": "used-by" - }, - { - "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", - "type": "used-by" - }, - { - "dest-uuid": "55b20209-c04a-47ab-805d-ace83522ef6a", - "type": "used-by" - }, - { - "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", - "type": "used-by" - }, - { - "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", - "type": "used-by" - }, - { - "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", + "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de", "type": "used-by" }, { @@ -18943,15 +20179,7 @@ "type": "used-by" }, { - "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", - "type": "used-by" - }, - { - "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", - "type": "used-by" - }, - { - "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", + "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" }, { 
@@ -18975,61 +20203,97 @@ "type": "used-by" }, { - "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de", - "type": "used-by" - }, - { - "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", - "type": "used-by" - }, - { - "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", - "type": "used-by" - }, - { - "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", - "type": "used-by" - }, - { - "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", - "type": "used-by" - }, - { - "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", + "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" }, + { + "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", + "type": "used-by" + }, { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, + { + "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", + "type": "used-by" + }, { "dest-uuid": "d428f9be-6faf-4d57-b677-4a927fea5f7e", "type": "used-by" }, { - "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", + "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" }, { - "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", - "type": "used-by" - }, - { - "dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07", + "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { "dest-uuid": "3a54b8dc-a231-4db8-96da-1c0c1aa396f6", "type": "used-by" }, + { + "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", + "type": "used-by" + }, + { + "dest-uuid": "8957f42d-a069-542b-bce6-3059a2fa0f2e", + "type": "used-by" + }, + { + "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", + "type": "used-by" + }, + { + "dest-uuid": "2cc28cf9-d030-4609-acdc-0b0429580bb4", + "type": "used-by" + }, + { + "dest-uuid": "0f86e871-0c6c-4227-ae28-3f3696d6ae9d", + "type": "used-by" + }, + { + "dest-uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4", + "type": "used-by" + }, + { + "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", + "type": 
"used-by" + }, + { + "dest-uuid": "55b20209-c04a-47ab-805d-ace83522ef6a", + "type": "used-by" + }, + { + "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "type": "used-by" + }, + { + "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", + "type": "used-by" + }, + { + "dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07", + "type": "used-by" + }, + { + "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", + "type": "used-by" + }, { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" }, + { + "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", + "type": "used-by" + }, { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" @@ -19038,6 +20302,10 @@ "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, + { + "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7", + "type": "used-by" + }, { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" @@ -19045,6 +20313,22 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" + }, + { + "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", + "type": "used-by" + }, + { + "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", + "type": "used-by" + }, + { + "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", + "type": "used-by" + }, + { + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "type": "used-by" } ], "uuid": "73eb32af-4bd3-4e21-8048-355edc55a9c6", @@ -19302,7 +20586,6 @@ "platforms": [ "macOS", "Linux", - "Android", "Windows" ], "software_attack_id": "S0192", 
@@ -19372,10 +20655,26 @@ ] }, "related": [ + { + "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", + "type": "used-by" + }, + { + "dest-uuid": "8957f42d-a069-542b-bce6-3059a2fa0f2e", + "type": "used-by" + }, { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, + { + "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", + "type": "used-by" + }, + { + "dest-uuid": "2cc28cf9-d030-4609-acdc-0b0429580bb4", + "type": "used-by" + }, { "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", "type": "used-by" @@ -19383,14 +20682,6 @@ { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" - }, - { - "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", - "type": "used-by" - }, - { - "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", - "type": "used-by" } ], "uuid": "313c78e9-488d-4fbc-a6e5-05c0df3cb8a4", @@ -19414,7 +20705,7 @@ }, "related": [ { - "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", + "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" }, { @@ -19426,11 +20717,11 @@ "type": "used-by" }, { - "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", + "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { - "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", + "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { @@ -19474,6 +20765,7 @@ "software_attack_id": "S0583", "source": "MITRE", "tags": [ + "b802443a-37b2-4c38-addd-75e4efb1defd", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" @@ -19507,6 +20799,10 @@ ] }, "related": [ + { + "dest-uuid": "e1e72810-4661-54c7-b05e-859128fb327d", + "type": "used-by" + }, { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" 
@@ -19538,8 +20834,9 @@ "software_attack_id": "S3141", "source": "Tidal Cyber", "tags": [ + "c545270e-a6d4-4d89-af6e-d8be7219405d", + "b802443a-37b2-4c38-addd-75e4efb1defd", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", - "a2e000da-8181-4327-bacd-32013dbd3654", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", @@ -19568,8 +20865,9 @@ "software_attack_id": "S3123", "source": "Tidal Cyber", "tags": [ + "c545270e-a6d4-4d89-af6e-d8be7219405d", + "b802443a-37b2-4c38-addd-75e4efb1defd", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", - "a2e000da-8181-4327-bacd-32013dbd3654", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", @@ -19684,24 +20982,28 @@ }, "related": [ { - "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", - "type": "used-by" - }, - { - "dest-uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2", - "type": "used-by" - }, - { - "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" }, + { + "dest-uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2", + "type": "used-by" + }, { "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0", "type": "used-by" + }, + { + "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", + "type": "used-by" + }, + { + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "type": "used-by" } ], "uuid": "4bab7c2b-5ec4-467e-8df4-f2e6996e136b", 
@@ -19846,7 +21148,32 @@ "value": "Quser" }, { - "description": "Raccoon Stealer is one of the most heavily used information & credential stealers (\"\"infostealers\"\") in recent years. The \"\"2.0\"\" version of Raccoon Stealer was observed in mid-2022, featuring new capabilities designed to improve its stealth.[[Sekoia.io Raccoon Stealer June 28 2022](/references/df0c9cbd-8692-497e-9f81-cf9e44a3a5cd)] Raccoon Stealer is licensed as a service, and like many other modern infostealer families, the relatively low cost of a Raccoon Stealer subscription (around $75 for weeklong access) contributes to the malware's popularity. Victim credentials acquired via Raccoon Stealer are often resold on illicit, automated marketplaces on the dark web.\n\nMore details on the shifting infostealer landscape, the rising threat posed by infostealers to large and small organizations, and defending against top infostealer TTPs can be found in the Tidal Cyber blog series: Part 1 (https://www.tidalcyber.com/blog/big-game-stealing-part-1-the-infostealer-landscape-rising-infostealer-threats-to-businesses-w), Part 2 (https://www.tidalcyber.com/blog/big-game-stealing-part-2-defenses-for-top-infostealer-techniques).", + "description": "[Raccoon Stealer](https://app.tidalcyber.com/software/8d717889-a101-54a8-8c8c-4aee8423d151) is an information stealer malware family active since at least 2019 as a malware-as-a-service offering sold in underground forums. 
[Raccoon Stealer](https://app.tidalcyber.com/software/8d717889-a101-54a8-8c8c-4aee8423d151) has experienced two periods of activity across two variants, from 2019 to March 2022, then resurfacing in a revised version in June 2022.[[S2W Racoon 2022](https://app.tidalcyber.com/references/b53a4c5f-ef68-50a7-ae2d-192b3ace860c)][[Sekoia Raccoon1 2022](https://app.tidalcyber.com/references/645bc346-747b-5b9b-984b-fa1057cf8eb1)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1148", + "source": "MITRE", + "tags": [ + "15787198-6c8b-4f79-bf50-258d55072fee", + "4d767e87-4cf6-438a-927a-43d2d0beaab7" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", + "type": "used-by" + } + ], + "uuid": "8d717889-a101-54a8-8c8c-4aee8423d151", + "value": "Raccoon Stealer" + }, + { + "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Raccoon Stealer\" (Software). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nRaccoon Stealer is one of the most heavily used information & credential stealers (\"\"infostealers\"\") in recent years. The \"\"2.0\"\" version of Raccoon Stealer was observed in mid-2022, featuring new capabilities designed to improve its stealth.[[Sekoia.io Raccoon Stealer June 28 2022](/references/df0c9cbd-8692-497e-9f81-cf9e44a3a5cd)] Raccoon Stealer is licensed as a service, and like many other modern infostealer families, the relatively low cost of a Raccoon Stealer subscription (around $75 for weeklong access) contributes to the malware's popularity. 
Victim credentials acquired via Raccoon Stealer are often resold on illicit, automated marketplaces on the dark web.\n\nMore details on the shifting infostealer landscape, the rising threat posed by infostealers to large and small organizations, and defending against top infostealer TTPs can be found in the Tidal Cyber blog series: Part 1 (https://www.tidalcyber.com/blog/big-game-stealing-part-1-the-infostealer-landscape-rising-infostealer-threats-to-businesses-w), Part 2 (https://www.tidalcyber.com/blog/big-game-stealing-part-2-defenses-for-top-infostealer-techniques).", "meta": { "owner": "TidalCyberIan", "platforms": [ @@ -19869,7 +21196,7 @@ } ], "uuid": "7046193b-96c2-462b-9ba1-ea39a938e8e9", - "value": "Raccoon Stealer 2.0" + "value": "Raccoon Stealer 2.0 (Deprecated)" }, { "description": "Radmin is a free remote desktop software application. It has been abused by cyber threat actors such as Akira ransomware operators to facilitate remote access into victim networks.[[Sophos Akira May 9 2023](/references/1343b052-b158-4dad-9ed4-9dbb7bb778dd)]", @@ -19896,11 +21223,11 @@ }, "related": [ { - "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", + "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", "type": "used-by" }, { - "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", + "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { @@ -19920,9 +21247,10 @@ "software_attack_id": "S0481", "source": "MITRE", "tags": [ + "c545270e-a6d4-4d89-af6e-d8be7219405d", + "b802443a-37b2-4c38-addd-75e4efb1defd", "cb5803f0-8ab4-4ada-8540-7758dfc126e2", "5e7433ad-a894-4489-93bc-41e90da90019", - "a2e000da-8181-4327-bacd-32013dbd3654", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ 
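Review bot: The deprecated object kept under uuid `7046193b-96c2-462b-9ba1-ea39a938e8e9` points to its MITRE replacement only through free text — the new leading sentence in `description` and the `(Deprecated)` suffix on `value` — while its `related` array (which continues past the end of this hunk) carries no link to the replacement `8d717889-a101-54a8-8c8c-4aee8423d151`, so anything that walks relationships rather than reading prose cannot find the successor. A relationship such as `{ "dest-uuid": "8d717889-a101-54a8-8c8c-4aee8423d151", "type": "similar" }` on the deprecated object would make the supersession machine-readable. The Raspberry Robin pair introduced in the hunk at `-20142,7 +21473,38` (deprecated `dc0dbd15-0916-43c7-a3b9-6dc3ce0771be`, replacement `22841966-6888-5ae5-8546-fd777cd66ca4`) has the same gap. The deprecation text also states that all Tidal relationships were carried over to the MITRE-authored object, yet the new Raccoon Stealer object lists a single `used-by` entry; the deprecated object's own relationships are outside this hunk, so this may simply reflect what it had, but it is worth confirming before the old object stops being maintained.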
@@ -20025,11 +21353,11 @@ }, "related": [ { - "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", + "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" }, { - "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", + "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { @@ -20076,6 +21404,9 @@ "software_attack_id": "S3188", "source": "Tidal Cyber", "tags": [ + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "e809d252-12cc-494d-94f5-954c49eb87ce", "33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a", "a159c91c-5258-49ea-af7d-e803008d97d3", "70dc52b0-f317-4134-8a42-71aea1443707", 
@@ -20142,7 +21473,38 @@ "value": "Rasautou" }, { - "description": "A highly active worm that spreads through removable media devices and abuses built-in Windows utilities after initial infection of the host. Raspberry Robin has evolved into a major malware delivery threat, with links to infections involving Cobalt Strike, SocGholish, Truebot, and ultimately ransomware.[[Microsoft Security Raspberry Robin October 2022](/references/8017e42a-8373-4d24-8d89-638a925b704b)]\n\n**Delivers**: Cobalt Strike[[Microsoft Security Raspberry Robin October 2022](/references/8017e42a-8373-4d24-8d89-638a925b704b)], SocGholish[[Microsoft Security Raspberry Robin October 2022](/references/8017e42a-8373-4d24-8d89-638a925b704b)], Truebot[[Microsoft Security Raspberry Robin October 2022](/references/8017e42a-8373-4d24-8d89-638a925b704b)][[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.raspberry_robin\n\n**Malware Bazaar (Samples & IOCs)**: https://bazaar.abuse.ch/browse/tag/raspberryrobin/\n\n**PulseDive (IOCs)**: https://pulsedive.com/threat/Raspberry%20Robin", + "description": "[Raspberry Robin](https://app.tidalcyber.com/software/22841966-6888-5ae5-8546-fd777cd66ca4) is initial access malware first identified in September 2021, and active through early 2024. The malware is notable for spreading via infected USB devices containing a malicious LNK object that, on execution, retrieves remote hosted payloads for installation. 
[Raspberry Robin](https://app.tidalcyber.com/software/22841966-6888-5ae5-8546-fd777cd66ca4) has been widely used against various industries and geographies, and as a precursor to information stealer, ransomware, and other payloads such as [SocGholish](https://app.tidalcyber.com/software/ab84f259-9b9a-51d8-a68a-2bcd7512d760), [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6), [IcedID](https://app.tidalcyber.com/software/7f59bb7c-5fa9-497d-9d8e-ba9349fd9433), and [Bumblebee](https://app.tidalcyber.com/software/cc155181-fb34-4aaf-b083-b7b57b140b7a).[[TrendMicro RaspberryRobin 2022](https://app.tidalcyber.com/references/b454f50a-57fe-56f2-a8c0-ae1ab65fa945)][[RedCanary RaspberryRobin 2022](https://app.tidalcyber.com/references/ca6aa417-3da7-5173-818c-c539983033b5)][[HP RaspberryRobin 2024](https://app.tidalcyber.com/references/f01c041a-f8f5-51de-ab2f-1f513bf6d38c)] The DLL componenet in the [Raspberry Robin](https://app.tidalcyber.com/software/22841966-6888-5ae5-8546-fd777cd66ca4) infection chain is also referred to as \"Roshtyak.\"[[Avast RaspberryRobin 2022](https://app.tidalcyber.com/references/3ebeefee-42cd-5130-8d6b-d0520d8bb8c2)] The name \"Raspberry Robin\" is used to refer to both the malware as well as the threat actor associated with its use, although the Raspberry Robin operators are also tracked as Storm-0856 by some vendors.[[Microsoft RaspberryRobin 2022](https://app.tidalcyber.com/references/fe2dd68c-6e25-5fae-bc57-3a072ecf4f72)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1130", + "source": "MITRE", + "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "1dc8fd1e-0737-405a-98a1-111dd557f1b5", + "15787198-6c8b-4f79-bf50-258d55072fee", + "e809d252-12cc-494d-94f5-954c49eb87ce" + ], + "type": [ + "malware" + ] + }, + 
"related": [ + { + "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", + "type": "used-by" + } + ], + "uuid": "22841966-6888-5ae5-8546-fd777cd66ca4", + "value": "Raspberry Robin" + }, + { + "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Raspberry Robin\" (Software). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nA highly active worm that spreads through removable media devices and abuses built-in Windows utilities after initial infection of the host. Raspberry Robin has evolved into a major malware delivery threat, with links to infections involving Cobalt Strike, SocGholish, Truebot, and ultimately ransomware.[[Microsoft Security Raspberry Robin October 2022](/references/8017e42a-8373-4d24-8d89-638a925b704b)]\n\n**Delivers**: Cobalt Strike[[Microsoft Security Raspberry Robin October 2022](/references/8017e42a-8373-4d24-8d89-638a925b704b)], SocGholish[[Microsoft Security Raspberry Robin October 2022](/references/8017e42a-8373-4d24-8d89-638a925b704b)], Truebot[[Microsoft Security Raspberry Robin October 2022](/references/8017e42a-8373-4d24-8d89-638a925b704b)][[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.raspberry_robin\n\n**Malware Bazaar (Samples & IOCs)**: https://bazaar.abuse.ch/browse/tag/raspberryrobin/\n\n**PulseDive (IOCs)**: https://pulsedive.com/threat/Raspberry%20Robin", "meta": { "owner": "TidalCyberIan", "platforms": [ 
@@ -20171,7 +21533,7 @@ } ], "uuid": "dc0dbd15-0916-43c7-a3b9-6dc3ce0771be", - "value": "Raspberry Robin" + "value": "Raspberry Robin (Deprecated)" }, { "description": "[RATANKBA](https://app.tidalcyber.com/software/40466d7d-a107-46aa-a6fc-180e0eef2c6b) is a remote controller tool used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08). [RATANKBA](https://app.tidalcyber.com/software/40466d7d-a107-46aa-a6fc-180e0eef2c6b) has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. [RATANKBA](https://app.tidalcyber.com/software/40466d7d-a107-46aa-a6fc-180e0eef2c6b) has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. [[Lazarus RATANKBA](https://app.tidalcyber.com/references/e3f9853f-29b0-4219-a488-a6ecfa16b09f)] [[RATANKBA](https://app.tidalcyber.com/references/7d08ec64-7fb8-4520-b26b-95b0dee891fe)]", @@ -20276,14 +21638,6 @@ "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", "type": "used-by" }, - { - "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", - "type": "used-by" - }, - { - "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", - "type": "used-by" - }, { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" @@ -20293,11 +21647,11 @@ "type": "used-by" }, { - "dest-uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05", + "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { - "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", + "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { 
@@ -20309,13 +21663,37 @@ "type": "used-by" }, { - "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", + "dest-uuid": "8957f42d-a069-542b-bce6-3059a2fa0f2e", + "type": "used-by" + }, + { + "dest-uuid": "de72d564-6487-4cf3-be3e-0a961cf15d5d", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, + { + "dest-uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05", + "type": "used-by" + }, + { + "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", + "type": "used-by" + }, + { + "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", + "type": "used-by" + }, + { + "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", + "type": "used-by" + }, { "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", "type": "used-by" @@ -20323,10 +21701,6 @@ { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" - }, - { - "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", - "type": "used-by" } ], "uuid": "1f3f15fa-1b4b-494d-abc8-c7f8a227b7b4", @@ -20349,11 +21723,11 @@ }, "related": [ { - "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", + "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" }, { - "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", + "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" } ], 
@@ -20543,10 +21917,38 @@ ] }, "related": [ + { + "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", + "type": "used-by" + }, + { + "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", + "type": "used-by" + }, + { + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "type": "used-by" + }, + { + "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", + "type": "used-by" + }, + { + "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", + "type": "used-by" + }, { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, + { + "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", + "type": "used-by" + }, + { + "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", + "type": "used-by" + }, { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" @@ -20556,19 +21958,7 @@ "type": "used-by" }, { - "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", - "type": "used-by" - }, - { - "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", - "type": "used-by" - }, - { - "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", - "type": "used-by" - }, - { - "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", + "dest-uuid": "f0dab388-1641-50aa-b0b2-6bdb816e0490", "type": "used-by" }, { @@ -20578,10 +21968,6 @@ { "dest-uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342", "type": "used-by" - }, - { - "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", - "type": "used-by" } ], "uuid": "d796615c-fa3d-4afd-817a-1a3db8c73532", @@ -20761,6 +22147,10 @@ "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, + { + "dest-uuid": "de72d564-6487-4cf3-be3e-0a961cf15d5d", + "type": "used-by" + }, { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" 
@@ -20979,17 +22369,57 @@
 },
 "related": [
 {
- "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
+ "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "type": "used-by"
 },
 {
- "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
+ "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
 "type": "used-by"
 }
 ],
 "uuid": "2a5ea3a7-9873-4a2e-b4b5-4e27a80db305",
 "value": "Responder"
 },
+ {
+ "description": "Restic is an open-source backup utility that adversaries have used to exfiltrate data from victim file shares to remote servers.[[The DFIR Report September 30 2024](/references/b2ee9f5e-ed34-4141-9740-8f6e37ba4f28)][[GuidePoint Security INC Ransomware August 14 2024](/references/414ff729-ba51-4c5a-a4ac-027e0d3c14df)][[Www.huntress.com March 13 2024](/references/e3931ba7-24de-4283-9941-fe927a75fb5e)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "macOS",
+ "Linux",
+ "Windows"
+ ],
+ "software_attack_id": "S3393",
+ "source": "Tidal Cyber",
+ "tags": [
+ "8bf128ad-288b-41bc-904f-093f4fdde745",
+ "e1af18e3-3224-4e4c-9d0f-533768474508"
+ ],
+ "type": [
+ "tool"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "8957f42d-a069-542b-bce6-3059a2fa0f2e",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "2cc28cf9-d030-4609-acdc-0b0429580bb4",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "1e3ea2d1-bd50-409d-9307-c1e6b70d2bb7",
+ "value": "Restic"
+ },
 {
 "description": "[Revenge RAT](https://app.tidalcyber.com/software/f99712b4-37a2-437c-92d7-fb4f94a1f892) is a freely available remote access tool written in .NET (C#).[[Cylance Shaheen Nov 2018](https://app.tidalcyber.com/references/57802e46-e12c-4230-8d1c-08854a0de06a)][[Cofense RevengeRAT Feb 2019](https://app.tidalcyber.com/references/3abfc3eb-7f9d-49e5-8048-4118cde3122e)]",
 "meta": {
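Review bot: The citation label `Www.huntress.com March 13 2024` in the new Restic `description` breaks the `<Vendor> <Topic> <Date>` labelling used by the two citations next to it (`The DFIR Report September 30 2024`, `GuidePoint Security INC Ransomware August 14 2024`) and reads as auto-derived from the hostname. `Huntress March 13 2024` would match the surrounding convention; the `/references/e3931ba7-24de-4283-9941-fe927a75fb5e` target is unaffected, since only the display text changes. Nothing else in the object depends on the label.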
@@ -21045,17 +22475,21 @@ ] }, "related": [ - { - "dest-uuid": "b4d068ac-9b68-4cd8-bf0c-019f910ef8e3", - "type": "used-by" - }, { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, + { + "dest-uuid": "e1e72810-4661-54c7-b05e-859128fb327d", + "type": "used-by" + }, { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" + }, + { + "dest-uuid": "b4d068ac-9b68-4cd8-bf0c-019f910ef8e3", + "type": "used-by" } ], "uuid": "9314531e-bf46-4cba-9c19-198279ccf9cd", 
@@ -21085,6 +22519,32 @@
 "uuid": "d5649d69-52d4-4198-9683-b250348dea32",
 "value": "RGDoor"
 },
+ {
+ "description": "Rhadamanthys is an infostealer malware written in C++.[[Zscaler Rhadamanthys February 21 2023](/references/a289704d-952d-4150-b9cc-5c53e4b0a41f)] First identified in late 2022, the malware has continued to receive updates and new features, including an artificial intelligence-based capability reported in September 2024 where the malware uses optical character recognition (OCR) to automatically recognize and extract sensitive victim information from images.[[Recorded Future Rhadamanthys September 26 2024](/references/5e668cd3-5a5d-4b40-9d4b-6108489a9a91)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3403",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "a12ce715-caa4-48ba-8d27-1c07d61e0d2f",
+ "value": "Rhadamanthys"
+ },
 {
 "description": "Rhysida is a ransomware-as-a-service (RaaS) operation that has been active since May 2023, claiming attacks on multiple sectors in several countries in North and South America, Western Europe, and Australia. Many alleged victims are education sector entities. Security researchers have observed TTP and victimology overlaps with the Vice Society extortion group.[[HC3 Analyst Note Rhysida Ransomware August 2023](/references/3f6e2821-5073-4382-b5dd-08676eaa2240)]",
 "meta": {
@@ -21108,11 +22568,11 @@
 },
 "related": [
 {
- "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f",
+ "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f",
 "type": "used-by"
 },
 {
- "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f",
+ "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f",
 "type": "used-by"
 }
 ],
@@ -21177,9 +22637,32 @@
 "uuid": "19b1f1c8-5ef3-4328-b605-38e0bafc084d",
 "value": "Rising Sun"
 },
+ {
+ "description": "[ROADSWEEP](https://app.tidalcyber.com/software/5452ec27-0deb-5f29-bed9-5ee838040438) is a ransomware that was deployed against Albanian government networks during [HomeLand Justice](https://app.tidalcyber.com/campaigns/04329c95-d792-5333-b5bc-13ef2c545d7b) along with the [CHIMNEYSWEEP](https://app.tidalcyber.com/software/966f4b5c-e5f3-598e-9ac0-a5174c56827b) backdoor.[[Mandiant ROADSWEEP August 2022](https://app.tidalcyber.com/references/0d81ec58-2e12-5824-aa53-feb0d2260f30)]",
+ "meta": {
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S1150",
+ "source": "MITRE",
+ "tags": [
+ "7e7b0c67-bb85-4996-a289-da0e792d7172"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "5452ec27-0deb-5f29-bed9-5ee838040438",
+ "value": "ROADSWEEP"
+ },
 {
 "description": "[ROADTools](https://app.tidalcyber.com/software/15bc8e94-64d1-4f1f-bc99-08cfbac417dc) is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.[[ROADtools Github](https://app.tidalcyber.com/references/90c592dc-2c9d-401a-96ab-b539f7522956)]",
 "meta": {
+ "platforms": [
+ "Azure AD",
+ "Identity Provider"
+ ],
 "software_attack_id": "S0684",
 "source": "MITRE",
 "tags": [
@@ -21380,9 +22863,10 @@
 "software_attack_id": "S1073",
 "source": "MITRE",
 "tags": [
+ "c545270e-a6d4-4d89-af6e-d8be7219405d",
+ "b802443a-37b2-4c38-addd-75e4efb1defd",
 "b05fef45-bf36-47a0-b96a-cc76ac8a4f1e",
 "e551ae97-d1b4-484e-9267-89f33829ec2c",
- "a2e000da-8181-4327-bacd-32013dbd3654",
 "5e7433ad-a894-4489-93bc-41e90da90019",
 "15787198-6c8b-4f79-bf50-258d55072fee",
 "7e7b0c67-bb85-4996-a289-da0e792d7172"
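Review bot: The new ROADSWEEP object is the only software entry in this diff written with `"related": []`, although its own `description` ties it to a companion backdoor (CHIMNEYSWEEP, `966f4b5c-e5f3-598e-9ac0-a5174c56827b`) and to a campaign (HomeLand Justice) rather than to a named group. If the generator only emits `used-by` links to group objects, an empty list is the expected outcome and a short remark in the commit description would save the next reader the same question; if co-deployment is meant to be expressed, a `similar`-type relation to the CHIMNEYSWEEP uuid would carry it. Worth confirming that nothing was dropped during generation before this ships.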
@@ -21493,10 +22977,6 @@ "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", "type": "used-by" }, - { - "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", - "type": "used-by" - }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" @@ -21505,6 +22985,10 @@ "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" @@ -21518,6 +23002,8 @@ "meta": { "platforms": [ "Office 365", + "Google Workspace", + "Office Suite", "Windows" ], "software_attack_id": "S0358", @@ -21555,6 +23041,10 @@ ] }, "related": [ + { + "dest-uuid": "de72d564-6487-4cf3-be3e-0a961cf15d5d", + "type": "used-by" + }, { "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b", "type": "used-by" @@ -21742,7 +23232,7 @@ }, "related": [ { - "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", + "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" }, { @@ -21750,7 +23240,7 @@ "type": "used-by" }, { - "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", + "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" } ], 
@@ -21758,7 +23248,36 @@ "value": "Ryuk" }, { - "description": "[Saint Bot](https://app.tidalcyber.com/software/d66e5d18-e9f5-4091-bdf4-acdac129e2e0) is a .NET downloader that has been used by [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) since at least March 2021.[[Malwarebytes Saint Bot April 2021](https://app.tidalcyber.com/references/3a1faa47-7bd3-453f-9b7a-bb17efb8bb3c)][[Palo Alto Unit 42 OutSteel SaintBot February 2022 ](https://app.tidalcyber.com/references/b0632490-76be-4018-982d-4b73b3d13881)]", + "description": "54bb47h (\"Sabbath\") refers to the branding used by a ransomware operation in 2021. UNC2190 (aka Storm-0501) actors, who have leveraged a considerable number of distinct ransomware families, were observed deploying Sabbath ransomware during attacks on critical infrastructure organizations from June through at least October of that year.[[Mandiant Sabbath Ransomware November 29 2021](/references/ab3a20a5-2df1-4f8e-989d-baa96ffaca74)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3392", + "source": "Tidal Cyber", + "tags": [ + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "de72d564-6487-4cf3-be3e-0a961cf15d5d", + "type": "used-by" + } + ], + "uuid": "28134511-b91e-4b69-962d-74e80ac6305b", + "value": "Sabbath Ransomware" + }, + { + "description": "[Saint Bot](https://app.tidalcyber.com/software/d66e5d18-e9f5-4091-bdf4-acdac129e2e0) is a .NET downloader that has been used by [Saint Bear](https://app.tidalcyber.com/groups/eb64ce69-f106-5e8e-8efd-a29385a05973) since at least March 2021.[[Malwarebytes Saint Bot April 2021](https://app.tidalcyber.com/references/3a1faa47-7bd3-453f-9b7a-bb17efb8bb3c)][[Palo Alto Unit 42 OutSteel 
SaintBot February 2022 ](https://app.tidalcyber.com/references/b0632490-76be-4018-982d-4b73b3d13881)]", "meta": { "platforms": [ "Windows" @@ -21773,6 +23292,10 @@ ] }, "related": [ + { + "dest-uuid": "eb64ce69-f106-5e8e-8efd-a29385a05973", + "type": "used-by" + }, { "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", "type": "used-by" @@ -21988,7 +23511,7 @@ }, "related": [ { - "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", + "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { @@ -21996,7 +23519,11 @@ "type": "used-by" }, { - "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", + "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", + "type": "used-by" + }, + { + "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" }, { @@ -22026,10 +23553,6 @@ { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" - }, - { - "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", - "type": "used-by" } ], "uuid": "2aacbf3a-a359-41d2-9a71-76447f0545b5", @@ -22167,6 +23690,10 @@ ] }, "related": [ + { + "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", + "type": "used-by" + }, { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" @@ -22329,6 +23856,10 @@ { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" + }, + { + "dest-uuid": "de72d564-6487-4cf3-be3e-0a961cf15d5d", + "type": "used-by" } ], "uuid": "a1fef846-cb22-4885-aa14-cb67ab38fce4", @@ -22500,7 +24031,7 @@ "type": "used-by" }, { - "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", + "dest-uuid": "b8a349a6-cde1-4d95-b20f-44c62bbfc786", "type": "used-by" }, { @@ -22514,6 +24045,10 @@ { "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "type": "used-by" + }, + { + "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", + "type": "used-by" } ], "uuid": "5190f50d-7e54-410a-9961-79ab751ddbab", 
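Review bot: The rewritten Saint Bot `description` now attributes the downloader to Saint Bear (`eb64ce69-f106-5e8e-8efd-a29385a05973`) and the hunk at `-21773,6 +23292,10` adds the matching `used-by` entry, but the pre-existing `used-by` relation to Ember Bear (`407274be-1820-4a84-939e-629313f4de1d`) is kept even though the text no longer mentions Ember Bear. If that retained link is a deliberate Tidal extension it should survive regeneration as-is; if it is a leftover of the previous attribution it is now unsupported by the object's own description and should be dropped or re-sourced. A one-line remark in the commit description stating which case applies would settle it for downstream consumers who resolve both group uuids.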
@@ -22728,11 +24263,11 @@ }, "related": [ { - "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { - "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { @@ -23119,11 +24654,11 @@ }, "related": [ { - "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { - "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", "type": "used-by" }, { @@ -23411,6 +24946,7 @@ "software_attack_id": "S3045", "source": "Tidal Cyber", "tags": [ + "ac469e6e-92f0-4fd6-898f-95656b663caf", "d903e38b-600d-4736-9e3b-cf1a6e436481", "d819ae1a-e385-49fd-88d5-f66660729ecb", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", @@ -23434,10 +24970,6 @@ ] }, "related": [ - { - "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", - "type": "used-by" - }, { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" @@ -23446,16 +24978,20 @@ "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, + { + "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", + "type": "used-by" + }, { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" }, { - "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", + "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { - "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", + "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { 
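@@ -23606,6 +25142,33 @@
 "uuid": "93f8c180-6794-4e9c-b716-6b31f42eb72d",
 "value": "Spark"
 },
+ {
+ "description": "SparrowDoor is a backdoor malware developed and used by the FamousSparrow (AKA GhostEmperor and Salt Typhoon) China-linked cyberespionage group.[[ESET FamousSparrow September 23 2021](/references/f91d6d8e-22a4-4851-9444-7a066e6b7aa5)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3406",
+ "source": "Tidal Cyber",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "753c7cd1-ca9f-4632-bbd2-fd55b9e70b10",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "5dd68837-4c22-4677-88f5-cd4d2f444631",
+ "value": "SparrowDoor"
+ },
 {
 "description": "[SpeakUp](https://app.tidalcyber.com/software/b9b67878-4eb1-4a0b-9b36-a798881ed566) is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. [[CheckPoint SpeakUp Feb 2019](https://app.tidalcyber.com/references/8f0d6a8d-6bd4-4df5-aa28-70e1ec4b0b12)]",
 "meta": {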
@@ -23704,6 +25267,30 @@ "uuid": "cdbebd0a-3036-4a24-b1d5-a3f0ca9c758e", "value": "Sphynx" }, + { + "description": "[Spica](https://app.tidalcyber.com/software/8a85fe96-fd08-55d1-ac4c-52d545b43bd1) is a custom backdoor written in Rust that has been used by [Star Blizzard](https://app.tidalcyber.com/groups/649642a4-0659-5e10-ae19-1282f73a1785) since at least 2023.[[Google TAG COLDRIVER January 2024](https://app.tidalcyber.com/references/cff26ad8-b8dc-557d-9751-530f7ebfaa02)] ", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1140", + "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "649642a4-0659-5e10-ae19-1282f73a1785", + "type": "used-by" + } + ], + "uuid": "8a85fe96-fd08-55d1-ac4c-52d545b43bd1", + "value": "Spica" + }, { "description": "[SpicyOmelette](https://app.tidalcyber.com/software/2be9e22d-0af8-46f5-b30e-b3712ccf716d) is a JavaScript based remote access tool that has been used by [Cobalt Group](https://app.tidalcyber.com/groups/58db02e6-d908-47c2-bc82-ed58ada61331) since at least 2018.[[Secureworks GOLD KINGSWOOD September 2018](https://app.tidalcyber.com/references/cda529b2-e152-4ff0-a6b3-d0305b09fef9)]", "meta": { @@ -23760,11 +25347,11 @@ }, "related": [ { - "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", + "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { - "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", + "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { @@ -23813,6 +25400,10 @@ { "dest-uuid": "3b8a2c50-5d8e-49b4-bd50-10ae66ca6c72", "type": "used-by" + }, + { + "dest-uuid": "33a5fa48-89ee-5c0b-9c9c-e0ee69032fca", + "type": "used-by" } ], "uuid": "9a20c7f3-4e17-4a79-994a-c577afef5c72", 
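Review bot: The new Spica description string ends with a trailing space after the closing reference bracket (`January 2024)] "`), which will be carried into every consumer of this cluster; the other MITRE-sourced entries added in this diff end at the bracket. If the text is imported verbatim from upstream this is an upstream quirk, but stripping trailing whitespace on import would keep descriptions comparable across entries.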
@@ -24513,6 +26104,37 @@
 "uuid": "f2928533-34e1-4599-a3ec-c8b4ef9d81b4",
 "value": "SyncAppvPublishingServer"
 },
+ {
+ "description": "Syncro is a legitimate administration tool that adversaries such as Luna Moth and Royal ransomware actors have abused for remote control of victim systems.[[Sygnia Luna Moth July 1 2022](/references/115590b2-ab57-432c-900e-000627464a11)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "macOS",
+ "Windows"
+ ],
+ "software_attack_id": "S3397",
+ "source": "Tidal Cyber",
+ "tags": [
+ "e727eaa6-ef41-4965-b93a-8ad0c51d0236",
+ "e1af18e3-3224-4e4c-9d0f-533768474508"
+ ],
+ "type": [
+ "tool"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "dbaf96a0-fe83-4ff1-bb16-ca357fad7f7f",
+ "value": "Syncro"
+ },
 {
 "description": "[SYNful Knock](https://app.tidalcyber.com/software/69ab291d-5066-4e47-9862-1f5c7bac7200) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.[[Mandiant - Synful Knock](https://app.tidalcyber.com/references/1f6eaa98-9184-4341-8634-5512a9c632dd)][[Cisco Synful Knock Evolution](https://app.tidalcyber.com/references/29301297-8343-4f75-8096-7fe229812f75)]",
 "meta": {
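Review bot: The Syncro description states that Royal ransomware actors abused the tool, and `related` carries a second used-by relation (`86b97a39-49c3-431e-bcc8-f4e13dbfcdf5`), but the only cited reference is the Sygnia Luna Moth report, which leaves the Royal attribution without a traceable source. Either add the reference that documents Royal's use of Syncro to the description's citation list, or trim both the sentence and the second relation to what the Luna Moth report supports. The Zoho Assist entry later in this diff is a good model: it cites one reference per attributed actor.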
@@ -24613,20 +26235,20 @@ ] }, "related": [ - { - "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", - "type": "used-by" - }, - { - "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", - "type": "used-by" - }, { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" }, { - "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, + { + "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7", + "type": "used-by" + }, + { + "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, { @@ -24634,7 +26256,15 @@ "type": "used-by" }, { - "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", + "dest-uuid": "e1e72810-4661-54c7-b05e-859128fb327d", + "type": "used-by" + }, + { + "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", + "type": "used-by" + }, + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", "type": "used-by" } ], @@ -24661,15 +26291,7 @@ }, "related": [ { - "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", - "type": "used-by" - }, - { - "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", - "type": "used-by" - }, - { - "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { 
@@ -24677,25 +26299,33 @@ "type": "used-by" }, { - "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", - "type": "used-by" - }, - { - "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", - "type": "used-by" - }, - { - "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", "type": "used-by" }, + { + "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", + "type": "used-by" + }, { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + }, + { + "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", + "type": "used-by" + }, + { + "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "type": "used-by" + }, { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" @@ -24768,11 +26398,11 @@ }, "related": [ { - "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", + "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { - "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", + "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" } ], @@ -24950,14 +26580,6 @@ ] }, "related": [ - { - "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", - "type": "used-by" - }, - { - "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", - "type": "used-by" - }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" @@ -24967,11 +26589,11 @@ "type": "used-by" }, { - "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", + "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { - "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { 
@@ -24997,6 +26619,14 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" + }, + { + "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", + "type": "used-by" + }, + { + "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", + "type": "used-by" } ], "uuid": "abae8f19-9497-4a71-82b6-ae6edd26ad98", @@ -25064,11 +26694,11 @@ }, "related": [ { - "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { - "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", "type": "used-by" } ], @@ -25148,6 +26778,7 @@ "software_attack_id": "S3048", "source": "Tidal Cyber", "tags": [ + "224f0291-af3d-47e5-a259-4bfcb642645a", "e1af18e3-3224-4e4c-9d0f-533768474508", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "af5e9be5-b86e-47af-91dd-966a5e34a186", @@ -25166,11 +26797,11 @@ }, "related": [ { - "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", + "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866", "type": "used-by" }, { - "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866", + "dest-uuid": "4bdc62c9-af6a-4377-8431-58a6f39235dd", "type": "used-by" }, { @@ -25181,6 +26812,10 @@ "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, + { + "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", + "type": "used-by" + }, { "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" @@ -25200,10 +26835,6 @@ { "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de", "type": "used-by" - }, - { - "dest-uuid": "4bdc62c9-af6a-4377-8431-58a6f39235dd", - "type": "used-by" } ], "uuid": "6b5f6eb4-4cdd-4383-8623-d1f7de486865", @@ -25447,6 +27078,7 @@ "software_attack_id": "S3054", "source": "Tidal Cyber", "tags": [ + "cb35f72d-c98a-4018-ba66-8750533bc8fa", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "e1af18e3-3224-4e4c-9d0f-533768474508", 
@@ -25587,20 +27219,20 @@ "dest-uuid": "42a7c134-c574-430b-8105-bf7a00e742ae", "type": "used-by" }, - { - "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf", - "type": "used-by" - }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { - "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", + "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { - "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", + "dest-uuid": "8957f42d-a069-542b-bce6-3059a2fa0f2e", + "type": "used-by" + }, + { + "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf", "type": "used-by" }, { @@ -25610,6 +27242,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", + "type": "used-by" } ], "uuid": "8c70d85b-b06d-423c-8bab-ecff18f332d6", @@ -25693,6 +27329,10 @@ ] }, "related": [ + { + "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", + "type": "used-by" + }, { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" @@ -25700,10 +27340,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", - "type": "used-by" } ], "uuid": "c2bd4213-fc7b-474f-b5a0-28145b07c51d", @@ -25768,6 +27404,10 @@ ] }, "related": [ + { + "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", + "type": "used-by" + }, { "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", "type": "used-by" @@ -25775,10 +27415,6 @@ { "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf", "type": "used-by" - }, - { - "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", - "type": "used-by" } ], "uuid": "669f8b7a-2404-47ab-843d-e63431faafec", 
@@ -26209,6 +27845,14 @@ "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" }, + { + "dest-uuid": "e1e72810-4661-54c7-b05e-859128fb327d", + "type": "used-by" + }, + { + "dest-uuid": "ac3426c4-6d7e-4e99-9546-266fb7fd8c44", + "type": "used-by" + }, { "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "type": "used-by" 
@@ -26486,6 +28130,30 @@ "uuid": "afa4023f-aa2e-45d6-bb3c-38e61f876eac", "value": "VERMIN" }, + { + "description": "[VersaMem](https://app.tidalcyber.com/software/ea857bb3-408e-566f-a693-96d9dc4f3c90) is a web shell designed for deployment to Versa Director servers following exploitation. Discovered in August 2024, [VersaMem](https://app.tidalcyber.com/software/ea857bb3-408e-566f-a693-96d9dc4f3c90) was used during [Versa Director Zero Day Exploitation](https://app.tidalcyber.com/campaigns/e28a09b7-885f-5556-b56e-7ad3e0581ac0) by [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) to target ISPs and MSPs. [VersaMem](https://app.tidalcyber.com/software/ea857bb3-408e-566f-a693-96d9dc4f3c90) is deployed as a Java Archive (JAR) and allows for credential capture for Versa Director logon activity as well as follow-on execution of arbitrary Java payloads.[[Lumen Versa 2024](https://app.tidalcyber.com/references/1d7f40f7-76e6-5ba2-8561-17f3646cf407)]", + "meta": { + "platforms": [ + "Network" + ], + "software_attack_id": "S1154", + "source": "MITRE", + "tags": [ + "311abf64-a9cc-4c6a-b778-32c5df5658be" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "type": "used-by" + } + ], + "uuid": "ea857bb3-408e-566f-a693-96d9dc4f3c90", + "value": "VersaMem" + }, { "description": "Vidar Stealer is one of the most heavily used information & credential stealers (\"infostealers\") in recent years. While many of today's most popular infostealers were developed relatively recently, Vidar is more established, having been released in 2018. 
Its developers continue to add new capabilities, however, for example to improve the malware's stealth.[[Minerva Labs Vidar Stealer Evasion](/references/ce9714d3-7f7c-4068-bcc8-0f0eeaf0dc0b)]\n\nMore details on the shifting infostealer landscape, the rising threat posed by infostealers to large and small organizations, and defending against top infostealer TTPs can be found in the Tidal Cyber blog series: Part 1 (https://www.tidalcyber.com/blog/big-game-stealing-part-1-the-infostealer-landscape-rising-infostealer-threats-to-businesses-w), Part 2 (https://www.tidalcyber.com/blog/big-game-stealing-part-2-defenses-for-top-infostealer-techniques).", "meta": { 
@@ -26582,6 +28250,32 @@ "uuid": "7fcfba45-5752-4f0c-8023-db67729ae34e", "value": "Volgmer" }, + { + "description": "[VPNFilter](https://app.tidalcyber.com/software/b2ea039c-3cd4-54f4-a46f-9ee79fe6350b) is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. [VPNFilter](https://app.tidalcyber.com/software/b2ea039c-3cd4-54f4-a46f-9ee79fe6350b) modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols. [[William Largent June 2018](https://app.tidalcyber.com/references/ccc34a5f-e17d-5b4c-84cf-ccff3ff9d845)] [[Carl Hurd March 2019](https://app.tidalcyber.com/references/8a4e28f9-b0ba-56ad-a957-b5913bf9a7d5)] [VPNFilter](https://app.tidalcyber.com/software/b2ea039c-3cd4-54f4-a46f-9ee79fe6350b) was assessed to be replaced by [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) with [Cyclops Blink](https://app.tidalcyber.com/software/68792756-7dbf-41fd-8d48-ac3cc2b52712) starting in 2019.[[NCSC CISA Cyclops Blink Advisory February 2022](https://app.tidalcyber.com/references/bee6cf85-5cb9-4000-b82e-9e15aebfbece)]", + "meta": { + "platforms": [ + "Network", + "Linux" + ], + "software_attack_id": "S1010", + "source": "MITRE", + "tags": [ + "2e621fc5-dea4-4cb9-987e-305845986cd3", + "4d767e87-4cf6-438a-927a-43d2d0beaab7" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", + "type": "used-by" + } + ], + "uuid": "b2ea039c-3cd4-54f4-a46f-9ee79fe6350b", + "value": "VPNFilter" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License 
v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Command-line tool used for performing diagnostics.\n\n**Author:** Bobby Cooke\n\n**Paths:**\n* C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Team Tools\\DiagnosticsHub\\Collector\\VSDiagnostics.exe\n\n**Resources:**\n* [https://twitter.com/0xBoku/status/1679200664013135872](https://twitter.com/0xBoku/status/1679200664013135872)\n\n**Detection:**\n* Sigma: [https://github.com/tsale/Sigma_rules/blob/d5b4a09418edfeeb3a2d654f556d5bca82003cd7/LOL_BINs/VSDiagnostics_LoLBin.yml](https://github.com/tsale/Sigma_rules/blob/d5b4a09418edfeeb3a2d654f556d5bca82003cd7/LOL_BINs/VSDiagnostics_LoLBin.yml)[[VSDiagnostics.exe - LOLBAS Project](/references/b4658fc0-af16-45b1-8403-a9676760a36a)]",
 "meta": {
@@ -26709,6 +28403,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3",
 "type": "used-by"
@@ -26824,14 +28522,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "d0f29889-7a9c-44d8-abdc-480b371f7b2b",
- "type": "used-by"
- },
- {
- "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
- "type": "used-by"
- },
 {
 "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
 "type": "used-by"
@@ -26839,6 +28529,14 @@
 {
 "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "d0f29889-7a9c-44d8-abdc-480b371f7b2b",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
+ "type": "used-by"
 }
 ],
 "uuid": "cfebe868-15cb-4be5-b7ed-38b52f2a0722",
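Review bot: After the last hunk here the `related` array of object `cfebe868-15cb-4be5-b7ed-38b52f2a0722` lists `3d77fb6c-cfb4-5563-b0be-7aa1ad535337` twice: once as the context entry kept by the preceding hunk (`@@ -26824,14 +28522,6 @@`) and again in the block re-added in this hunk. The duplicate already existed on the old side, but since the commit is rewriting the array order anyway it is the natural place to deduplicate; dropping the re-added `3d77fb6c` entry is enough. Downstream loaders that build a lookup keyed by dest-uuid may otherwise count this group twice or trip a uniqueness check.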
@@ -26987,29 +28685,37 @@ ] }, "related": [ - { - "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", - "type": "used-by" - }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, - { - "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", - "type": "used-by" - }, - { - "dest-uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05", - "type": "used-by" - }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, + { + "dest-uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05", + "type": "used-by" + }, { "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", "type": "used-by" + }, + { + "dest-uuid": "b8a349a6-cde1-4d95-b20f-44c62bbfc786", + "type": "used-by" + }, + { + "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", + "type": "used-by" + }, + { + "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", + "type": "used-by" + }, + { + "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7", + "type": "used-by" } ], "uuid": "2bcbcea6-192a-4501-aab1-1edde53875fa", 
@@ -27068,6 +28774,28 @@
 "uuid": "791f0afd-c2c4-4e23-8aee-1d14462667f5",
 "value": "WhisperGate"
 },
+ {
+ "description": "Meduza is an information stealer written in .NET that was first advertised on hacking forums in February 2022.[[WhiteSnake Stealer RussianPanda July 4 2023](/references/e7b4651b-804a-47b7-bd74-341ac0e8a7a9)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3402",
+ "source": "Tidal Cyber",
+ "tags": [
+ "4d767e87-4cf6-438a-927a-43d2d0beaab7",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "b036dde2-1f6a-403b-8c32-73119fbd9d37",
+ "value": "WhiteSnake"
+ },
 {
 "description": "[Wiarp](https://app.tidalcyber.com/software/7b393608-c141-48af-ae3d-3eff13c3e01c) is a trojan used by [Elderwood](https://app.tidalcyber.com/groups/51146bb6-7478-44a3-8f08-19adcdceffca) to open a backdoor on compromised hosts. [[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)] [[Symantec Wiarp May 2012](https://app.tidalcyber.com/references/78285833-4b0d-4077-86d2-f34b010a5862)]",
 "meta": {
@@ -27113,25 +28841,25 @@
 "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1",
 "type": "used-by"
 },
- {
- "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
- "type": "used-by"
- },
 {
 "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
 "type": "used-by"
 },
- {
- "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83",
- "type": "used-by"
- },
 {
 "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
+ "type": "used-by"
 }
 ],
 "uuid": "7c2c44d7-b307-4e13-b181-52352975a6f5",
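Review bot: The new object's `value` is `WhiteSnake` and its only reference is the RussianPanda WhiteSnake Stealer write-up, but the `description` opens with `Meduza is an information stealer written in .NET that was first advertised on hacking forums in February 2022`, which names a different stealer family. The description should name the object it describes, e.g. `WhiteSnake is an information stealer written in .NET that was first advertised on hacking forums in February 2022.` — assuming the February 2022 date is what the cited reference says about WhiteSnake rather than Meduza. The empty `related` list is fine, but the mismatched name would mislead anyone searching the galaxy by description text.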
@@ -27204,6 +28932,10 @@ ] }, "related": [ + { + "dest-uuid": "d428f9be-6faf-4d57-b677-4a927fea5f7e", + "type": "used-by" + }, { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" @@ -27211,10 +28943,6 @@ { "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", "type": "used-by" - }, - { - "dest-uuid": "d428f9be-6faf-4d57-b677-4a927fea5f7e", - "type": "used-by" } ], "uuid": "65d5b524-0e84-417d-9884-e2c501abfacd", @@ -27297,6 +29025,10 @@ ] }, "related": [ + { + "dest-uuid": "b8a349a6-cde1-4d95-b20f-44c62bbfc786", + "type": "used-by" + }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" @@ -27322,6 +29054,10 @@ ] }, "related": [ + { + "dest-uuid": "b8a349a6-cde1-4d95-b20f-44c62bbfc786", + "type": "used-by" + }, { "dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b", "type": "used-by" @@ -27363,16 +29099,24 @@ "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, + { + "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", + "type": "used-by" + }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { - "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", + "dest-uuid": "753c7cd1-ca9f-4632-bbd2-fd55b9e70b10", "type": "used-by" }, { - "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", + "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7", + "type": "used-by" + }, + { + "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" } ], @@ -27441,7 +29185,7 @@ "type": "used-by" }, { - "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, { @@ -27453,7 +29197,7 @@ "type": "used-by" }, { - "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", + "dest-uuid": "60f686d0-ae3d-5662-af32-119217dee2a7", "type": "used-by" }, { 
@@ -27464,12 +29208,16 @@ "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" }, + { + "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", + "type": "used-by" + }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, { - "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", "type": "used-by" }, { @@ -27623,6 +29371,10 @@ "dest-uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05", "type": "used-by" }, + { + "dest-uuid": "8957f42d-a069-542b-bce6-3059a2fa0f2e", + "type": "used-by" + }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" @@ -27631,6 +29383,10 @@ "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" }, + { + "dest-uuid": "2cc28cf9-d030-4609-acdc-0b0429580bb4", + "type": "used-by" + }, { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" @@ -27916,11 +29672,11 @@ }, "related": [ { - "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { - "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" } ], @@ -27974,7 +29730,11 @@ "meta": { "owner": "TidalCyberIan", "platforms": [ - "Windows" + "IaaS", + "Linux", + "Windows", + "macOS", + "Containers" ], "software_attack_id": "S3089", "source": "Tidal Cyber", @@ -28138,6 +29898,10 @@ { "dest-uuid": "3b8a2c50-5d8e-49b4-bd50-10ae66ca6c72", "type": "used-by" + }, + { + "dest-uuid": "33a5fa48-89ee-5c0b-9c9c-e0ee69032fca", + "type": "used-by" } ], "uuid": "2992159c-d71c-48cf-8302-020f90332390", 
@@ -28228,6 +29992,30 @@ "uuid": "2f52b513-5293-4833-9c4d-b120e7a84341", "value": "Zeroaccess" }, + { + "description": "[ZeroCleare](https://app.tidalcyber.com/software/ba5668b0-18fe-513f-b3a7-93e16243d185) is a wiper malware that has been used in conjunction with the [RawDisk](https://app.tidalcyber.com/software/d86a562d-d235-4481-9a3f-273fa3ebe89a) driver since at least 2019 by suspected Iran-nexus threat actors including activity targeting the energy and industrial sectors in the Middle East and political targets in Albania.[[Microsoft Albanian Government Attacks September 2022](https://app.tidalcyber.com/references/d00399e9-a6c6-5691-92cd-0185b03b689e)][[CISA Iran Albanian Attacks September 2022](https://app.tidalcyber.com/references/c5d37bde-52bc-525a-b25a-e097f77a924a)][[Mandiant ROADSWEEP August 2022](https://app.tidalcyber.com/references/0d81ec58-2e12-5824-aa53-feb0d2260f30)][[IBM ZeroCleare Wiper December 2019](https://app.tidalcyber.com/references/26ba5292-265d-5db4-a571-215c984fe095)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1151", + "source": "MITRE", + "tags": [ + "2e621fc5-dea4-4cb9-987e-305845986cd3" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "ba5668b0-18fe-513f-b3a7-93e16243d185", + "value": "ZeroCleare" + }, { "description": "[ZeroT](https://app.tidalcyber.com/software/f51df90e-ea1b-4eeb-9aff-ec5abf4a5dfd) is a Trojan used by [TA459](https://app.tidalcyber.com/groups/e343c1f1-458c-467b-bc4a-c1b97b2127e3), often in conjunction with [PlugX](https://app.tidalcyber.com/software/070b56f4-7810-4dad-b85f-bdfce9c08c10). [[Proofpoint TA459 April 2017](https://app.tidalcyber.com/references/dabad6df-1e31-4c16-9217-e079f2493b02)] [[Proofpoint ZeroT Feb 2017](https://app.tidalcyber.com/references/63787035-f136-43e1-b445-22853bbed92b)]", "meta": { 
@@ -28353,6 +30141,43 @@ "uuid": "a106fb66-bd68-40cc-9374-8b59234a0cec", "value": "Zloader" }, + { + "description": "Zoho Assist is a legitimate administration tool that multiple prominent adversaries have abused to carry out remote activity on victim systems.[[Sygnia Luna Moth July 1 2022](/references/115590b2-ab57-432c-900e-000627464a11)][[U.S. CISA LockBit Citrix Bleed November 21 2023](/references/21f56e0c-9605-4fbb-9cb1-f868ba6eb053)][[Unit 42 9 15 2023](/references/5e9842ae-180f-4645-a5f5-5ddfb8b2d810)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "macOS", + "Linux", + "Windows" + ], + "software_attack_id": "S3396", + "source": "Tidal Cyber", + "tags": [ + "9c8319bf-0a97-4cea-a7be-6b8432cc35a1", + "e727eaa6-ef41-4965-b93a-8ad0c51d0236", + "e1af18e3-3224-4e4c-9d0f-533768474508" + ], + "type": [ + "tool" + ] + }, + "related": [ + { + "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", + "type": "used-by" + }, + { + "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", + "type": "used-by" + }, + { + "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", + "type": "used-by" + } + ], + "uuid": "195b0821-a81f-43c5-b9cb-05e9ee0dd5ac", + "value": "Zoho Assist" + }, { "description": "[Zox](https://app.tidalcyber.com/software/75dd9acb-fcff-4b0b-b45b-f943fb589d78) is a remote access tool that has been used by [Axiom](https://app.tidalcyber.com/groups/90f4d3f9-3fe3-4a64-8dc1-172c6d037dca) since at least 2008.[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)]", "meta": { 
@@ -28409,21 +30234,21 @@ ] }, "related": [ - { - "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", - "type": "used-by" - }, - { - "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", - "type": "used-by" - }, { "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec", "type": "used-by" }, + { + "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", + "type": "used-by" + }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" + }, + { + "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", + "type": "used-by" } ], "uuid": "eea89ff2-036d-4fa6-bbed-f89502c62318", diff --git a/clusters/tidal-tactic.json b/clusters/tidal-tactic.json index 55b3070..cd97ae8 100644 --- a/clusters/tidal-tactic.json +++ b/clusters/tidal-tactic.json @@ -137,10 +137,6 @@ "dest-uuid": "f2d216e3-43d6-4a2e-aa5b-d6be78d018b6", "type": "uses" }, - { - "dest-uuid": "40e4133b-28c2-4da7-9a6a-7392ae87f1da", - "type": "uses" - }, { "dest-uuid": "8af6a9ee-c323-44fa-85d3-29366fd1bb4f", "type": "uses" @@ -189,6 +185,10 @@ "dest-uuid": "7f953df5-c91f-4975-a579-2be3c89bca7e", "type": "uses" }, + { + "dest-uuid": "40e4133b-28c2-4da7-9a6a-7392ae87f1da", + "type": "uses" + }, { "dest-uuid": "113b8750-d166-5cac-bd26-2c82c90b9d88", "type": "uses" 
@@ -205,42 +205,6 @@ "tactic_attack_id": "TA0042" }, "related": [ - { - "dest-uuid": "66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3", - "type": "uses" - }, - { - "dest-uuid": "c30faf84-496b-4f27-a4bc-aa36d583c69f", - "type": "uses" - }, - { - "dest-uuid": "4c0db4e5-14e0-4fb7-88b0-bb391ce5ad58", - "type": "uses" - }, - { - "dest-uuid": "bae33d7b-c835-4eda-b310-bf426270c0b1", - "type": "uses" - }, - { - "dest-uuid": "5bcbb0c5-7061-481f-a677-09028a6c59f7", - "type": "uses" - }, - { - "dest-uuid": "0f77a14a-d450-4885-b81f-23eeffa53a7e", - "type": "uses" - }, - { - "dest-uuid": "3426077d-3b9c-4f77-a1c6-d68f0dea670e", - "type": "uses" - }, - { - "dest-uuid": "fe96475a-3090-449d-91fd-ae73cb4d9c7c", - "type": "uses" - }, - { - "dest-uuid": "be637d66-5110-4872-bc15-63b062c3f290", - "type": "uses" - }, { "dest-uuid": "f2661f07-9027-4d19-9028-d07b7511f3d5", "type": "uses" @@ -378,11 +342,39 @@ "type": "uses" }, { - "dest-uuid": "60ac24aa-ce63-5c1d-8126-db20a27d85be", + "dest-uuid": "66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3", "type": "uses" }, { - "dest-uuid": "478da817-1914-50f6-b1fd-434081a34354", + "dest-uuid": "c30faf84-496b-4f27-a4bc-aa36d583c69f", + "type": "uses" + }, + { + "dest-uuid": "4c0db4e5-14e0-4fb7-88b0-bb391ce5ad58", + "type": "uses" + }, + { + "dest-uuid": "bae33d7b-c835-4eda-b310-bf426270c0b1", + "type": "uses" + }, + { + "dest-uuid": "5bcbb0c5-7061-481f-a677-09028a6c59f7", + "type": "uses" + }, + { + "dest-uuid": "0f77a14a-d450-4885-b81f-23eeffa53a7e", + "type": "uses" + }, + { + "dest-uuid": "3426077d-3b9c-4f77-a1c6-d68f0dea670e", + "type": "uses" + }, + { + "dest-uuid": "fe96475a-3090-449d-91fd-ae73cb4d9c7c", + "type": "uses" + }, + { + "dest-uuid": "be637d66-5110-4872-bc15-63b062c3f290", "type": "uses" }, { 
@@ -392,6 +384,14 @@ { "dest-uuid": "f57c8d43-ca88-5351-9828-36b1937daf0e", "type": "uses" + }, + { + "dest-uuid": "60ac24aa-ce63-5c1d-8126-db20a27d85be", + "type": "uses" + }, + { + "dest-uuid": "478da817-1914-50f6-b1fd-434081a34354", + "type": "uses" } ], "uuid": "989d09c2-12b8-4419-9b34-a328cf295fff", @@ -457,10 +457,6 @@ "dest-uuid": "9953faea-d25d-4e6e-a132-8993535c5c14", "type": "uses" }, - { - "dest-uuid": "74b99029-3f0a-4cc8-90d6-5a6b177c06eb", - "type": "uses" - }, { "dest-uuid": "4557bfb9-b940-49b6-b8be-571979134419", "type": "uses" @@ -481,6 +477,10 @@ "dest-uuid": "d2a19fd8-ff9c-4f9e-9e84-ed3ea12c4b7c", "type": "uses" }, + { + "dest-uuid": "74b99029-3f0a-4cc8-90d6-5a6b177c06eb", + "type": "uses" + }, { "dest-uuid": "3f95e4f2-cd4a-502c-a12a-becb8d28440c", "type": "uses" @@ -629,12 +629,16 @@ "dest-uuid": "46f60fff-71a1-4cfd-b639-71a0ac903bbb", "type": "uses" }, + { + "dest-uuid": "6051e618-c476-41db-8b0b-0aef9d2bbbf7", + "type": "uses" + }, { "dest-uuid": "68427c7d-f65a-4545-abfd-13d69e5e50cf", "type": "uses" }, { - "dest-uuid": "6051e618-c476-41db-8b0b-0aef9d2bbbf7", + "dest-uuid": "88358f1a-07b2-5d95-8ee5-4b22b7cebe5b", "type": "uses" }, { @@ -809,10 +813,6 @@ "dest-uuid": "b0a1ef13-0c54-47e8-a220-7543ba41a327", "type": "uses" }, - { - "dest-uuid": "eff618a9-6498-4b01-bca1-cd5f3784fc27", - "type": "uses" - }, { "dest-uuid": "0df21d65-c885-415a-8f91-477ae1b37839", "type": "uses" @@ -917,6 +917,10 @@ "dest-uuid": "bd569ff9-c038-48c0-83d0-f5c784b439bc", "type": "uses" }, + { + "dest-uuid": "eff618a9-6498-4b01-bca1-cd5f3784fc27", + "type": "uses" + }, { "dest-uuid": "0ca28cc0-89d0-4680-baef-94d7202c6a9b", "type": "uses" @@ -1069,10 +1073,6 @@ "dest-uuid": "62c22cc4-5643-4679-a6ae-9f6a3147d2fe", "type": "uses" }, - { - "dest-uuid": "bce86020-2851-4b01-97a9-e51a6b23ea68", - "type": "uses" - }, { "dest-uuid": "3c4a2f3a-5877-4a27-a417-76318523657e", "type": "uses" 
@@ -1109,18 +1109,22 @@ "dest-uuid": "110c385f-9f27-4fd6-837c-6261294073ab", "type": "uses" }, + { + "dest-uuid": "bce86020-2851-4b01-97a9-e51a6b23ea68", + "type": "uses" + }, + { + "dest-uuid": "25a957d5-0c89-52a1-b446-bf993e17631c", + "type": "uses" + }, + { + "dest-uuid": "6823f994-6b4e-5170-ba2b-bd4bc6f0c452", + "type": "uses" + }, { "dest-uuid": "f1329084-6e9c-5933-83cd-56c1bf8439e3", "type": "uses" }, - { - "dest-uuid": "1169afd3-d80d-5942-b16f-8dc1812ef6bb", - "type": "uses" - }, - { - "dest-uuid": "0719ea2b-d630-5ada-9b04-c3136ff530ae", - "type": "uses" - }, { "dest-uuid": "3d6727cd-d297-51e9-a6a2-8718284bf8e5", "type": "uses" @@ -1132,6 +1136,14 @@ { "dest-uuid": "2fa370dd-42be-5c10-85e8-294624c8a778", "type": "uses" + }, + { + "dest-uuid": "1169afd3-d80d-5942-b16f-8dc1812ef6bb", + "type": "uses" + }, + { + "dest-uuid": "0719ea2b-d630-5ada-9b04-c3136ff530ae", + "type": "uses" } ], "uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393", @@ -1365,10 +1377,6 @@ "dest-uuid": "0ca28cc0-89d0-4680-baef-94d7202c6a9b", "type": "uses" }, - { - "dest-uuid": "74e2b24b-3bf7-4361-bc07-983bffe674f7", - "type": "uses" - }, { "dest-uuid": "68ffdbed-08d8-46a2-a833-984bbf0d9b4a", "type": "uses" @@ -1465,6 +1473,10 @@ "dest-uuid": "7aae1ad0-fb1f-484a-a176-c94e4c7ada77", "type": "uses" }, + { + "dest-uuid": "74e2b24b-3bf7-4361-bc07-983bffe674f7", + "type": "uses" + }, { "dest-uuid": "45f107b6-ae8e-49d7-a3fc-ea6437fbac76", "type": "uses" @@ -1529,6 +1541,22 @@ "dest-uuid": "110c385f-9f27-4fd6-837c-6261294073ab", "type": "uses" }, + { + "dest-uuid": "25a957d5-0c89-52a1-b446-bf993e17631c", + "type": "uses" + }, + { + "dest-uuid": "3d6727cd-d297-51e9-a6a2-8718284bf8e5", + "type": "uses" + }, + { + "dest-uuid": "b9490b5f-645c-54a6-bf50-ad63540e6a07", + "type": "uses" + }, + { + "dest-uuid": "769d2e67-5430-5fdd-9a07-d1b227110ec0", + "type": "uses" + }, { "dest-uuid": "71867386-ddc2-4cdb-a0c9-7c27172c23c1", "type": "uses" 
@@ -1560,18 +1588,6 @@ { "dest-uuid": "15660958-1f4f-4136-8cda-82123fd38232", "type": "uses" - }, - { - "dest-uuid": "3d6727cd-d297-51e9-a6a2-8718284bf8e5", - "type": "uses" - }, - { - "dest-uuid": "b9490b5f-645c-54a6-bf50-ad63540e6a07", - "type": "uses" - }, - { - "dest-uuid": "769d2e67-5430-5fdd-9a07-d1b227110ec0", - "type": "uses" } ], "uuid": "b17dde68-dbcf-4cfd-9bb8-be014ec65c37", @@ -1597,10 +1613,6 @@ "dest-uuid": "5652575d-cdb9-44ef-9c32-fff038f15444", "type": "uses" }, - { - "dest-uuid": "81564f1d-9c72-4d03-8561-b0d255f76c5f", - "type": "uses" - }, { "dest-uuid": "852748c2-280b-41e8-ba87-d97ec9fade70", "type": "uses" @@ -1693,6 +1705,10 @@ "dest-uuid": "026c9281-07f1-4358-96d3-151fed76b1fe", "type": "uses" }, + { + "dest-uuid": "81564f1d-9c72-4d03-8561-b0d255f76c5f", + "type": "uses" + }, { "dest-uuid": "2f32c30e-b79a-497a-b05f-ab8bd93aa689", "type": "uses" @@ -1857,10 +1873,6 @@ "dest-uuid": "6c55cf9c-0259-4ba0-9574-e90f6c88e6fd", "type": "uses" }, - { - "dest-uuid": "b0d884c3-cf87-4610-992d-4ec54c667759", - "type": "uses" - }, { "dest-uuid": "fc34e661-55c3-47be-a368-c2f5776cdd17", "type": "uses" @@ -1949,6 +1961,14 @@ "dest-uuid": "49749e13-48ed-49fc-82d1-13ae13b457c1", "type": "uses" }, + { + "dest-uuid": "fbc49122-feae-52bf-9b96-93594cb5a01d", + "type": "uses" + }, + { + "dest-uuid": "b0d884c3-cf87-4610-992d-4ec54c667759", + "type": "uses" + }, { "dest-uuid": "2afcdcd1-ce55-4837-a84d-8279bc10f948", "type": "uses" @@ -2117,10 +2137,6 @@ "dest-uuid": "3a956db0-a3f0-442a-a981-db2ee20d60b2", "type": "uses" }, - { - "dest-uuid": "bd52a415-2b7a-4048-84bf-b20f385b357e", - "type": "uses" - }, { "dest-uuid": "1e3d9e0a-6744-44e4-836d-1db38a4cc99c", "type": "uses" 
@@ -2205,6 +2221,18 @@ "dest-uuid": "33486e3e-1104-42d0-8053-34c8c9c4d10f", "type": "uses" }, + { + "dest-uuid": "81070f84-0835-5fdf-bcbb-4e16252dc2f0", + "type": "uses" + }, + { + "dest-uuid": "67a83337-b17a-5413-a506-d84306cc0dfb", + "type": "uses" + }, + { + "dest-uuid": "bd52a415-2b7a-4048-84bf-b20f385b357e", + "type": "uses" + }, { "dest-uuid": "7851bfe7-f149-47f5-9970-66d7cc4fdbe6", "type": "uses" @@ -2301,6 +2329,18 @@ "dest-uuid": "110c385f-9f27-4fd6-837c-6261294073ab", "type": "uses" }, + { + "dest-uuid": "967b85c4-cfa7-520c-819b-4f7e36562589", + "type": "uses" + }, + { + "dest-uuid": "d9ee3cf6-5852-5896-851d-28f751f5bf3c", + "type": "uses" + }, + { + "dest-uuid": "3fee577e-dad0-53a5-9d58-6049cb5a70e5", + "type": "uses" + }, { "dest-uuid": "c41cb2d3-ff4c-5ee7-99b9-8a3d7987c9bf", "type": "uses" @@ -2321,30 +2361,6 @@ "dest-uuid": "d8406198-626c-5659-945e-2b5105fcd0c9", "type": "uses" }, - { - "dest-uuid": "ed511983-98ef-572f-b5fc-0687f48467e0", - "type": "uses" - }, - { - "dest-uuid": "9e55bc80-a187-58f7-a687-d37bbd618db7", - "type": "uses" - }, - { - "dest-uuid": "d9eb2887-840e-5ed7-bb4b-3b210f4147f9", - "type": "uses" - }, - { - "dest-uuid": "448dc009-2d3f-5480-aba3-0d80dc4336cd", - "type": "uses" - }, - { - "dest-uuid": "e2911337-76ed-5834-b621-bb2b9a4205ee", - "type": "uses" - }, - { - "dest-uuid": "20417e43-6ffa-5d36-a2ef-e27cd5a4b8f1", - "type": "uses" - }, { "dest-uuid": "04e8e75c-434e-51e0-9780-580a3823a8cb", "type": "uses" 
@@ -2376,6 +2392,30 @@ { "dest-uuid": "769d2e67-5430-5fdd-9a07-d1b227110ec0", "type": "uses" + }, + { + "dest-uuid": "ed511983-98ef-572f-b5fc-0687f48467e0", + "type": "uses" + }, + { + "dest-uuid": "9e55bc80-a187-58f7-a687-d37bbd618db7", + "type": "uses" + }, + { + "dest-uuid": "d9eb2887-840e-5ed7-bb4b-3b210f4147f9", + "type": "uses" + }, + { + "dest-uuid": "448dc009-2d3f-5480-aba3-0d80dc4336cd", + "type": "uses" + }, + { + "dest-uuid": "e2911337-76ed-5834-b621-bb2b9a4205ee", + "type": "uses" + }, + { + "dest-uuid": "20417e43-6ffa-5d36-a2ef-e27cd5a4b8f1", + "type": "uses" } ], "uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726", @@ -2389,6 +2429,34 @@ "tactic_attack_id": "TA0006" }, "related": [ + { + "dest-uuid": "e63414a7-c6f7-4bcf-a6eb-25b0c4ddbb2a", + "type": "uses" + }, + { + "dest-uuid": "f516ecd7-a6a6-4018-8e58-c007be05bdce", + "type": "uses" + }, + { + "dest-uuid": "28fd13d1-b555-47fa-9d47-caf6b1367ace", + "type": "uses" + }, + { + "dest-uuid": "6f6b88df-039c-4b69-87e0-97dfabbb49d8", + "type": "uses" + }, + { + "dest-uuid": "195aa08b-15fd-4019-b905-8f31bc5e2094", + "type": "uses" + }, + { + "dest-uuid": "d049bae1-29f3-5f7d-ba6a-08b1227d5b72", + "type": "uses" + }, + { + "dest-uuid": "ca544853-bda2-554a-b7c4-c239760e56a2", + "type": "uses" + }, { "dest-uuid": "d98dbf30-c454-42ff-a9f3-2cd3319cc0d9", "type": "uses" 
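Review bot: Two of the seven entries added to the Credential Access (TA0006) `related` list, `d049bae1-29f3-5f7d-ba6a-08b1227d5b72` and `ca544853-bda2-554a-b7c4-c239760e56a2`, are not moved from elsewhere in this diff the way the other five are, and nothing in this change shows the technique objects they point at. A `uses` relation whose `dest-uuid` has no matching technique in tidal-technique.json is a dangling edge that consumers cannot resolve, so before merging it is worth checking that every added `dest-uuid` resolves to a uuid defined in the same galaxy set (for example, extract all `dest-uuid` values with jq and diff them against the technique uuids). `ca544853-…` is also added under Collection further down in this diff, which is fine if the technique genuinely spans both tactics — presumably it does, but that is inferred, not visible here. If these files are regenerated from the Tidal API, the check belongs in the generator rather than as a manual step.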
@@ -2465,46 +2533,6 @@ "dest-uuid": "888e603b-ca97-4671-aa43-a25248fc9fc8", "type": "uses" }, - { - "dest-uuid": "0fef0394-7cf6-4797-8a5e-1cbfd31ee501", - "type": "uses" - }, - { - "dest-uuid": "a0bb264e-8617-4ae6-bafd-f52b36c63d12", - "type": "uses" - }, - { - "dest-uuid": "02ed857b-ba39-4fab-b1d9-3ed2aa689dfd", - "type": "uses" - }, - { - "dest-uuid": "b0a1ef13-0c54-47e8-a220-7543ba41a327", - "type": "uses" - }, - { - "dest-uuid": "b4a1cbaa-85d1-4a65-977f-494f66a141e3", - "type": "uses" - }, - { - "dest-uuid": "52dabfcc-b7a4-4334-9014-ab9d82f5527b", - "type": "uses" - }, - { - "dest-uuid": "e493bf4a-0eba-4e60-a7a6-c699084dc98a", - "type": "uses" - }, - { - "dest-uuid": "b44a263f-76b2-4a1f-baeb-dd285974eca6", - "type": "uses" - }, - { - "dest-uuid": "ab0da102-5a14-42b1-969e-5d3daefdf0c5", - "type": "uses" - }, - { - "dest-uuid": "e63414a7-c6f7-4bcf-a6eb-25b0c4ddbb2a", - "type": "uses" - }, { "dest-uuid": "34674b83-86a7-4ad9-8b05-49b505aa5ef0", "type": "uses" @@ -2618,19 +2646,39 @@ "type": "uses" }, { - "dest-uuid": "f516ecd7-a6a6-4018-8e58-c007be05bdce", + "dest-uuid": "0fef0394-7cf6-4797-8a5e-1cbfd31ee501", "type": "uses" }, { - "dest-uuid": "28fd13d1-b555-47fa-9d47-caf6b1367ace", + "dest-uuid": "a0bb264e-8617-4ae6-bafd-f52b36c63d12", "type": "uses" }, { - "dest-uuid": "6f6b88df-039c-4b69-87e0-97dfabbb49d8", + "dest-uuid": "02ed857b-ba39-4fab-b1d9-3ed2aa689dfd", "type": "uses" }, { - "dest-uuid": "195aa08b-15fd-4019-b905-8f31bc5e2094", + "dest-uuid": "b0a1ef13-0c54-47e8-a220-7543ba41a327", + "type": "uses" + }, + { + "dest-uuid": "b4a1cbaa-85d1-4a65-977f-494f66a141e3", + "type": "uses" + }, + { + "dest-uuid": "52dabfcc-b7a4-4334-9014-ab9d82f5527b", + "type": "uses" + }, + { + "dest-uuid": "e493bf4a-0eba-4e60-a7a6-c699084dc98a", + "type": "uses" + }, + { + "dest-uuid": "b44a263f-76b2-4a1f-baeb-dd285974eca6", + "type": "uses" + }, + { + "dest-uuid": "ab0da102-5a14-42b1-969e-5d3daefdf0c5", "type": "uses" }, { 
@@ -2642,11 +2690,11 @@ "type": "uses" }, { - "dest-uuid": "260571a6-3c08-5419-98c5-3fa1aa8e675d", + "dest-uuid": "2fa370dd-42be-5c10-85e8-294624c8a778", "type": "uses" }, { - "dest-uuid": "2fa370dd-42be-5c10-85e8-294624c8a778", + "dest-uuid": "260571a6-3c08-5419-98c5-3fa1aa8e675d", "type": "uses" } ], @@ -2669,10 +2717,6 @@ "dest-uuid": "41c4b4cc-99da-4323-b0f4-229906578501", "type": "uses" }, - { - "dest-uuid": "3f926f8f-7b47-4a7d-976a-269704a6bc5c", - "type": "uses" - }, { "dest-uuid": "f9d61206-3063-4d04-b06f-225f4766bff1", "type": "uses" @@ -2753,6 +2797,10 @@ "dest-uuid": "93bd112e-9494-4b60-bdc5-8b610c7ebe21", "type": "uses" }, + { + "dest-uuid": "3f926f8f-7b47-4a7d-976a-269704a6bc5c", + "type": "uses" + }, { "dest-uuid": "1492c4ba-c933-47b8-953d-6de3db8cfce8", "type": "uses" @@ -2833,10 +2881,6 @@ "dest-uuid": "2e634ff1-a4ea-41b4-8ee9-23db4627a986", "type": "uses" }, - { - "dest-uuid": "70ffc700-eb9b-54d7-8fd4-564bd71a6434", - "type": "uses" - }, { "dest-uuid": "4c7c0caa-b9bc-5d63-b5c3-812fdf3bba8a", "type": "uses" @@ -2844,6 +2888,10 @@ { "dest-uuid": "309c7c8b-c366-5762-8611-136971ac4eb4", "type": "uses" + }, + { + "dest-uuid": "70ffc700-eb9b-54d7-8fd4-564bd71a6434", + "type": "uses" } ], "uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa", 
@@ -2954,7 +3002,7 @@ "value": "Lateral Movement" }, { - "description": "The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.", + "description": "The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to either steal (exfiltrate) the data or to use the data to gain more information about the target environment. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.", "meta": { "ordinal_position": "11", "source": "MITRE", @@ -3057,6 +3105,18 @@ "dest-uuid": "34674b83-86a7-4ad9-8b05-49b505aa5ef0", "type": "uses" }, + { + "dest-uuid": "ca544853-bda2-554a-b7c4-c239760e56a2", + "type": "uses" + }, + { + "dest-uuid": "4562d25c-b3a8-582a-9a04-ff5f510ded7f", + "type": "uses" + }, + { + "dest-uuid": "4d893ef6-a30e-5283-b47b-31d17ac427be", + "type": "uses" + }, { "dest-uuid": "0c81e13a-3608-4171-8075-9f70b2934028", "type": "uses" @@ -3121,6 +3181,10 @@ "tactic_attack_id": "TA0011" }, "related": [ + { + "dest-uuid": "1637efc5-85cc-515c-8244-fa973b0d69a6", + "type": "uses" + }, { "dest-uuid": "f0dd515b-51cf-4853-a20c-02226d099ee0", "type": "uses" 
@@ -3366,11 +3430,11 @@ "type": "uses" }, { - "dest-uuid": "8b6743e7-e856-5772-8b38-2c002602b365", + "dest-uuid": "4c34fe8b-ea13-55f9-9a2f-5948e2a2ecca", "type": "uses" }, { - "dest-uuid": "4c34fe8b-ea13-55f9-9a2f-5948e2a2ecca", + "dest-uuid": "8b6743e7-e856-5772-8b38-2c002602b365", "type": "uses" } ], @@ -3489,6 +3553,26 @@ "dest-uuid": "24787dca-6afd-4ab3-ab6c-32e9486ec418", "type": "uses" }, + { + "dest-uuid": "4a4a4fc9-88bc-500e-ae0e-db0d5f1f5503", + "type": "uses" + }, + { + "dest-uuid": "7683b3ab-64c0-539a-8c37-d5fa4cb6b2a8", + "type": "uses" + }, + { + "dest-uuid": "99360c91-8f86-544f-8689-494ad62c1890", + "type": "uses" + }, + { + "dest-uuid": "1471c62a-d480-5234-801d-ac228fd7a31c", + "type": "uses" + }, + { + "dest-uuid": "c7e3f0b5-f25e-5a99-9831-f8fd21ee3d22", + "type": "uses" + }, { "dest-uuid": "b9c9fd13-c10c-5e78-aeeb-ac18dc0605f9", "type": "uses" diff --git a/clusters/tidal-technique.json b/clusters/tidal-technique.json index b71a532..16db170 100644 --- a/clusters/tidal-technique.json +++ b/clusters/tidal-technique.json 
@@ -13,12 +13,17 @@ "description": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.[[TechNet How UAC Works](https://app.tidalcyber.com/references/bbf8d1a3-115e-4bc8-be43-47ce3b295d45)][[sudo man page 2018](https://app.tidalcyber.com/references/659d4302-d4cf-41af-8007-aa1da0208aa0)] An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.[[OSX Keydnap malware](https://app.tidalcyber.com/references/d43e0dd1-0946-4f49-bcc7-3ef38445eac3)][[Fortinet Fareit](https://app.tidalcyber.com/references/d06223d7-2d86-41c6-af23-50865a1810c0)]", "meta": { "platforms": [ + "AWS", + "Azure", "Azure AD", + "GCP", "Google Workspace", "IaaS", + "Identity Provider", "Linux", "macOS", "Office 365", + "Office Suite", "Windows" ], "source": "MITRE" 
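Review bot: The expanded `platforms` list on Abuse Elevation Control Mechanism now carries legacy names and their replacements side by side — `"Azure AD"` next to `"Identity Provider"`, and `"Office 365"` next to `"Office Suite"` — so a consumer that filters or counts by platform will match this technique twice for what is one platform under the current naming. If the upstream source deliberately keeps the old names for backward compatibility, that deserves a note where the galaxy is documented so downstream filters are not written against both; otherwise the legacy values should be dropped at the source, since this file looks generated rather than hand-edited. The same duplication appears in the other platform hunks in this change, so one fix in the generator would cover all of them.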
@@ -61,9 +66,15 @@ "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://app.tidalcyber.com/technique/24787dca-6afd-4ab3-ab6c-32e9486ec418) to set malicious changes into place.[[CarbonBlack LockerGoga 2019](https://app.tidalcyber.com/references/9970063c-6df7-4638-a247-6b1102289372)][[Unit42 LockerGoga 2019](https://app.tidalcyber.com/references/8f058923-f2f7-4c0e-b90a-c7a0d5e62186)]\n\nIn Windows, [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) utility, Set-LocalUser and Set-ADAccountPassword [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy. \n\nAdversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) and [Defacement](https://app.tidalcyber.com/technique/9a21c7c7-cf8e-4f05-b196-86ec39653e3b), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3) objective. ", "meta": { "platforms": [ + "AWS", + "Azure", + "GCP", + "Google Workspace", + "IaaS", "Linux", "macOS", "Office 365", + "Office Suite", "SaaS", "Windows" ], 
@@ -82,12 +93,17 @@ "description": "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).\n\nAdversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.\n\nFor examples, cloud environments typically provide easily accessible interfaces to obtain user lists.[[AWS List Users](https://app.tidalcyber.com/references/517e3d27-36da-4810-b256-3f47147b36e3)][[Google Cloud - IAM Servie Accounts List API](https://app.tidalcyber.com/references/3ffad706-1dac-41dd-b197-06f22fec3b30)] On hosts, adversaries can use default [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.", "meta": { "platforms": [ + "AWS", + "Azure", "Azure AD", + "GCP", "Google Workspace", "IaaS", + "Identity Provider", "Linux", "macOS", "Office 365", + "Office Suite", "SaaS", "Windows" ], 
@@ -106,14 +122,19 @@ "description": "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.[[FireEye SMOKEDHAM June 2021](https://app.tidalcyber.com/references/a81ad3ef-fd96-432c-a7c8-ccc86d127a1b)] These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406).", "meta": { "platforms": [ + "AWS", + "Azure", "Azure AD", "Containers", + "GCP", "Google Workspace", "IaaS", + "Identity Provider", "Linux", "macOS", "Network", "Office 365", + "Office Suite", "SaaS", "Windows" ], @@ -196,11 +217,11 @@ }, "related": [ { - "dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53", + "dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a", "type": "uses" }, { - "dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a", + "dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53", "type": "uses" } ], 
@@ -208,7 +229,7 @@ "value": "Adversary-in-the-Middle" }, { - "description": "Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.[[Mandiant APT29 Eye Spy Email Nov 22](https://app.tidalcyber.com/references/452ca091-42b1-5bef-8a01-921c1f46bbee)] ", + "description": "Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.[[Mandiant APT29 Eye Spy Email Nov 22](https://app.tidalcyber.com/references/452ca091-42b1-5bef-8a01-921c1f46bbee)] ", "meta": { "platforms": [ "Linux", 
@@ -288,9 +309,15 @@ "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. \n\nIn cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.[[Mandiant UNC3944 SMS Phishing 2023](https://app.tidalcyber.com/references/3a310dbd-4b5c-5eaf-a4ce-699e52007c9b)] \n\nThis functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8) and [Lateral Tool Transfer](https://app.tidalcyber.com/technique/3dea57fc-3131-408b-a1fd-ff2eea1d858f) to identify and move files, as well as [Cloud Service Dashboard](https://app.tidalcyber.com/technique/315ce434-ad6d-4dae-a1dd-6db944a44422) and [Cloud Storage Object Discovery](https://app.tidalcyber.com/technique/92761d92-a288-4407-a112-bb2720f07d07) to identify resources in cloud environments.", "meta": { "platforms": [ + "AWS", + "Azure", + "GCP", + "Google Workspace", "IaaS", "Linux", "macOS", + "Office 365", + "Office Suite", "SaaS", "Windows" ], 
@@ -453,14 +480,19 @@ "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.[[TrendMicro Pawn Storm Dec 2020](https://app.tidalcyber.com/references/3bc249cd-f29a-4a74-a179-a6860e43683f)] Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.[[Dragos Crashoverride 2018](https://app.tidalcyber.com/references/d14442d5-2557-4a92-9a29-b15a20752f56)] Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\n\nBrute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d), [Account Discovery](https://app.tidalcyber.com/technique/6736995e-b9ea-401b-81fa-6caeb7a17ce3), or [Password Policy Discovery](https://app.tidalcyber.com/technique/2bf2e498-99c8-4e36-ad4b-e675d95ac925). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) as part of Initial Access.", "meta": { "platforms": [ + "AWS", + "Azure", "Azure AD", "Containers", + "GCP", "Google Workspace", "IaaS", + "Identity Provider", "Linux", "macOS", "Network", "Office 365", + "Office Suite", "SaaS", "Windows" ], 
@@ -515,6 +547,9 @@ "description": "Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. [[AWS Systems Manager Run Command](https://app.tidalcyber.com/references/ef66f17b-6a5b-5eb8-83de-943e2bddd114)][[Microsoft Run Command](https://app.tidalcyber.com/references/4f2e6adb-6e3d-5f1f-b873-4b99797f2bfa)]\n\nIf an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf) to execute commands in connected virtual machines.[[MSTIC Nobelium Oct 2021](https://app.tidalcyber.com/references/7b6cc308-9871-47e5-9039-a9a7e66ce373)]", "meta": { "platforms": [ + "AWS", + "Azure", + "GCP", "IaaS" ], "source": "MITRE" 
@@ -532,6 +567,9 @@ "description": "An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.\n\nCloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket.[[Amazon Describe Instance](https://app.tidalcyber.com/references/c0b6a8a4-0d94-414d-b5ab-cf5485240dee)][[Amazon Describe Instances API](https://app.tidalcyber.com/references/95629746-43d2-4f41-87da-4bd44a43ef4a)][[AWS Get Public Access Block](https://app.tidalcyber.com/references/f2887980-569a-4bc2-949e-bd8ff266c43c)][[AWS Head Bucket](https://app.tidalcyber.com/references/1388a78e-9f86-4927-a619-e0fcbac5b7a1)] Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project [[Google Compute Instances](https://app.tidalcyber.com/references/ae09e791-a00c-487b-b0e5-7768df0679a3)], and Azure's CLI command az vm list lists details of virtual machines.[[Microsoft AZ CLI](https://app.tidalcyber.com/references/cfd94553-272b-466b-becb-3859942bcaa5)] In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://app.tidalcyber.com/technique/a0e40412-cbfb-477b-87fc-40f2c84d26be).[[Malwarebytes OSINT Leaky Buckets 
- Hioureas](https://app.tidalcyber.com/references/67ebcf71-828e-4202-b842-f071140883f8)]\n\nAn adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.[[Expel IO Evil in AWS](https://app.tidalcyber.com/references/4c2424d6-670b-4db0-a752-868b4c954e29)] The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.[[Mandiant M-Trends 2020](https://app.tidalcyber.com/references/83bc9b28-f8b3-4522-b9f1-f43bce3ae917)]An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources. [[AWS Describe DB Instances](https://app.tidalcyber.com/references/85bda17d-7b7c-4d0e-a0d2-2adb5f0a6b82)] Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://app.tidalcyber.com/technique/5d0a3722-52b6-4968-a367-7ca6bc9a33fc), this technique focuses on the discovery of components of the provided services rather than the services themselves.", "meta": { "platforms": [ + "AWS", + "Azure", + "GCP", "IaaS" ], "source": "MITRE" 
@@ -549,10 +587,15 @@ "description": "An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.[[Google Command Center Dashboard](https://app.tidalcyber.com/references/a470fe2a-40ce-4060-8dfc-2cdb56bbc18b)]\n\nDepending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests.", "meta": { "platforms": [ + "AWS", + "Azure", "Azure AD", + "GCP", "Google Workspace", "IaaS", + "Identity Provider", "Office 365", + "Office Suite", "SaaS" ], "source": "MITRE" 
@@ -567,13 +610,18 @@ "value": "Cloud Service Dashboard" }, { - "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.[[Azure - Resource Manager API](https://app.tidalcyber.com/references/223cc020-e88a-4236-9c34-64fe606a1729)][[Azure AD Graph API](https://app.tidalcyber.com/references/fed0fef5-e366-4e24-9554-0599744cd1c6)]\n\nFor example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.[[Azure - Stormspotter](https://app.tidalcyber.com/references/42383ed1-9705-4313-8068-28a22a23f50e)][[GitHub Pacu](https://app.tidalcyber.com/references/bda43b1b-ea8d-4371-9984-6d8a7cc24965)]\n\nAdversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://app.tidalcyber.com/technique/9f290216-b2ab-47b5-b9ae-a94ae6d357c6) or [Disable or Modify Cloud 
Logs](https://app.tidalcyber.com/technique/6824cdb3-a4c5-45a8-a3d5-5a5afd347214).", + "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.[[Azure - Resource Manager API](https://app.tidalcyber.com/references/223cc020-e88a-4236-9c34-64fe606a1729)][[Azure AD Graph API](https://app.tidalcyber.com/references/fed0fef5-e366-4e24-9554-0599744cd1c6)]\n\nFor example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.[[Azure - Stormspotter](https://app.tidalcyber.com/references/42383ed1-9705-4313-8068-28a22a23f50e)][[GitHub Pacu](https://app.tidalcyber.com/references/bda43b1b-ea8d-4371-9984-6d8a7cc24965)]\n\nAdversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://app.tidalcyber.com/technique/9f290216-b2ab-47b5-b9ae-a94ae6d357c6) or [Disable or Modify Cloud 
Logs](https://app.tidalcyber.com/technique/6824cdb3-a4c5-45a8-a3d5-5a5afd347214).", "meta": { "platforms": [ + "AWS", + "Azure", "Azure AD", + "GCP", "Google Workspace", "IaaS", + "Identity Provider", "Office 365", + "Office Suite", "SaaS" ], "source": "MITRE" @@ -591,6 +639,9 @@ "description": "Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://app.tidalcyber.com/technique/fd346e4e-b22f-4cae-bc24-946d7b14b5e1)) adversaries may access the contents/objects stored in cloud infrastructure.\n\nCloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS [[ListObjectsV2](https://app.tidalcyber.com/references/727c2077-f922-4314-908a-356c42564181)] and List Blobs in Azure[[List Blobs](https://app.tidalcyber.com/references/f9aa697a-83dd-4bae-bc11-006be51ce477)] .", "meta": { "platforms": [ + "AWS", + "Azure", + "GCP", "IaaS" ], "source": "MITRE" 
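Review bot: The rewritten Cloud Service Discovery description now names the `Microsoft Graph API`, but the citation that follows is still `[[Azure AD Graph API](https://app.tidalcyber.com/references/fed0fef5-e366-4e24-9554-0599744cd1c6)]`, so the sentence and its supporting reference no longer agree and a reader following the link lands on documentation for the API the text stopped mentioning. Either keep the citation label consistent with the new wording or add a reference for Microsoft Graph alongside it; Azure AD Graph has, as far as I know, been announced for retirement, so the old reference is also likely to go stale. The `platforms` list in the same hunk still lists `"Azure AD"` next to the new `"Identity Provider"`, which double-tags the technique for that platform. This file appears generated from the Tidal API, so the correction probably belongs upstream in the generator input rather than in this file directly.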
@@ -608,13 +659,18 @@ "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://app.tidalcyber.com/technique/3eafcd8b-0cb8-4d23-8785-3f80a3c897c7) while Windows installations include the [Windows Command Shell](https://app.tidalcyber.com/technique/be095bcc-4769-4010-b2db-3033d01efdbe) and [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde).\n\nThere are also cross-platform interpreters such as [Python](https://app.tidalcyber.com/technique/68fed1c9-e060-4c4d-83d9-d8c817893d65), as well as those commonly associated with client applications such as [JavaScript](https://app.tidalcyber.com/technique/8a669da8-8894-4fb0-9124-c3c8418985cc) and [Visual Basic](https://app.tidalcyber.com/technique/0340ed34-6db2-4979-bf73-2c16855867b4).\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://app.tidalcyber.com/tactics/586a5b49-c566-4a57-beb4-e7c667f9c34c) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. 
Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) in order to achieve remote Execution.[[Powershell Remote Commands](https://app.tidalcyber.com/references/24c526e1-7199-45ca-99b4-75e75c7041cd)][[Cisco IOS Software Integrity Assurance - Command History](https://app.tidalcyber.com/references/dbca06dd-1184-4d52-9ee8-b059e368033c)][[Remote Shell Execution in Python](https://app.tidalcyber.com/references/4ea54256-42f9-4b35-8f9e-e595ab9be9ce)]",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
 "Azure AD",
+ "GCP",
 "Google Workspace",
 "IaaS",
+ "Identity Provider",
 "Linux",
 "macOS",
 "Network",
 "Office 365",
+ "Office Suite",
 "Windows"
 ],
 "source": "MITRE"
@@ -665,7 +721,7 @@ "value": "Compromise Accounts" }, { - "description": "Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.\n\nAdversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.\n\nAn adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)[[Unit42 Banking Trojans Hooking 2022](https://app.tidalcyber.com/references/411c3df4-08e6-518a-953d-19988b663dc4)] prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.[[ESET FontOnLake Analysis 2021](https://app.tidalcyber.com/references/dbcced87-91ee-514f-98c8-29a85d967384)]", + "description": "Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.\n\nAdversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. 
Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://app.tidalcyber.com/technique/f516ecd7-a6a6-4018-8e58-c007be05bdce)).[[Google Cloud Mandiant UNC3886 2024](https://app.tidalcyber.com/references/77b32efe-b936-5541-b0fb-aa442a7d11b7)]\n\nAn adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)[[Unit42 Banking Trojans Hooking 2022](https://app.tidalcyber.com/references/411c3df4-08e6-518a-953d-19988b663dc4)] prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.[[ESET FontOnLake Analysis 2021](https://app.tidalcyber.com/references/dbcced87-91ee-514f-98c8-29a85d967384)]\n\nAfter modifying a binary, an adversary may attempt to [Impair Defenses](https://app.tidalcyber.com/technique/e3be3d76-0a36-4060-8003-3b39c557f728) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).[[Google Cloud Mandiant UNC3886 2024](https://app.tidalcyber.com/references/77b32efe-b936-5541-b0fb-aa442a7d11b7)]",
 "meta": {
 "platforms": [
 "Linux",
@@ -761,14 +817,19 @@
 "description": "Adversaries may create an account to maintain access to victim systems.[[Symantec WastedLocker June 2020](https://app.tidalcyber.com/references/061d8f74-a202-4089-acae-687e4f96933b)] With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\n\nAccounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
 "Azure AD",
 "Containers",
+ "GCP",
 "Google Workspace",
 "IaaS",
+ "Identity Provider",
 "Linux",
 "macOS",
 "Network",
 "Office 365",
+ "Office Suite",
 "SaaS",
 "Windows"
 ],
@@ -811,6 +872,9 @@
 "description": "Adversaries may search for common password storage locations to obtain user credentials.[[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)] Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
+ "GCP",
 "IaaS",
 "Linux",
 "macOS",
@@ -828,10 +892,13 @@ "value": "Credentials from Password Stores" }, { - "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.[[Symantec Shamoon 2012](https://app.tidalcyber.com/references/ac634e99-d951-402b-bb1c-e575753dfda8)][[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)][[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)][[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)][[Unit 42 Shamoon3 2018](https://app.tidalcyber.com/references/c2148166-faf4-4ab7-a37e-deae0c88c08d)][[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)] Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. 
This behavior is distinct from [Disk Content Wipe](https://app.tidalcyber.com/technique/761fa7fa-d7e1-4796-85b3-5cd37d55dffa) and [Disk Structure Wipe](https://app.tidalcyber.com/technique/14a944d3-ab95-40d8-b069-ccc4824ef46d) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.[[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)][[Unit 42 Shamoon3 2018](https://app.tidalcyber.com/references/c2148166-faf4-4ab7-a37e-deae0c88c08d)] In some cases politically oriented image files have been used to overwrite data.[[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)][[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)][[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)]\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406), [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d), and [SMB/Windows Admin Shares](https://app.tidalcyber.com/technique/bc2f2c6c-ffe7-4e78-bbac-369f6781bbdd).[[Symantec Shamoon 2012](https://app.tidalcyber.com/references/ac634e99-d951-402b-bb1c-e575753dfda8)][[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)][[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)][[Kaspersky StoneDrill 
2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)][[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)].\n\nIn cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.[[Data Destruction - Threat Post](https://app.tidalcyber.com/references/97d16d3a-98a0-4a7d-9f74-8877c8088ddf)][[DOJ - Cisco Insider](https://app.tidalcyber.com/references/b8d9006d-7466-49cf-a70e-384edee530ce)]", + "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.[[Symantec Shamoon 2012](https://app.tidalcyber.com/references/ac634e99-d951-402b-bb1c-e575753dfda8)][[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)][[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)][[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)][[Unit 42 Shamoon3 2018](https://app.tidalcyber.com/references/c2148166-faf4-4ab7-a37e-deae0c88c08d)][[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)] Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. 
This behavior is distinct from [Disk Content Wipe](https://app.tidalcyber.com/technique/761fa7fa-d7e1-4796-85b3-5cd37d55dffa) and [Disk Structure Wipe](https://app.tidalcyber.com/technique/14a944d3-ab95-40d8-b069-ccc4824ef46d) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.[[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)][[Unit 42 Shamoon3 2018](https://app.tidalcyber.com/references/c2148166-faf4-4ab7-a37e-deae0c88c08d)] In some cases politically oriented image files have been used to overwrite data.[[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)][[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)][[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)]\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406), [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d), and [SMB/Windows Admin Shares](https://app.tidalcyber.com/technique/bc2f2c6c-ffe7-4e78-bbac-369f6781bbdd).[[Symantec Shamoon 2012](https://app.tidalcyber.com/references/ac634e99-d951-402b-bb1c-e575753dfda8)][[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)][[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)][[Kaspersky StoneDrill 
2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)][[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)].\n\nIn cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.[[Data Destruction - Threat Post](https://app.tidalcyber.com/references/97d16d3a-98a0-4a7d-9f74-8877c8088ddf)][[DOJ - Cisco Insider](https://app.tidalcyber.com/references/b8d9006d-7466-49cf-a70e-384edee530ce)]",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
 "Containers",
+ "GCP",
 "IaaS",
 "Linux",
 "macOS",
@@ -871,6 +938,9 @@ "description": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.[[US-CERT Ransomware 2016](https://app.tidalcyber.com/references/866484fa-836d-4c5b-bbad-3594ef60599c)][[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)][[US-CERT NotPetya 2017](https://app.tidalcyber.com/references/6a009850-834b-4178-9028-2745921b6743)][[US-CERT SamSam 2018](https://app.tidalcyber.com/references/b9d14fea-2330-4eed-892c-b4e05a35d273)]\n\nIn the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). 
Adversaries may need to first employ other behaviors, such as [File and Directory Permissions Modification](https://app.tidalcyber.com/technique/cb2e4822-2529-4216-b5b8-75158c5f85ff) or [System Shutdown/Reboot](https://app.tidalcyber.com/technique/24787dca-6afd-4ab3-ab6c-32e9486ec418), in order to unlock and/or gain access to manipulate these files.[[CarbonBlack Conti July 2020](https://app.tidalcyber.com/references/3c3a6dc0-66f2-492e-8c9c-c0bcca73008e)] In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.[[US-CERT NotPetya 2017](https://app.tidalcyber.com/references/6a009850-834b-4178-9028-2745921b6743)] \n\nTo maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406), [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d), and [SMB/Windows Admin Shares](https://app.tidalcyber.com/technique/bc2f2c6c-ffe7-4e78-bbac-369f6781bbdd).[[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)][[US-CERT NotPetya 2017](https://app.tidalcyber.com/references/6a009850-834b-4178-9028-2745921b6743)] Encryption malware may also leverage [Internal Defacement](https://app.tidalcyber.com/technique/546a3318-0e03-4b22-95f5-c02ff69a4ebf), such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as \"print bombing\").[[NHS Digital Egregor Nov 2020](https://app.tidalcyber.com/references/92f74037-2a20-4667-820d-2ccc0e4dbd3d)]\n\nIn cloud environments, storage objects within compromised accounts may also be encrypted.[[Rhino S3 Ransomware Part 1](https://app.tidalcyber.com/references/bb28711f-186d-4101-b153-6340ce826343)]", "meta": { "platforms": [ + "AWS", + "Azure", + 
"GCP",
 "IaaS",
 "Linux",
 "macOS",
@@ -891,9 +961,13 @@ "description": "Adversaries may access data from cloud storage.\n\nMany IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform. \n\nIn some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly though the [Cloud API](https://app.tidalcyber.com/technique/af798e80-2cc5-5452-83e4-9560f08bf2d5). In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., [Data from Information Repositories](https://app.tidalcyber.com/technique/08a73f37-a04e-46be-9409-b330cbe291b4)). \n\nAdversaries may collect sensitive data from these cloud storage solutions. 
Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.[[Amazon S3 Security, 2019](https://app.tidalcyber.com/references/4c434ca5-2544-45e0-82d9-71343d8aa960)][[Microsoft Azure Storage Security, 2019](https://app.tidalcyber.com/references/95bda448-bb13-4fa6-b663-e48a9d1b866f)][[Google Cloud Storage Best Practices, 2019](https://app.tidalcyber.com/references/752ad355-0f10-4c8d-bad8-42bf2fc75fa0)] There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.\n\nThis open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.[[Trend Micro S3 Exposed PII, 2017](https://app.tidalcyber.com/references/1ba37b48-1219-4f87-af36-9bdd8d6265ca)][[Wired Magecart S3 Buckets, 2019](https://app.tidalcyber.com/references/47fb06ed-b4ce-454c-9bbe-21b28309f351)][[HIPAA Journal S3 Breach, 2017](https://app.tidalcyber.com/references/b0fbf593-4aeb-4167-814b-ed3d4479ded0)][[Rclone-mega-extortion_05_2021](https://app.tidalcyber.com/references/9b492a2f-1326-4733-9c0e-a9454bf7fabb)]\n\nAdversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
+ "GCP",
 "Google Workspace",
 "IaaS",
 "Office 365",
+ "Office Suite",
 "SaaS"
 ],
 "source": "MITRE"
@@ -925,14 +999,18 @@ "value": "Data from Configuration Repository" }, { - "description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization. \n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as [Sharepoint](https://app.tidalcyber.com/technique/8ac6952d-5add-4cbc-ad39-44943ed3459b) and [Confluence](https://app.tidalcyber.com/technique/3cc64d61-7922-4e08-98ff-b76cb2173830), specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.", + "description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. 
Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., [Transfer Data to Cloud Account](https://app.tidalcyber.com/technique/ab4f22d6-465f-4a16-8a40-693f2234c4ac)). \n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials (i.e., [Unsecured Credentials](https://app.tidalcyber.com/technique/02ed857b-ba39-4fab-b1d9-3ed2aa689dfd)) \n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n* Contact or other sensitive information about business partners and customers, including personally identifiable information (PII) \n\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include the following:\n\n* Storage services such as IaaS databases, enterprise databases, and more specialized platforms such as customer relationship management (CRM) databases \n* Collaboration platforms such as SharePoint, Confluence, and code repositories\n* Messaging platforms such as Slack and Microsoft Teams \n\nIn some cases, information repositories have been improperly secured, typically by unintentionally allowing for overly-broad access by all users or even public access to unauthenticated users. 
This is particularly common with cloud-native or cloud-hosted services, such as AWS Relational Database Service (RDS), Redis, or ElasticSearch.[[Mitiga](https://app.tidalcyber.com/references/8c1d75b3-2ea9-5390-aefb-88f50730b2a0)][[TrendMicro Exposed Redis 2020](https://app.tidalcyber.com/references/58e61406-a8ca-52a8-be48-ef6066619a8a)][[Cybernews Reuters Leak 2022](https://app.tidalcyber.com/references/ca5ee9aa-6c9a-57dc-9cb4-0d976de1b5e5)]",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
+ "GCP",
 "Google Workspace",
 "IaaS",
 "Linux",
 "macOS",
 "Office 365",
+ "Office Suite",
 "SaaS",
 "Windows"
 ],
@@ -1047,6 +1125,9 @@
 "description": "Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://app.tidalcyber.com/technique/ebd3f870-c513-4fb0-b133-15ffc1f91db2). Interactive command shells may be used, and common functionality within [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) and bash may be used to copy data into a staging location.[[PWC Cloud Hopper April 2017](https://app.tidalcyber.com/references/fe741064-8cd7-428b-bdb9-9f2ab7e92489)]\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://app.tidalcyber.com/technique/2ba8a662-6930-4cbe-9e3d-4cbe2109fd88) and stage data in that instance.[[Mandiant M-Trends 2020](https://app.tidalcyber.com/references/83bc9b28-f8b3-4522-b9f1-f43bce3ae917)]\n\nAdversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
+ "GCP",
 "IaaS",
 "Linux",
 "macOS",
@@ -1109,6 +1190,9 @@
 "description": "Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for [Defacement](https://app.tidalcyber.com/technique/9a21c7c7-cf8e-4f05-b196-86ec39653e3b) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://app.tidalcyber.com/technique/9a21c7c7-cf8e-4f05-b196-86ec39653e3b) in order to cause user discomfort, or to pressure compliance with accompanying messages. \n",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
+ "GCP",
 "IaaS",
 "Linux",
 "macOS",
@@ -1244,7 +1328,7 @@
 "meta": {
 "platforms": [
 "Azure AD",
- "SaaS",
+ "Identity Provider",
 "Windows"
 ],
 "source": "MITRE"
@@ -1283,9 +1367,10 @@ "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://app.tidalcyber.com/technique/8592f37d-850a-43d1-86f2-cc981ad7d7dc).\n\nMultiple ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://app.tidalcyber.com/technique/f2661f07-9027-4d19-9028-d07b7511f3d5)), including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting\n* Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary\n* Malicious ads are paid for and served through legitimate ad providers (i.e., [Malvertising](https://app.tidalcyber.com/technique/60ac24aa-ce63-5c1d-8126-db20a27d85be))\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.[[Shadowserver Strategic Web Compromise](https://app.tidalcyber.com/references/cf531866-ac3c-4078-b847-5b4af7eb161f)]\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. 
Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing Application](https://app.tidalcyber.com/technique/4695fd01-43a5-4aa9-ab1a-501fc0dfbd6a), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.\n\nAdversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://app.tidalcyber.com/technique/f78f2c87-626a-468f-93a5-31b61be17727)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.[[Volexity OceanLotus Nov 2017](https://app.tidalcyber.com/references/ed9f5545-377f-4a12-92e4-c0439cc5b037)]",
 "meta": {
 "platforms": [
+ "Azure AD",
+ "Identity Provider",
 "Linux",
 "macOS",
- "SaaS",
 "Windows"
 ],
 "source": "MITRE"
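Review bot: The added lines `+ "Azure AD",` and `+ "Identity Provider",` in this hunk's `platforms` array introduce the legacy `"Azure AD"` label onto a technique that did not carry it before, while every other hunk visible in this patch only adds `"Identity Provider"` beside an already-present `"Azure AD"` (and `"Office Suite"` beside an existing `"Office 365"`), never adding the old name fresh. If `"Azure AD"` is being retained purely as a backward-compatible alias for existing entries, this technique should receive `"Identity Provider"` alone; otherwise tooling that filters techniques by platform will see the two spellings diverge across the cluster. If this cluster is regenerated from the upstream Tidal data by a script, the mapping should be corrected there rather than by a hand edit that the next sync would undo. The technique object's opening brace and its `value` line are outside this hunk, so its identity is inferred only from the description context line.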
@@ -1319,13 +1404,14 @@
 "value": "Dynamic Resolution"
 },
 {
- "description": "Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients. ",
+ "description": "Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses.[[TrustedSec OOB Communications](https://app.tidalcyber.com/references/65b7db0a-1aeb-545b-af65-b40d043f3502)][[CISA AA20-352A 2021](https://app.tidalcyber.com/references/1e68b9ef-0aee-5d69-be72-3bc4d5cfa6b9)] Adversaries can collect or forward email from mail servers or clients. ",
 "meta": {
 "platforms": [
 "Google Workspace",
 "Linux",
 "macOS",
 "Office 365",
+ "Office Suite",
 "Windows"
 ],
 "source": "MITRE"
@@ -1363,14 +1449,13 @@ "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes[[FireEye OpPoisonedHandover February 2016](https://app.tidalcyber.com/references/1d57b1c8-930b-4bcb-a51e-39020327cc5d)] and to support other malicious activities, including distraction[[FSISAC FraudNetDoS September 2012](https://app.tidalcyber.com/references/9c8772eb-6d1d-4742-a2db-a5e1006effaa)], hacktivism, and extortion.[[Symantec DDoS October 2014](https://app.tidalcyber.com/references/878e0382-4191-4bca-8adc-c379b0d57ba8)]\n\nAn Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\n\nTo perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. 
This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nBotnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.[[USNYAG IranianBotnet March 2016](https://app.tidalcyber.com/references/69ee73c1-359f-4584-a6e7-75119d24bbf5)]\n\nIn cases where traffic manipulation is used, there may be points in the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. 
This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.[[ArsTechnica Great Firewall of China](https://app.tidalcyber.com/references/1a08d58f-bf91-4345-aa4e-2906d3ef365a)]\n\nFor attacks attempting to saturate the providing network, see [Network Denial of Service](https://app.tidalcyber.com/technique/e6c14a7b-1fb8-4557-83e7-7f5b89717311).\n", "meta": { "platforms": [ - "Azure AD", + "AWS", + "Azure", "Containers", - "Google Workspace", + "GCP", "IaaS", "Linux", "macOS", - "Office 365", - "SaaS", "Windows" ], "source": "MITRE" 
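Review bot: The platform list for Endpoint Denial of Service removes `"Azure AD"`, `"Google Workspace"`, `"Office 365"` and `"SaaS"` outright, whereas the other hunks visible in this change keep the legacy names next to the new ones (for example `"Azure AD"` beside `"Identity Provider"` and `"Office 365"` beside `"Office Suite"`). If this mirrors an upstream retirement of those platforms for this one technique it is fine, but a consumer that still filters the galaxy on the old taxonomy will silently lose this entry while continuing to match the others, so the intended migration policy (additive vs. replacement) is worth stating in the commit message. If the removal is an artefact of the export rather than a deliberate decision, keeping the four legacy tags alongside `"AWS"`, `"Azure"` and `"GCP"` would be consistent with the rest of the file.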
@@ -1424,10 +1509,15 @@ "description": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.[[Backdooring an AWS account](https://app.tidalcyber.com/references/2c867527-1584-44f7-b5e5-8ca54ea79619)][[Varonis Power Automate Data Exfiltration](https://app.tidalcyber.com/references/16436468-1daf-433d-bb3b-f842119594b4)][[Microsoft DART Case Report 001](https://app.tidalcyber.com/references/bd8c6a86-1a63-49cd-a97f-3d119e4223d4)]\n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.[[FireEye WMI 2015](https://app.tidalcyber.com/references/135ccd72-2714-4453-9c8f-f5fde31905ee)][[Malware Persistence on OS X](https://app.tidalcyber.com/references/d4e3b066-c439-4284-ba28-3b8bd8ec270e)][[amnesia malware](https://app.tidalcyber.com/references/489a6c57-f64c-423b-a7bd-169fa36c4cdf)]\n\nSince the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. ", "meta": { "platforms": [ + "AWS", + "Azure", + "GCP", + "Google Workspace", "IaaS", "Linux", "macOS", "Office 365", + "Office Suite", "SaaS", "Windows" ], 
@@ -1447,7 +1537,7 @@ "value": "Event Triggered Execution" }, { - "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.[[FireEye Kevin Mandia Guardrails](https://app.tidalcyber.com/references/0c518eec-a94e-42a7-8eb7-527ae3e279b6)] Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.[[FireEye Outlook Dec 2019](https://app.tidalcyber.com/references/f23a773f-9c50-4193-877d-97f7c13f48f1)]\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8). While use of [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.", + "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. 
Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.[[FireEye Kevin Mandia Guardrails](https://app.tidalcyber.com/references/0c518eec-a94e-42a7-8eb7-527ae3e279b6)] Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.[[FireEye Outlook Dec 2019](https://app.tidalcyber.com/references/f23a773f-9c50-4193-877d-97f7c13f48f1)]\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8). While use of [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.\n\nAdversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.[[Trellix-Qakbot](https://app.tidalcyber.com/references/0ffc4317-c88a-5c9b-9c13-cb8b2a8b65e6)]", "meta": { "platforms": [ "Linux", 
@@ -1469,12 +1559,16 @@ "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. \n\n[Exfiltration Over Alternative Protocol](https://app.tidalcyber.com/technique/192d25ea-bae1-48e4-88de-e0acd481ab88) can be done using various common operating system utilities such as [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc)/SMB or FTP.[[Palo Alto OilRig Oct 2016](https://app.tidalcyber.com/references/14bbb07b-caeb-4d17-8e54-047322a5930c)] On macOS and Linux curl may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.[[20 macOS Common Tools and Techniques](https://app.tidalcyber.com/references/3ee99ff4-daf4-4776-9d94-f7cf193c2b0c)]\n\nMany IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or [Cloud API](https://app.tidalcyber.com/technique/af798e80-2cc5-5452-83e4-9560f08bf2d5).", "meta": { "platforms": [ + "AWS", + "Azure", + "GCP", "Google Workspace", "IaaS", "Linux", "macOS", "Network", "Office 365", + "Office Suite", "SaaS", "Windows" ], @@ -1554,6 +1648,7 @@ "Linux", "macOS", "Office 365", + "Office Suite", "SaaS", "Windows" ], @@ -1592,6 +1687,7 @@ "meta": { "platforms": [ "Azure AD", + "Identity Provider", "Linux", "macOS", "Windows" 
@@ -1611,6 +1707,9 @@ "description": "Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\n\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://app.tidalcyber.com/technique/9e945aa5-3883-4537-a767-f49bdcce26c7). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.\n\nThere have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries [[Salesforce zero-day in facebook phishing attack](https://app.tidalcyber.com/references/cbd360bb-f4b6-5326-8861-b05f3a2a8737)], evade security logs [[Bypassing CloudTrail in AWS Service Catalog](https://app.tidalcyber.com/references/de50bd67-96bb-537c-b91d-e541a717b7a1)], or deploy hidden infrastructure.[[GhostToken GCP flaw](https://app.tidalcyber.com/references/3f87bd65-4194-5be6-93a1-acde6eaef547)]", "meta": { "platforms": [ + "AWS", + "Azure", + "GCP", "IaaS", "Linux", "macOS", 
@@ -1668,10 +1767,13 @@ "value": "Exploitation of Remote Services" }, { - "description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.[[NVD CVE-2016-6662](https://app.tidalcyber.com/references/1813c26d-da68-4a82-a959-27351dd5e51b)][[CIS Multiple SMB Vulnerabilities](https://app.tidalcyber.com/references/76d9da2c-1503-4105-b017-cb2b69298296)][[US-CERT TA18-106A Network Infrastructure Devices 2018](https://app.tidalcyber.com/references/8fdf280d-680f-4b8f-8fb9-6b3118ec3983)][[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)][[NVD CVE-2014-7169](https://app.tidalcyber.com/references/c3aab918-51c6-4773-8677-a89b27a00eb1)] Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://app.tidalcyber.com/technique/15b65bf2-dbe5-47bc-be09-ed97684bf391) or [Exploitation for Client Execution](https://app.tidalcyber.com/technique/068df3d7-f788-44e4-9e6b-2ae443af1609).\n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. 
This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://app.tidalcyber.com/technique/bebaf25b-9f50-4e3b-96cc-cc55c5765b61), or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.[[Mandiant Fortinet Zero Day](https://app.tidalcyber.com/references/7bdc5bbb-ebbd-5eb8-bd10-9087c883aea7)][[Wired Russia Cyberwar](https://app.tidalcyber.com/references/28c53a97-5500-5bfb-8aac-3c0bf94c2dfe)]\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.[[OWASP Top 10](https://app.tidalcyber.com/references/c6db3a77-4d01-4b4d-886d-746d676ed6d0)][[CWE top 25](https://app.tidalcyber.com/references/d8ee8b1f-c18d-48f3-9758-6860cd31c3e3)]", + "description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. 
The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.[[NVD CVE-2016-6662](https://app.tidalcyber.com/references/1813c26d-da68-4a82-a959-27351dd5e51b)][[CIS Multiple SMB Vulnerabilities](https://app.tidalcyber.com/references/76d9da2c-1503-4105-b017-cb2b69298296)][[US-CERT TA18-106A Network Infrastructure Devices 2018](https://app.tidalcyber.com/references/8fdf280d-680f-4b8f-8fb9-6b3118ec3983)][[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)][[NVD CVE-2014-7169](https://app.tidalcyber.com/references/c3aab918-51c6-4773-8677-a89b27a00eb1)] Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://app.tidalcyber.com/technique/15b65bf2-dbe5-47bc-be09-ed97684bf391) or [Exploitation for Client Execution](https://app.tidalcyber.com/technique/068df3d7-f788-44e4-9e6b-2ae443af1609).\n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. 
This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://app.tidalcyber.com/technique/a5a95893-d837-424a-979f-095a47dd9f34)), exploit container host access via [Escape to Host](https://app.tidalcyber.com/technique/bebaf25b-9f50-4e3b-96cc-cc55c5765b61), or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.[[Mandiant Fortinet Zero Day](https://app.tidalcyber.com/references/7bdc5bbb-ebbd-5eb8-bd10-9087c883aea7)][[Wired Russia Cyberwar](https://app.tidalcyber.com/references/28c53a97-5500-5bfb-8aac-3c0bf94c2dfe)]\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.[[OWASP Top 10](https://app.tidalcyber.com/references/c6db3a77-4d01-4b4d-886d-746d676ed6d0)][[CWE top 25](https://app.tidalcyber.com/references/d8ee8b1f-c18d-48f3-9758-6860cd31c3e3)]", "meta": { "platforms": [ + "AWS", + "Azure", "Containers", + "GCP", "IaaS", "Linux", "macOS", @@ -1779,6 +1881,7 @@ "Linux", "macOS", "Office 365", + "Office Suite", "SaaS", "Windows" ], 
@@ -1834,12 +1937,17 @@ "description": "Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\n\nAdversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://app.tidalcyber.com/technique/17f9e46d-4e3d-4491-a0d9-0cc042531d6e), [Steal Application Access Token](https://app.tidalcyber.com/technique/f78f2c87-626a-468f-93a5-31b61be17727), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users.\n\nThe generation of web credentials often requires secret values, such as passwords, [Private Keys](https://app.tidalcyber.com/technique/e493bf4a-0eba-4e60-a7a6-c699084dc98a), or other cryptographic seed values.[[GitHub AWS-ADFS-Credential-Generator](https://app.tidalcyber.com/references/340a3a20-0ee1-4fd8-87ab-10ac0d2a50c8)] Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials (i.e., [Temporary Elevated Cloud Access](https://app.tidalcyber.com/technique/448dc009-2d3f-5480-aba3-0d80dc4336cd)), or the `zmprov gdpak` command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.[[AWS Temporary Security Credentials](https://app.tidalcyber.com/references/c6f29134-5af2-42e1-af4f-fbb9eae03432)][[Zimbra Preauth](https://app.tidalcyber.com/references/f8931e8d-9a03-5407-857a-2a1c5a895eed)]\n\nOnce forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication 
Material](https://app.tidalcyber.com/technique/28f65214-95c1-4a72-b385-0b32cbcaea8f)), which may bypass multi-factor and other authentication protection mechanisms.[[Pass The Cookie](https://app.tidalcyber.com/references/dc67930f-5c7b-41be-97e9-d8f4a55e6019)][[Unit 42 Mac Crypto Cookies January 2019](https://app.tidalcyber.com/references/0a88e730-8ed2-4983-8f11-2cb2e4abfe3e)][[Microsoft SolarWinds Customer Guidance](https://app.tidalcyber.com/references/b486ae40-a854-4998-bf1b-aaf6ea2047ed)] ", "meta": { "platforms": [ + "AWS", + "Azure", "Azure AD", + "GCP", "Google Workspace", "IaaS", + "Identity Provider", "Linux", "macOS", "Office 365", + "Office Suite", "SaaS", "Windows" ], 
@@ -1855,7 +1963,7 @@ "value": "Forge Web Credentials" }, { - "description": "Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.[[ATT ScanBox](https://app.tidalcyber.com/references/48753fc9-b7b7-465f-92a7-fb3f51b032cb)] Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)). 
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [Supply Chain Compromise](https://app.tidalcyber.com/technique/b72c8a96-5e03-40c2-ac0c-f77b73fe493f) or [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4)).", + "description": "Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.[[ATT ScanBox](https://app.tidalcyber.com/references/48753fc9-b7b7-465f-92a7-fb3f51b032cb)] Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)). 
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [Supply Chain Compromise](https://app.tidalcyber.com/technique/b72c8a96-5e03-40c2-ac0c-f77b73fe493f) or [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4)).\n\nAdversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.[[TrellixQakbot](https://app.tidalcyber.com/references/c07a87bd-be9d-5bd9-b59a-d89f0e835886)]", "meta": { "platforms": [ "PRE" 
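Review bot: The new user-agent paragraph cites `[[TrellixQakbot](https://app.tidalcyber.com/references/c07a87bd-be9d-5bd9-b59a-d89f0e835886)]`, while the near-identical paragraph added to Execution Guardrails earlier in this same change cites `[[Trellix-Qakbot](https://app.tidalcyber.com/references/0ffc4317-c88a-5c9b-9c13-cb8b2a8b65e6)]` — two reference labels and two UUIDs for what reads as the same Trellix Qakbot report. If these are genuinely distinct reference objects on the Tidal side that is acceptable, but if one is a duplicate the galaxy will carry a dangling or duplicated citation, so both UUIDs should be confirmed to resolve before merging. The duplicated prose itself mirrors upstream ATT&CK and needs no change; only the reference reconciliation is at issue.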
@@ -1962,9 +2070,11 @@ "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.[[Sofacy Komplex Trojan](https://app.tidalcyber.com/references/a21be45e-26c3-446d-b336-b58d08df5749)][[Cybereason OSX Pirrit](https://app.tidalcyber.com/references/ebdf09ed-6eec-450f-aaea-067504ec25ca)][[MalwareBytes ADS July 2015](https://app.tidalcyber.com/references/b552cf89-1880-48de-9088-c755c38821c1)]\n\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.[[Sophos Ragnar May 2020](https://app.tidalcyber.com/references/04ed6dc0-45c2-4e36-8ec7-a75f6f715f0a)]", "meta": { "platforms": [ + "Google Workspace", "Linux", "macOS", "Office 365", + "Office Suite", "Windows" ], "source": "MITRE" 
@@ -2026,15 +2136,22 @@ "value": "Hijack Execution Flow" }, { - "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.[[Emotet shutdown](https://app.tidalcyber.com/references/02e6c7bf-f81c-53a3-b771-fd77d4cdb5a0)]\n\nAdversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.", + "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. 
These restrictions can further enable malicious operations as well as the continued propagation of incidents.[[Google Cloud Mandiant UNC3886 2024](https://app.tidalcyber.com/references/77b32efe-b936-5541-b0fb-aa442a7d11b7)][[Emotet shutdown](https://app.tidalcyber.com/references/02e6c7bf-f81c-53a3-b771-fd77d4cdb5a0)]\n\n", "meta": { "platforms": [ + "AWS", + "Azure", + "Azure AD", "Containers", + "GCP", + "Google Workspace", "IaaS", + "Identity Provider", "Linux", "macOS", "Network", "Office 365", + "Office Suite", "Windows" ], "source": "MITRE" @@ -2056,6 +2173,7 @@ "Linux", "macOS", "Office 365", + "Office Suite", "SaaS", "Windows" ], 
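Review bot: The rewritten Impair Defenses description now ends with a trailing `\n\n` (an empty paragraph inside the string), and the sentence "These restrictions can further enable malicious operations…" has been moved to follow the "event aggregation and analysis mechanisms" sentence, so its two citations `[[Google Cloud Mandiant UNC3886 2024]]` and `[[Emotet shutdown]]` now sit next to the log-tampering claim rather than the logout/shutdown/update-blocking examples they were attached to in the removed text. If this is a verbatim import of the upstream MITRE description it should stay as-is; if it is editable here, trimming the trailing `\n\n` and restoring the original sentence order would keep each citation beside the claim it supports.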
@@ -2074,7 +2192,10 @@ "description": "Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://app.tidalcyber.com/technique/8ecf5275-c6d1-4fe3-a24a-63fa1f3144fe), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.[[Rhino Labs Cloud Image Backdoor Technique Sept 2019](https://app.tidalcyber.com/references/8fb46ed8-0c21-4b57-b2a6-89cb28f0abaf)]\n\nA tool has been developed to facilitate planting backdoors in cloud container images.[[Rhino Labs Cloud Backdoor September 2019](https://app.tidalcyber.com/references/ac31b781-dbe4-49c2-b7af-dfb23d435ce8)] If an adversary has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a [Web Shell](https://app.tidalcyber.com/technique/05a5318f-476d-44c1-8a85-9466295d31dd).[[Rhino Labs Cloud Image Backdoor Technique Sept 2019](https://app.tidalcyber.com/references/8fb46ed8-0c21-4b57-b2a6-89cb28f0abaf)]", "meta": { "platforms": [ + "AWS", + "Azure", "Containers", + "GCP", "IaaS" ], "source": "MITRE" @@ -2098,6 +2219,7 @@ "macOS", "Network", "Office 365", + "Office Suite", "Windows" ], "source": "MITRE" 
@@ -2112,7 +2234,7 @@ "value": "Indicator Removal" }, { - "description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8). For example, [Forfiles](https://app.tidalcyber.com/software/c6dc67a6-587d-4700-a7de-bee043a0031a), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c), Run window, or via scripts. [[VectorSec ForFiles Aug 2017](https://app.tidalcyber.com/references/8088d15d-9512-4d12-a99a-c76ad9dc3390)] [[Evi1cg Forfiles Nov 2017](https://app.tidalcyber.com/references/b292b85e-68eb-43c3-9b5b-222810e2f26a)]\n\nAdversaries may abuse these features for [Defense Evasion](https://app.tidalcyber.com/tactics/8e29c6c9-0c10-4bb0-827d-ff0ab8922726), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) or file extensions more commonly associated with malicious payloads.", + "description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8). 
For example, [Forfiles](https://app.tidalcyber.com/software/c6dc67a6-587d-4700-a7de-bee043a0031a), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c), Run window, or via scripts.[[VectorSec ForFiles Aug 2017](https://app.tidalcyber.com/references/8088d15d-9512-4d12-a99a-c76ad9dc3390)][[Evi1cg Forfiles Nov 2017](https://app.tidalcyber.com/references/b292b85e-68eb-43c3-9b5b-222810e2f26a)][[Secure Team - Scriptrunner.exe](https://app.tidalcyber.com/references/930ca682-03e0-57e7-a1ec-5a3186f0ff64)][[SS64](https://app.tidalcyber.com/references/e96e1486-ae8a-5fb3-bb8b-a9f0bf22b488)][[Bleeping Computer - Scriptrunner.exe](https://app.tidalcyber.com/references/f7ab464d-255b-5d92-a878-c16c905c057b)]\n\nAdversaries may abuse these features for [Defense Evasion](https://app.tidalcyber.com/tactics/8e29c6c9-0c10-4bb0-827d-ff0ab8922726), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) or file extensions more commonly associated with malicious payloads.", "meta": { "platforms": [ "Windows" 
@@ -2149,10 +2271,13 @@ "value": "Ingress Tool Transfer" }, { - "description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)][[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)] This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) and [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3).[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)][[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)] Furthermore, adversaries may disable recovery notifications, then corrupt backups.[[disable_notif_synology_ransom](https://app.tidalcyber.com/references/d53e8f89-df78-565b-a316-cf2644c5ed36)]\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://app.tidalcyber.com/technique/c37795d9-8970-461f-9491-3086d6b4b69a) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set 
{default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no\n* REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system\n* diskshadow.exe can be used to delete all volume shadow copies on a system - diskshadow delete shadows all [[Diskshadow](https://app.tidalcyber.com/references/9e8b57a5-7e31-5add-ac3e-8b9c0f7f27aa)] [[Crytox Ransomware](https://app.tidalcyber.com/references/7c22d9d0-a2d8-5936-a6b1-5c696a2a19c6)]\n\nOn network devices, adversaries may leverage [Disk Wipe](https://app.tidalcyber.com/technique/ea2b3980-05fd-41a3-8ab9-3106e833c821) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://app.tidalcyber.com/technique/24787dca-6afd-4ab3-ab6c-32e9486ec418) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.\n\nAdversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.[[ZDNet Ransomware Backups 2020](https://app.tidalcyber.com/references/301da9c8-60de-58f0-989f-6b504e3457a3)] In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.[[Dark Reading Code Spaces Cyber Attack](https://app.tidalcyber.com/references/e5a3028a-f4cc-537c-9ddd-769792ab33be)][[Rhino Security Labs AWS S3 Ransomware](https://app.tidalcyber.com/references/785c6b11-c5f0-5cb4-931b-cf75fcc368a1)]", + "description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)][[FireEye WannaCry 
2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)] This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) and [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3).[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)][[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)] Furthermore, adversaries may disable recovery notifications, then corrupt backups.[[disable_notif_synology_ransom](https://app.tidalcyber.com/references/d53e8f89-df78-565b-a316-cf2644c5ed36)]\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://app.tidalcyber.com/technique/c37795d9-8970-461f-9491-3086d6b4b69a) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no\n* REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system\n* diskshadow.exe can be used to delete all volume shadow copies on a system - diskshadow delete shadows all 
[[Diskshadow](https://app.tidalcyber.com/references/9e8b57a5-7e31-5add-ac3e-8b9c0f7f27aa)] [[Crytox Ransomware](https://app.tidalcyber.com/references/7c22d9d0-a2d8-5936-a6b1-5c696a2a19c6)]\n\nOn network devices, adversaries may leverage [Disk Wipe](https://app.tidalcyber.com/technique/ea2b3980-05fd-41a3-8ab9-3106e833c821) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://app.tidalcyber.com/technique/24787dca-6afd-4ab3-ab6c-32e9486ec418) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.\n\nAdversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.[[ZDNet Ransomware Backups 2020](https://app.tidalcyber.com/references/301da9c8-60de-58f0-989f-6b504e3457a3)] In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.[[Dark Reading Code Spaces Cyber Attack](https://app.tidalcyber.com/references/e5a3028a-f4cc-537c-9ddd-769792ab33be)][[Rhino Security Labs AWS S3 Ransomware](https://app.tidalcyber.com/references/785c6b11-c5f0-5cb4-931b-cf75fcc368a1)]", "meta": { "platforms": [ + "AWS", + "Azure", "Containers", + "GCP", "IaaS", "Linux", "macOS", @@ -2202,6 +2327,7 @@ "Linux", "macOS", "Office 365", + "Office Suite", "SaaS", "Windows" ], 
@@ -2255,9 +2381,12 @@ "value": "Lateral Tool Transfer" }, { - "description": "Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://app.tidalcyber.com/technique/6736995e-b9ea-401b-81fa-6caeb7a17ce3)), security or vulnerable software ([Software Discovery](https://app.tidalcyber.com/technique/e9bff6ff-3142-4910-8f67-19b868912602)), or hosts within a compromised network ([Remote System Discovery](https://app.tidalcyber.com/technique/00a9a4d4-928d-4d95-be31-dfac6103991f)).\n\nHost binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) on Windows to access and/or export security event information.[[WithSecure Lazarus-NoPineapple Threat Intel Report 2023](https://app.tidalcyber.com/references/195922fa-a843-5cd3-a153-32f0b960dcb9)][[Cadet Blizzard emerges as novel threat actor](https://app.tidalcyber.com/references/7180c6a7-e6ea-54bf-bcd7-c5238bbc5f5b)] In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.[[SIM Swapping and Abuse of the Microsoft Azure Serial Console](https://app.tidalcyber.com/references/c596a0e0-6e9c-52e4-b1bb-9c0542f960f2)]\n\nAdversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.", + "description": "Adversaries may enumerate system and service logs to find useful data. 
These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://app.tidalcyber.com/technique/6736995e-b9ea-401b-81fa-6caeb7a17ce3)), security or vulnerable software ([Software Discovery](https://app.tidalcyber.com/technique/e9bff6ff-3142-4910-8f67-19b868912602)), or hosts within a compromised network ([Remote System Discovery](https://app.tidalcyber.com/technique/00a9a4d4-928d-4d95-be31-dfac6103991f)).\n\nHost binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) on Windows to access and/or export security event information.[[WithSecure Lazarus-NoPineapple Threat Intel Report 2023](https://app.tidalcyber.com/references/195922fa-a843-5cd3-a153-32f0b960dcb9)][[Cadet Blizzard emerges as novel threat actor](https://app.tidalcyber.com/references/7180c6a7-e6ea-54bf-bcd7-c5238bbc5f5b)] In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.[[SIM Swapping and Abuse of the Microsoft Azure Serial Console](https://app.tidalcyber.com/references/c596a0e0-6e9c-52e4-b1bb-9c0542f960f2)]\n\nAdversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.\n\nIn addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.[[Permiso GUI-Vil 2023](https://app.tidalcyber.com/references/f3f16141-3420-5e72-b7d0-092bbd02f064)]", "meta": { "platforms": [ + "AWS", + "Azure", + "GCP", "IaaS", "Linux", "macOS", 
@@ -2298,13 +2427,18 @@
 "description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406).\n\nAdversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
 "Azure AD",
+ "GCP",
 "Google Workspace",
 "IaaS",
+ "Identity Provider",
 "Linux",
 "macOS",
 "Network",
 "Office 365",
+ "Office Suite",
 "SaaS",
 "Windows"
 ],
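Review bot: The new platforms array keeps the older platform names ("Azure AD", "Google Workspace", "Office 365") side by side with the values that appear to supersede them ("Identity Provider", "Office Suite"), so any consumer that filters or counts coverage by platform will see this technique twice for a single environment. The same pairing is in the hunks `@@ -2401,12 +2558,17 @@` and `@@ -2724,13 +2902,18 @@`, and `@@ -2684,10 +2853,19 @@` even adds "Office 365" and "Office Suite" (and "Azure AD" and "Identity Provider") as new lines in the same change; the "Office 365"/"Office Suite" pair also appears in `@@ -2056,6 +2173,7 @@`, `@@ -2098,6 +2219,7 @@`, `@@ -2202,6 +2327,7 @@` and `@@ -2647,7 +2814,9 @@`. If this mirrors the upstream source during a platform-vocabulary transition, the commit message should say so; if the file is generated, emitting a single vocabulary (or a mapping from old to new names) would spare downstream users from deduplicating by hand.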
@@ -2331,6 +2465,9 @@
 "description": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.\n\nPermissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.[[Mandiant M-Trends 2020](https://app.tidalcyber.com/references/83bc9b28-f8b3-4522-b9f1-f43bce3ae917)]",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
+ "GCP",
 "IaaS"
 ],
 "source": "MITRE"
@@ -2344,6 +2481,26 @@ "uuid": "46c78b63-d079-441e-abdd-c16b39d4bab3", "value": "Modify Cloud Compute Infrastructure" }, + { + "description": "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses. \n\nIaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.[[AWS Organizations](https://app.tidalcyber.com/references/06d4ce21-ef87-5977-80df-10bd36ae722e)][[Microsoft Azure Resources](https://app.tidalcyber.com/references/3d2f4092-5173-5f40-8b5f-c1cb886a2e6e)]\n\nAdversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.[[Microsoft Peach Sandstorm 2023](https://app.tidalcyber.com/references/84d026ed-b8f2-5bbb-865a-2d93aa4b2ef8)][[Microsoft Subscription Hijacking 2022](https://app.tidalcyber.com/references/e5944e4c-76c6-55d1-97ec-8367b7f98c28)]\n\nIn AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. 
Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.[[AWS RE:Inforce Threat Detection 2024](https://app.tidalcyber.com/references/f2689dfc-83ff-53c6-b074-ce507824799a)]", + "meta": { + "platforms": [ + "AWS", + "Azure", + "GCP", + "IaaS" + ], + "source": "MITRE" + }, + "related": [ + { + "dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726", + "type": "uses" + } + ], + "uuid": "fbc49122-feae-52bf-9b96-93594cb5a01d", + "value": "Modify Cloud Resource Hierarchy" + }, { "description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) may be used for local or remote Registry modification. [[Microsoft Reg](https://app.tidalcyber.com/references/1e1b21bd-18b3-4c77-8eb8-911b028ab603)] Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) or other utilities using the Win32 API. [[Microsoft Reghide NOV 2006](https://app.tidalcyber.com/references/42503ec7-f5da-4116-a3b3-a1b18a66eed3)] Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. 
[[TrendMicro POWELIKS AUG 2014](https://app.tidalcyber.com/references/4a42df15-4d09-4f4f-8333-2b41356fdb80)] [[SpectorOps Hiding Reg Jul 2017](https://app.tidalcyber.com/references/877a5ae4-ec5f-4f53-b69d-ba74ff9e1619)]\n\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. [[Microsoft Remote](https://app.tidalcyber.com/references/331d59e3-ce7f-483c-b77d-001c8a9ae1df)] Often [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://app.tidalcyber.com/technique/bc2f2c6c-ffe7-4e78-bbac-369f6781bbdd) for RPC communication.", "meta": { 
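Review bot: The new "Modify Cloud Resource Hierarchy" entry carries a stray space inside the description before the first paragraph break (`evade defenses. \n\nIaaS environments`), which every consumer that splits the text on newlines will render as trailing whitespace; `evade defenses.\n\nIaaS environments` is the intended text, and if the file is regenerated from upstream the fix belongs there. The platforms list includes "GCP" although the description only covers AWS Organizations and Azure management groups; that may be exactly what upstream publishes, but it is worth confirming rather than inheriting, since consumers read `platforms` as applicability. The enclosing cluster array and the following Registry entry both extend outside this hunk.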
@@ -2401,12 +2558,17 @@ "description": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.\n\nAdversaries in possession of credentials to [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account. If adversaries lack credentials to victim accounts, they may also abuse automatic push notification generation when this option is configured for self-service password reset (SSPR).[[Obsidian SSPR Abuse 2023](https://app.tidalcyber.com/references/7f28f770-ef06-5923-b759-b731ceabe08a)]\n\nIn some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”[[Russian 2FA Push Annoyance - Cimpanu](https://app.tidalcyber.com/references/ad2b0648-b657-4daa-9510-82375a252fc4)][[MFA Fatigue Attacks - PortSwigger](https://app.tidalcyber.com/references/1b7b0f00-71ba-4762-ae81-bce24591cff4)][[Suspected Russian Activity Targeting Government and Business Entities Around the Globe](https://app.tidalcyber.com/references/f45a0551-8d49-4d40-989f-659416dc25ec)]", "meta": { "platforms": [ + "AWS", + "Azure", "Azure AD", + "GCP", "Google Workspace", "IaaS", + "Identity Provider", "Linux", "macOS", "Office 365", + "Office Suite", "SaaS", "Windows" ], 
@@ -2480,14 +2642,13 @@ "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes[[FireEye OpPoisonedHandover February 2016](https://app.tidalcyber.com/references/1d57b1c8-930b-4bcb-a51e-39020327cc5d)] and to support other malicious activities, including distraction[[FSISAC FraudNetDoS September 2012](https://app.tidalcyber.com/references/9c8772eb-6d1d-4742-a2db-a5e1006effaa)], hacktivism, and extortion.[[Symantec DDoS October 2014](https://app.tidalcyber.com/references/878e0382-4191-4bca-8adc-c379b0d57ba8)]\n\nA Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\n\nTo perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. 
This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nFor DoS attacks targeting the hosting system directly, see [Endpoint Denial of Service](https://app.tidalcyber.com/technique/8b0caea0-602e-4117-8322-b125150f5c2a).", "meta": { "platforms": [ - "Azure AD", + "AWS", + "Azure", "Containers", - "Google Workspace", + "GCP", "IaaS", "Linux", "macOS", - "Office 365", - "SaaS", "Windows" ], "source": "MITRE" @@ -2505,7 +2666,10 @@ "description": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.[[CISA AR21-126A FIVEHANDS May 2021](https://app.tidalcyber.com/references/f98604dd-2881-4024-8e43-6f5f48c6c9fa)] \n\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.\n\nWithin macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp .) to find other systems broadcasting the ssh service.[[apple doco bonjour description](https://app.tidalcyber.com/references/b8538d67-ab91-41c2-9cc3-a7b00c6b372a)][[macOS APT Activity Bradley](https://app.tidalcyber.com/references/7ccda957-b38d-4c3f-a8f5-6cecdcb3f584)]", "meta": { "platforms": [ + "AWS", + "Azure", "Containers", + "GCP", "IaaS", "Linux", "macOS", 
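Review bot: The Network Denial of Service hunk (`@@ -2480,14 +2642,13 @@`) is the only one in this patch that removes platform values — "Azure AD", "Google Workspace", "Office 365" and "SaaS" are dropped and only "AWS", "Azure" and "GCP" are added — while every other hunk keeps the older names and adds the new ones. A downstream coverage map keyed on "SaaS" silently loses this technique with no replacement value. If this reflects the upstream source restricting the technique to infrastructure platforms it is correct, but it deserves a sentence in the commit message because it is a semantic narrowing rather than a rename.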
@@ -2546,6 +2710,9 @@ "description": "Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://app.tidalcyber.com/technique/b44a263f-76b2-4a1f-baeb-dd285974eca6), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://app.tidalcyber.com/tactics/50ba4930-7c8e-4ef9-bc36-70e7dae661eb) and/or [Defense Evasion](https://app.tidalcyber.com/tactics/8e29c6c9-0c10-4bb0-827d-ff0ab8922726) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9) (AiTM) to passively gain additional knowledge about the environment.\n\nIn cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. 
For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.[[AWS Traffic Mirroring](https://app.tidalcyber.com/references/6b77a2f3-39b8-4574-8dee-cde7ba9debff)][[GCP Packet Mirroring](https://app.tidalcyber.com/references/c91c6399-3520-4410-936d-48c3b13235ca)][[Azure Virtual Network TAP](https://app.tidalcyber.com/references/3f106d7e-f101-4adb-bbd1-d8c04a347f85)] Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.[[Rhino Security Labs AWS VPC Traffic Mirroring](https://app.tidalcyber.com/references/09cac813-862c-47c8-a47f-154c5436afbb)][[SpecterOps AWS Traffic Mirroring](https://app.tidalcyber.com/references/6ab2cfa1-230f-498e-8049-fcdd2f7296dd)] The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.[[Rhino Security Labs AWS VPC Traffic Mirroring](https://app.tidalcyber.com/references/09cac813-862c-47c8-a47f-154c5436afbb)]\n\nOn network devices, adversaries may perform network captures using [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `monitor capture`.[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)][[capture_embedded_packet_on_software](https://app.tidalcyber.com/references/5d973180-a28a-5c8f-b13a-45d21331700f)]", "meta": { "platforms": [ + "AWS", + "Azure", + "GCP", "IaaS", "Linux", "macOS", @@ -2556,11 +2723,11 @@ }, "related": [ { - "dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53", + "dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa", "type": "uses" }, { - "dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa", + "dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53", "type": "uses" } ], 
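Review bot: The second hunk here (`@@ -2556,11 +2723,11 @@`) only swaps the order of the two `related` entries; neither `dest-uuid` nor `type` changes, so the hunk is pure churn and will likely flip back on the next regeneration unless the ordering is deterministic. If this file is produced by a script, sorting `related` by `dest-uuid` before serialising would keep such no-op diffs out of future updates and make the real changes in these bulk updates easier to review.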
@@ -2647,7 +2814,9 @@
 "description": "Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.\n\nA variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.[[SensePost Ruler GitHub](https://app.tidalcyber.com/references/aa0a1508-a872-4e69-bf20-d3c8202f18c1)] These persistence mechanisms can work within Outlook or be used through Office 365.[[TechNet O365 Outlook Rules](https://app.tidalcyber.com/references/c7f9bd2f-254a-4254-8a92-a3ab02455fcb)]",
 "meta": {
 "platforms": [
+ "Google Workspace",
 "Office 365",
+ "Office Suite",
 "Windows"
 ],
 "source": "MITRE"
@@ -2684,10 +2853,19 @@
 "description": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://app.tidalcyber.com/technique/c16eef78-232e-47a2-98e9-046ec075b13c). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\n\nPassword policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies [[Superuser Linux Password Policies](https://app.tidalcyber.com/references/c0bbc881-594a-408c-86a2-211ce6279231)] [[Jamf User Password Policies](https://app.tidalcyber.com/references/aa3846fd-a307-4be5-a487-9aa2688d5816)]. Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to discover password policy information (e.g. 
show aaa, show aaa common-criteria policy all).[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]\n\nPassword policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS [[AWS GetPasswordPolicy](https://app.tidalcyber.com/references/dd44d565-b9d9-437e-a31a-a52c6a21e3b3)].",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
+ "Azure AD",
+ "GCP",
+ "Google Workspace",
 "IaaS",
+ "Identity Provider",
 "Linux",
 "macOS",
 "Network",
+ "Office 365",
+ "Office Suite",
+ "SaaS",
 "Windows"
 ],
 "source": "MITRE"
@@ -2724,13 +2902,18 @@
 "description": "Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.\n\nAdversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.[[CrowdStrike BloodHound April 2018](https://app.tidalcyber.com/references/fa99f290-e42c-4311-9f6d-c519c9ab89fe)]",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
 "Azure AD",
 "Containers",
+ "GCP",
 "Google Workspace",
 "IaaS",
+ "Identity Provider",
 "Linux",
 "macOS",
 "Office 365",
+ "Office Suite",
 "SaaS",
 "Windows"
 ],
@@ -2746,13 +2929,16 @@
 "value": "Permission Groups Discovery"
 },
 {
- "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://app.tidalcyber.com/technique/01505d46-8675-408d-881e-68f4d8743d47)).[[Microsoft OAuth Spam 2022](https://app.tidalcyber.com/references/086c06a0-3960-5fa8-b034-cef37a3aee90)][[Palo Alto Unit 42 VBA Infostealer 2014](https://app.tidalcyber.com/references/c3eccab6-b12b-513a-9a04-396f7b3dcf63)] Another way to accomplish this is by forging or spoofing[[Proofpoint-spoof](https://app.tidalcyber.com/references/fe9f7542-bbf0-5e34-b3a9-8596cc5aa754)] the identity of the sender which can be used to fool both the human recipient as well as automated security tools.[[cyberproof-double-bounce](https://app.tidalcyber.com/references/4406d688-c392-5244-b438-6995f38dfc61)] \n\nVictims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,[[sygnia Luna Month](https://app.tidalcyber.com/references/3e1c2a64-8446-538d-a148-2de87991955a)][[CISA Remote Monitoring and Management 
Software](https://app.tidalcyber.com/references/1ee55a8c-9e9d-520a-a3d3-1d2da57e0265)] or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872)).[[Unit42 Luna Moth](https://app.tidalcyber.com/references/ec52bcc9-6a56-5b94-8534-23c8e7ce740f)]",
+ "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://app.tidalcyber.com/technique/01505d46-8675-408d-881e-68f4d8743d47)).[[Microsoft OAuth Spam 2022](https://app.tidalcyber.com/references/086c06a0-3960-5fa8-b034-cef37a3aee90)][[Palo Alto Unit 42 VBA Infostealer 2014](https://app.tidalcyber.com/references/c3eccab6-b12b-513a-9a04-396f7b3dcf63)] Another way to accomplish this is by forging or spoofing[[Proofpoint-spoof](https://app.tidalcyber.com/references/fe9f7542-bbf0-5e34-b3a9-8596cc5aa754)] the identity of the sender which can be used to fool both the human recipient as well as automated security tools,[[cyberproof-double-bounce](https://app.tidalcyber.com/references/4406d688-c392-5244-b438-6995f38dfc61)] or by including the intended target as a party to an existing 
email thread that includes malicious files or links (i.e., \"thread hijacking\").[[phishing-krebs](https://app.tidalcyber.com/references/1f591eeb-04c0-5125-b378-e3716a839d17)]\n\nVictims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,[[sygnia Luna Month](https://app.tidalcyber.com/references/3e1c2a64-8446-538d-a148-2de87991955a)][[CISA Remote Monitoring and Management Software](https://app.tidalcyber.com/references/1ee55a8c-9e9d-520a-a3d3-1d2da57e0265)] or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872)).[[Unit42 Luna Moth](https://app.tidalcyber.com/references/ec52bcc9-6a56-5b94-8534-23c8e7ce740f)]",
 "meta": {
 "platforms": [
+ "Azure AD",
 "Google Workspace",
+ "Identity Provider",
 "Linux",
 "macOS",
 "Office 365",
+ "Office Suite",
 "SaaS",
 "Windows"
 ],
@@ -2889,7 +3075,7 @@
 "value": "Process Injection"
 },
 {
- "description": "Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. \n\nThere are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.[[SSH Tunneling](https://app.tidalcyber.com/references/13280f38-0f17-42d3-9f92-693f1da60ffa)] \n\n[Protocol Tunneling](https://app.tidalcyber.com/technique/bd677092-d197-4230-b94a-438cb24260fd) may also be abused by adversaries during [Dynamic Resolution](https://app.tidalcyber.com/technique/987ad3da-9423-4fe0-a52b-b931c0b8b95f). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.[[BleepingComp Godlua JUL19](https://app.tidalcyber.com/references/fd862d10-79bc-489d-a552-118014d01648)] \n\nAdversaries may also leverage [Protocol Tunneling](https://app.tidalcyber.com/technique/bd677092-d197-4230-b94a-438cb24260fd) in conjunction with [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b) and/or [Protocol Impersonation](https://app.tidalcyber.com/technique/eb15320a-cd24-45b2-b23f-05ef8daf1039) to further conceal C2 communications and infrastructure. 
",
+ "description": "Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. \n\nThere are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.[[SSH Tunneling](https://app.tidalcyber.com/references/13280f38-0f17-42d3-9f92-693f1da60ffa)] \n\n[Protocol Tunneling](https://app.tidalcyber.com/technique/bd677092-d197-4230-b94a-438cb24260fd) may also be abused by adversaries during [Dynamic Resolution](https://app.tidalcyber.com/technique/987ad3da-9423-4fe0-a52b-b931c0b8b95f). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.[[BleepingComp Godlua JUL19](https://app.tidalcyber.com/references/fd862d10-79bc-489d-a552-118014d01648)] \n\nAdversaries may also leverage [Protocol Tunneling](https://app.tidalcyber.com/technique/bd677092-d197-4230-b94a-438cb24260fd) in conjunction with [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b) and/or [Protocol or Service Impersonation](https://app.tidalcyber.com/technique/eb15320a-cd24-45b2-b23f-05ef8daf1039) to further conceal C2 communications and infrastructure. ",
 "meta": {
 "platforms": [
 "Linux",
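Review bot: The new description line changes the link text for technique `eb15320a-cd24-45b2-b23f-05ef8daf1039` from `Protocol Impersonation` to `Protocol or Service Impersonation` while the UUID stays the same; the entry whose `value` is that name is not in this hunk, so it is worth confirming the rename was applied there too, otherwise inline link text and the technique's own `value` will disagree. Separately, the string still ends with a space before the closing quote (`infrastructure. "`), which the rewrite preserves, and the Search Victim-Owned Websites hunk adds a description ending the same way (`)] "`). If descriptions are copied verbatim from upstream that is expected; if not, trimming them in the generator avoids whitespace-only diffs later.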
@@ -2986,6 +3172,9 @@
 "description": "Adversaries may use [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\n\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).[[SSH Secure Shell](https://app.tidalcyber.com/references/ac5fc103-1946-488b-8af5-eda0636cbdd0)][[TechNet Remote Desktop Services](https://app.tidalcyber.com/references/b8fc1bdf-f602-4a9b-a51c-fa49e70f24cd)] They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain. \n\nLegitimate applications (such as [Software Deployment Tools](https://app.tidalcyber.com/technique/1bcf9fb5-6848-44d9-b394-ffbd3c357058) and other administrative programs) may utilize [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. 
ARD leverages a blend of protocols, including [VNC](https://app.tidalcyber.com/technique/af7afc1e-3374-4d1c-917b-c47c305274f5) to send the screen and control buffers and [SSH](https://app.tidalcyber.com/technique/7620ba3a-7877-4f87-90e3-588163ac0474) for secure file transfer.[[Remote Management MDM macOS](https://app.tidalcyber.com/references/e5f59848-7014-487d-9bae-bed81af1b72b)][[Kickstart Apple Remote Desktop commands](https://app.tidalcyber.com/references/f26542dd-aa61-4d2a-a05a-8f9674b49f82)][[Apple Remote Desktop Admin Guide 3.3](https://app.tidalcyber.com/references/c57c2bba-a398-4e68-b2a7-fddcf0740b61)] Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.[[FireEye 2019 Apple Remote Desktop](https://app.tidalcyber.com/references/bbc72952-988e-4c3c-ab5e-75b64e9e33f5)][[Lockboxx ARD 2019](https://app.tidalcyber.com/references/159f8495-5354-4b93-84cb-a25e56fcff3e)][[Kickstart Apple Remote Desktop commands](https://app.tidalcyber.com/references/f26542dd-aa61-4d2a-a05a-8f9674b49f82)]",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
+ "GCP",
 "IaaS",
 "Linux",
 "macOS",
@@ -3063,13 +3252,17 @@
 "value": "Replication Through Removable Media"
 },
 {
- "description": "Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. \n\nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.[[Kaspersky Lazarus Under The Hood Blog 2017](https://app.tidalcyber.com/references/a1e1ab6a-8db0-4593-95ec-78784607dfa0)] Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.[[CloudSploit - Unused AWS Regions](https://app.tidalcyber.com/references/7c237b73-233f-4fe3-b4a6-ce523fd82853)] Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.[[Unit 42 Hildegard Malware](https://app.tidalcyber.com/references/0941cf0e-75d8-4c96-bc42-c99d809e75f9)][[Trend Micro Exposed Docker APIs](https://app.tidalcyber.com/references/24ae5092-42ea-4c83-bdf7-c0e5026d9559)]\n\nAdditionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.[[Trend Micro War of Crypto Miners](https://app.tidalcyber.com/references/1ba47efe-35f8-4d52-95c7-65cdc829c8e5)]\n\nAdversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://app.tidalcyber.com/technique/e6c14a7b-1fb8-4557-83e7-7f5b89717311) campaigns and/or to seed malicious 
torrents.[[GoBotKR](https://app.tidalcyber.com/references/7d70675c-5520-4c81-8880-912ce918c4b5)] Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.[[Sysdig Proxyjacking](https://app.tidalcyber.com/references/26562be2-cab6-5867-9a43-d8a59c663596)]",
+ "description": "Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. \n\nResource hijacking may take a number of different forms. For example, adversaries may:\n\n* Leverage compute resources in order to mine cryptocurrency\n* Sell network bandwidth to proxy networks\n* Generate SMS traffic for profit\n* Abuse cloud-based messaging services to send large quantities of spam messages\n\nIn some cases, adversaries may leverage multiple types of Resource Hijacking at once.[[Sysdig Cryptojacking Proxyjacking 2023](https://app.tidalcyber.com/references/aa0820ed-62ae-578a-adbe-e6597551f069)]",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
 "Containers",
+ "GCP",
 "IaaS",
 "Linux",
 "macOS",
+ "SaaS",
 "Windows"
 ],
 "source": "MITRE"
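Review bot: The rewritten description keeps a single citation (`Sysdig Cryptojacking Proxyjacking 2023`) and drops the seven the old text carried — `Kaspersky Lazarus Under The Hood Blog 2017`, `CloudSploit - Unused AWS Regions`, `Unit 42 Hildegard Malware`, `Trend Micro Exposed Docker APIs`, `Trend Micro War of Crypto Miners`, `GoBotKR` and `Sysdig Proxyjacking`. If reference objects elsewhere in the repository are only reachable through these labels they are now orphaned; presumably the generator prunes or keeps them deliberately, but that is not visible here. The new text also embeds markdown bullets (`* Leverage compute resources ...`) inside the JSON string, so a consumer that renders `description` as plain text will show literal asterisks — worth stating in the schema or README if markdown is the intended format for this field.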
@@ -3186,7 +3379,7 @@
 "value": "Screen Capture"
 },
 {
- "description": "Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.[[D3Secutrity CTI Feeds](https://app.tidalcyber.com/references/088f2cbd-cce1-477f-9ffb-319477d74b69)] Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.[[ZDNET Selling Data](https://app.tidalcyber.com/references/61d00ae2-5494-4c6c-8860-6826e701ade8)]\n\nAdversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) or [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).",
+ "description": "Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. 
Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.[[ZDNET Selling Data](https://app.tidalcyber.com/references/61d00ae2-5494-4c6c-8860-6826e701ade8)]\n\nAdversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) or [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).",
 "meta": {
 "platforms": [
 "PRE"
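Review bot: The new description drops the `[[D3Secutrity CTI Feeds](https://app.tidalcyber.com/references/088f2cbd-cce1-477f-9ffb-319477d74b69)]` citation that followed `technical/threat intelligence data.` in the old line, so that claim is now unsourced while the next sentence still cites `ZDNET Selling Data`. If the upstream text removed the reference on purpose this is fine; otherwise re-attach it directly after that sentence, keeping the label exactly as the reference entry spells it so the lookup still resolves.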
@@ -3237,7 +3430,7 @@
 "value": "Search Open Websites/Domains"
 },
 {
- "description": "Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://app.tidalcyber.com/technique/2eee984c-ea00-4284-b3eb-fd0c603a5a80)). These sites may also have details highlighting business operations and relationships.[[Comparitech Leak](https://app.tidalcyber.com/references/fa0eac56-45ea-4628-88cf-b843874b4a4d)]\n\nAdversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4) or [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf) or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533)).",
+ "description": "Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://app.tidalcyber.com/technique/2eee984c-ea00-4284-b3eb-fd0c603a5a80)). 
These sites may also have details highlighting business operations and relationships.[[Comparitech Leak](https://app.tidalcyber.com/references/fa0eac56-45ea-4628-88cf-b843874b4a4d)]\n\nAdversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4) or [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf) or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533)).\n\nIn addition to manually browsing the website, adversaries may attempt to identify hidden directories or files that could contain additional sensitive information or vulnerable functionality. They may do this through automated activities such as [Wordlist Scanning](https://app.tidalcyber.com/technique/a0e40412-cbfb-477b-87fc-40f2c84d26be), as well as by leveraging files such as sitemap.xml and robots.txt.[[Perez Sitemap XML 2023](https://app.tidalcyber.com/references/b52dcca4-19cb-5b95-9c5e-8b5c81fd986f)][[Register Robots TXT 2015](https://app.tidalcyber.com/references/0027a941-bc2d-54e3-9adf-85333d68b244)] ",
 "meta": {
 "platforms": [
 "PRE"
@@ -3254,11 +3447,16 @@
 "value": "Search Victim-Owned Websites"
 },
 {
- "description": "Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers. \n\nAdversaries may abuse these resources in various ways as a means of executing arbitrary commands. For example, adversaries may use serverless functions to execute malicious code, such as crypto-mining malware (i.e. [Resource Hijacking](https://app.tidalcyber.com/technique/d10c4a15-aeaa-4630-a7a3-3373c89a584f)).[[Cado Security Denonia](https://app.tidalcyber.com/references/584e7ace-ef33-423b-9801-4728a447cb34)] Adversaries may also create functions that enable further compromise of the cloud environment. For example, an adversary may use the `IAM:PassRole` permission in AWS or the `iam.serviceAccounts.actAs` permission in Google Cloud to add [Additional Cloud Roles](https://app.tidalcyber.com/technique/71867386-ddc2-4cdb-a0c9-7c27172c23c1) to a serverless cloud function, which may then be able to perform actions the original user cannot.[[Rhino Security Labs AWS Privilege Escalation](https://app.tidalcyber.com/references/693e5783-4aa1-40ce-8080-cec01c3e7b59)][[Rhingo Security Labs GCP Privilege Escalation](https://app.tidalcyber.com/references/55373476-1cbe-49f5-aecb-69d60b336d38)]\n\nServerless functions can also be invoked in response to cloud events (i.e. [Event Triggered Execution](https://app.tidalcyber.com/technique/e1e42979-d3cd-461b-afc4-a6373cbf97ba)), potentially enabling persistent execution over time. 
For example, in AWS environments, an adversary may create a Lambda function that automatically adds [Additional Cloud Credentials](https://app.tidalcyber.com/technique/0799f2ee-3a83-452e-9fa9-83e91d83be25) to a user and a corresponding CloudWatch events rule that invokes that function whenever a new user is created.[[Backdooring an AWS account](https://app.tidalcyber.com/references/2c867527-1584-44f7-b5e5-8ca54ea79619)] Similarly, an adversary may create a Power Automate workflow in Office 365 environments that forwards all emails a user receives or creates anonymous sharing links whenever a user is granted access to a document in SharePoint.[[Varonis Power Automate Data Exfiltration](https://app.tidalcyber.com/references/16436468-1daf-433d-bb3b-f842119594b4)][[Microsoft DART Case Report 001](https://app.tidalcyber.com/references/bd8c6a86-1a63-49cd-a97f-3d119e4223d4)]",
+ "description": "Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers. \n\nAdversaries may abuse these resources in various ways as a means of executing arbitrary commands. For example, adversaries may use serverless functions to execute malicious code, such as crypto-mining malware (i.e. [Resource Hijacking](https://app.tidalcyber.com/technique/d10c4a15-aeaa-4630-a7a3-3373c89a584f)).[[Cado Security Denonia](https://app.tidalcyber.com/references/584e7ace-ef33-423b-9801-4728a447cb34)] Adversaries may also create functions that enable further compromise of the cloud environment. 
For example, an adversary may use the `IAM:PassRole` permission in AWS or the `iam.serviceAccounts.actAs` permission in Google Cloud to add [Additional Cloud Roles](https://app.tidalcyber.com/technique/71867386-ddc2-4cdb-a0c9-7c27172c23c1) to a serverless cloud function, which may then be able to perform actions the original user cannot.[[Rhino Security Labs AWS Privilege Escalation](https://app.tidalcyber.com/references/693e5783-4aa1-40ce-8080-cec01c3e7b59)][[Rhingo Security Labs GCP Privilege Escalation](https://app.tidalcyber.com/references/55373476-1cbe-49f5-aecb-69d60b336d38)]\n\nServerless functions can also be invoked in response to cloud events (i.e. [Event Triggered Execution](https://app.tidalcyber.com/technique/e1e42979-d3cd-461b-afc4-a6373cbf97ba)), potentially enabling persistent execution over time. For example, in AWS environments, an adversary may create a Lambda function that automatically adds [Additional Cloud Credentials](https://app.tidalcyber.com/technique/0799f2ee-3a83-452e-9fa9-83e91d83be25) to a user and a corresponding CloudWatch events rule that invokes that function whenever a new user is created.[[Backdooring an AWS account](https://app.tidalcyber.com/references/2c867527-1584-44f7-b5e5-8ca54ea79619)] This is also possible in many cloud-based office application suites. 
For example, in Microsoft 365 environments, an adversary may create a Power Automate workflow that forwards all emails a user receives or creates anonymous sharing links whenever a user is granted access to a document in SharePoint.[[Varonis Power Automate Data Exfiltration](https://app.tidalcyber.com/references/16436468-1daf-433d-bb3b-f842119594b4)][[Microsoft DART Case Report 001](https://app.tidalcyber.com/references/bd8c6a86-1a63-49cd-a97f-3d119e4223d4)] In Google Workspace environments, they may instead create an Apps Script that exfiltrates a user's data when they open a file.[[Cloud Hack Tricks GWS Apps Script](https://app.tidalcyber.com/references/32569f13-e383-576c-813c-52490450464d)][[OWN-CERT Google App Script 2024](https://app.tidalcyber.com/references/1f837b2d-6b45-57ed-8d34-a78ce88cb998)]",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
+ "GCP",
+ "Google Workspace",
 "IaaS",
 "Office 365",
+ "Office Suite",
 "SaaS"
 ],
 "source": "MITRE"
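Review bot: Both the removed and the added description line cite `[[Rhingo Security Labs GCP Privilege Escalation](https://app.tidalcyber.com/references/55373476-1cbe-49f5-aecb-69d60b336d38)]` — the label misspells the vendor that the citation immediately before it spells `Rhino`, and the rewrite carries the typo forward. If citation labels are keys into a references collection, correcting it here alone would break the lookup, so the fix belongs wherever the label is defined; if they are display text only, change it to `Rhino Security Labs GCP Privilege Escalation`. The prose also now says `Microsoft 365 environments` while the platform list in the same hunk still carries `"Office 365"`, the same vocabulary drift as in the other platform hunks.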
@@ -3293,7 +3491,7 @@
 "value": "Server Software Component"
 },
 {
- "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)][[Novetta Blockbuster](https://app.tidalcyber.com/references/bde96b4f-5f98-4ce5-a507-4b05d192b6d7)] \n\nAdversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible [[Novetta Blockbuster](https://app.tidalcyber.com/references/bde96b4f-5f98-4ce5-a507-4b05d192b6d7)]. In some cases, adversaries may stop or disable many or all services to render systems unusable.[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)] Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) or [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3) on the data stores of services like Exchange and SQL Server.[[SecureWorks WannaCry Analysis](https://app.tidalcyber.com/references/522b2a19-1d15-48f8-8801-c64d3abd945a)]",
+ "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. 
Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)][[Novetta Blockbuster](https://app.tidalcyber.com/references/bde96b4f-5f98-4ce5-a507-4b05d192b6d7)] \n\nAdversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible.[[Novetta Blockbuster](https://app.tidalcyber.com/references/bde96b4f-5f98-4ce5-a507-4b05d192b6d7)] In some cases, adversaries may stop or disable many or all services to render systems unusable.[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)] Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) or [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3) on the data stores of services like Exchange and SQL Server.[[SecureWorks WannaCry Analysis](https://app.tidalcyber.com/references/522b2a19-1d15-48f8-8801-c64d3abd945a)]",
 "meta": {
 "platforms": [
 "Linux",
@@ -3331,7 +3529,7 @@
 "value": "Shared Modules"
 },
 {
- "description": "Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager. \n\nAccess to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\n\nSaaS-based configuration management services may allow for broad [Cloud Administration Command](https://app.tidalcyber.com/technique/944a7b91-c58e-567d-9e2c-515b93713c50) on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. 
For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Azure AD.[[SpecterOps Lateral Movement from Azure to On-Prem AD 2020](https://app.tidalcyber.com/references/eb97d3d6-21cb-5f27-9a78-1e8576acecdc)] Such services may also utilize [Web Protocols](https://app.tidalcyber.com/technique/9a21ec7b-9714-4073-9bf3-4df41995c698) to communicate back to adversary owned infrastructure.[[Mitiga Security Advisory: SSM Agent as Remote Access Trojan](https://app.tidalcyber.com/references/88fecbcd-a89b-536a-a1f6-6ddfb2b452da)]\n\nNetwork infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.[[Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation](https://app.tidalcyber.com/references/a43dd8ce-23d6-5768-8522-6973dc45e1ac)]\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to access specific functionality.",
+ "description": "Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager. \n\nAccess to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. 
The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\n\nSaaS-based configuration management services may allow for broad [Cloud Administration Command](https://app.tidalcyber.com/technique/944a7b91-c58e-567d-9e2c-515b93713c50) on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Entra ID.[[SpecterOps Lateral Movement from Azure to On-Prem AD 2020](https://app.tidalcyber.com/references/eb97d3d6-21cb-5f27-9a78-1e8576acecdc)] Such services may also utilize [Web Protocols](https://app.tidalcyber.com/technique/9a21ec7b-9714-4073-9bf3-4df41995c698) to communicate back to adversary owned infrastructure.[[Mitiga Security Advisory: SSM Agent as Remote Access Trojan](https://app.tidalcyber.com/references/88fecbcd-a89b-536a-a1f6-6ddfb2b452da)]\n\nNetwork infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.[[Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation](https://app.tidalcyber.com/references/a43dd8ce-23d6-5768-8522-6973dc45e1ac)]\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to access specific functionality.",
 "meta": {
 "platforms": [
 "Linux",
@@ -3359,6 +3557,9 @@
 "description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://app.tidalcyber.com/technique/e9bff6ff-3142-4910-8f67-19b868912602) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nSuch software may be deployed widely across the environment for configuration management or security reasons, such as [Software Deployment Tools](https://app.tidalcyber.com/technique/1bcf9fb5-6848-44d9-b394-ffbd3c357058), and may allow adversaries broad access to infect devices or move laterally.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c).",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
+ "GCP",
 "IaaS",
 "Linux",
 "macOS",
@@ -3396,10 +3597,16 @@
 "description": "Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).[[Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019](https://app.tidalcyber.com/references/8ec52402-7e54-463d-8906-f373e5855018)] Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.\n\nFor example, in Kubernetes environments, processes running inside a container may communicate with the Kubernetes API server using service account tokens. If a container is compromised, an adversary may be able to steal the container’s token and thereby gain access to Kubernetes API commands.[[Kubernetes Service Accounts](https://app.tidalcyber.com/references/a74ffa28-8a2e-4bfd-bc66-969b463bebd9)] Similarly, instances within continuous-development / continuous-integration (CI/CD) pipelines will often use API tokens to authenticate to other services for testing and deployment.[[Cider Security Top 10 CICD Security Risks](https://app.tidalcyber.com/references/512974b7-b464-52af-909a-2cb880b524e5)] If these pipelines are compromised, adversaries may be able to steal these tokens and leverage their privileges.\n\nToken theft can also occur through social engineering, in which case user action may be required to grant access. OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. 
An example commonly-used sequence is Microsoft's Authorization Code Grant flow.[[Microsoft Identity Platform Protocols May 2019](https://app.tidalcyber.com/references/a99d2292-be39-4e55-a952-30c9d6a3d0a3)][[Microsoft - OAuth Code Authorization flow - June 2019](https://app.tidalcyber.com/references/a41c2123-8b8d-4f98-a535-e58e3e746b69)] An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. \n \nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.[[Amnesty OAuth Phishing Attacks, August 2019](https://app.tidalcyber.com/references/0b0f9cf6-f0af-4f86-9699-a63ff36c49e2)][[Trend Micro Pawn Storm OAuth 2017](https://app.tidalcyber.com/references/7d12c764-facd-4086-acd0-5c0287344520)] The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.[[Microsoft - Azure AD App Registration - May 2019](https://app.tidalcyber.com/references/36a06c99-55ca-4163-9450-c3b84ae10039)] Then, they can send a [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://app.tidalcyber.com/technique/8592f37d-850a-43d1-86f2-cc981ad7d7dc).[[Microsoft - Azure AD Identity Tokens - Aug 2019](https://app.tidalcyber.com/references/44767d53-8cd7-44dd-a69d-8a7bebc1d87d)]\n\nApplication access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. 
However, in some cases, adversaries can also steal application refresh tokens[[Auth0 Understanding Refresh Tokens](https://app.tidalcyber.com/references/84eb3d8a-f6b1-4bb5-9411-2c8da29b5946)], allowing them to obtain new access tokens without prompting the user. \n\n",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
 "Azure AD",
 "Containers",
+ "GCP",
 "Google Workspace",
+ "IaaS",
+ "Identity Provider",
 "Office 365",
+ "Office Suite",
 "SaaS"
 ],
 "source": "MITRE"
@@ -3414,10 +3621,11 @@
 "value": "Steal Application Access Token"
 },
 {
- "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.[[O365 Blog Azure AD Device IDs](https://app.tidalcyber.com/references/ec94c043-92ef-4691-b21a-7ea68f39e338)][[Microsoft AD CS Overview](https://app.tidalcyber.com/references/f1b2526a-1bf6-4954-a9b3-a5e008761ceb)]\n\nAuthentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)[[APT29 Deep Look at Credential Roaming](https://app.tidalcyber.com/references/691fb596-07b6-5c13-9cec-e28530ffde12)], misplaced certificate files (i.e. [Unsecured Credentials](https://app.tidalcyber.com/technique/02ed857b-ba39-4fab-b1d9-3ed2aa689dfd)), or directly from the Windows certificate store via various crypto APIs.[[SpecterOps Certified Pre Owned](https://app.tidalcyber.com/references/73b6a6a6-c2b8-4aed-9cbc-d3bdcbb97698)][[GitHub CertStealer](https://app.tidalcyber.com/references/da06ce8f-f950-4ae8-a62a-b59b236e91a3)][[GitHub GhostPack Certificates](https://app.tidalcyber.com/references/941e214d-4188-4ca0-9ef8-b26aa96373a2)] With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. 
Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.[[Medium Certified Pre Owned](https://app.tidalcyber.com/references/04e53c69-3f29-4bb4-83c9-ff3a2db1526b)]\n\nAbusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://app.tidalcyber.com/tactics/50ba4930-7c8e-4ef9-bc36-70e7dae661eb). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://app.tidalcyber.com/tactics/b17dde68-dbcf-4cfd-9bb8-be014ec65c37), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable [Persistence](https://app.tidalcyber.com/tactics/ec4f9786-c00c-430a-bc6d-0d0d22fdd393) via stealing or forging certificates that can be used as [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) for the duration of the certificate's validity, despite user password resets. 
Authentication certificates can also be stolen and forged for machine accounts.\n\nAdversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://app.tidalcyber.com/tactics/ec4f9786-c00c-430a-bc6d-0d0d22fdd393) by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).[[Medium Certified Pre Owned](https://app.tidalcyber.com/references/04e53c69-3f29-4bb4-83c9-ff3a2db1526b)] Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://app.tidalcyber.com/technique/12efebf8-9da4-446c-a627-b6f95524f1ea) ticket-granting tickets (TGT) or NTLM plaintext.[[Medium Certified Pre Owned](https://app.tidalcyber.com/references/04e53c69-3f29-4bb4-83c9-ff3a2db1526b)]",
+ "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.[[O365 Blog Azure AD Device IDs](https://app.tidalcyber.com/references/ec94c043-92ef-4691-b21a-7ea68f39e338)][[Microsoft AD CS Overview](https://app.tidalcyber.com/references/f1b2526a-1bf6-4954-a9b3-a5e008761ceb)]\n\nAuthentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)[[APT29 Deep Look at Credential Roaming](https://app.tidalcyber.com/references/691fb596-07b6-5c13-9cec-e28530ffde12)], misplaced certificate files (i.e. 
[Unsecured Credentials](https://app.tidalcyber.com/technique/02ed857b-ba39-4fab-b1d9-3ed2aa689dfd)), or directly from the Windows certificate store via various crypto APIs.[[SpecterOps Certified Pre Owned](https://app.tidalcyber.com/references/73b6a6a6-c2b8-4aed-9cbc-d3bdcbb97698)][[GitHub CertStealer](https://app.tidalcyber.com/references/da06ce8f-f950-4ae8-a62a-b59b236e91a3)][[GitHub GhostPack Certificates](https://app.tidalcyber.com/references/941e214d-4188-4ca0-9ef8-b26aa96373a2)] With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.[[Medium Certified Pre Owned](https://app.tidalcyber.com/references/04e53c69-3f29-4bb4-83c9-ff3a2db1526b)]\n\nAbusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://app.tidalcyber.com/tactics/50ba4930-7c8e-4ef9-bc36-70e7dae661eb). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://app.tidalcyber.com/tactics/b17dde68-dbcf-4cfd-9bb8-be014ec65c37), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable [Persistence](https://app.tidalcyber.com/tactics/ec4f9786-c00c-430a-bc6d-0d0d22fdd393) via stealing or forging certificates that can be used as [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) for the duration of the certificate's validity, despite user password resets. 
Authentication certificates can also be stolen and forged for machine accounts.\n\nAdversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://app.tidalcyber.com/tactics/ec4f9786-c00c-430a-bc6d-0d0d22fdd393) by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).[[Medium Certified Pre Owned](https://app.tidalcyber.com/references/04e53c69-3f29-4bb4-83c9-ff3a2db1526b)] Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://app.tidalcyber.com/technique/12efebf8-9da4-446c-a627-b6f95524f1ea) ticket-granting tickets (TGT) or NTLM plaintext.[[Medium Certified Pre Owned](https://app.tidalcyber.com/references/04e53c69-3f29-4bb4-83c9-ff3a2db1526b)]",
 "meta": {
 "platforms": [
 "Azure AD",
+ "Identity Provider",
 "Linux",
 "macOS",
 "Windows"
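Review bot: The new description says "Entra ID device certificates" while the platforms list in the same hunk keeps `"Azure AD"` and adds `"Identity Provider"`, so one entry now names the same identity service under its new name in prose and its old name in the platform enum. If the old value is kept on purpose for consumers that still filter on `"Azure AD"`, that is defensible, but it should be a deliberate compatibility decision stated in the commit message; otherwise drop `"Azure AD"` so the enum follows the rename the description already made. The same old/new pairs (`"Azure AD"`/`"Identity Provider"`, `"Office 365"`/`"Office Suite"`) appear in the other platform hunks of this change, so whichever policy is chosen should be applied to all of them. The citation title "O365 Blog Azure AD Device IDs" is a reference name and is correctly left untouched.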
@@ -3434,7 +3642,7 @@
 "value": "Steal or Forge Authentication Certificates"
 },
 {
- "description": "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://app.tidalcyber.com/technique/5e771f38-6286-4330-b7b4-38071ad6b68a). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).[[ADSecurity Kerberos Ring Decoder](https://app.tidalcyber.com/references/5f78a554-2d5c-49af-8c6c-6e10f9aec997)] Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\n\nOn Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.[[Microsoft Klist](https://app.tidalcyber.com/references/f500340f-23fc-406a-97ef-0de787ef8cec)]\n\nLinux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the \"ccache\". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.[[MIT ccache](https://app.tidalcyber.com/references/6a1b4373-2304-420c-8733-e1eae71ff7b2)] On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. 
If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://app.tidalcyber.com/technique/5e771f38-6286-4330-b7b4-38071ad6b68a). The ccache file may also be converted into a Windows format using tools such as Kekeo.[[Linux Kerberos Tickets](https://app.tidalcyber.com/references/5aea042f-4eb1-4092-89be-3db695053470)][[Brining MimiKatz to Unix](https://app.tidalcyber.com/references/5ad06565-6694-4c42-81c9-880d66f6d07f)][[Kekeo](https://app.tidalcyber.com/references/0b69f0f5-dd4a-4926-9369-8253a0c3ddea)]\n\n\nKerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf configuration file and the KRB5CCNAME environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit, klist, ktutil, and kcc built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.[[SpectorOps Bifrost Kerberos macOS 2019](https://app.tidalcyber.com/references/58ecb4e9-25fc-487b-9fed-25c781cc531b)][[macOS kerberos framework MIT](https://app.tidalcyber.com/references/8e09346b-03ce-4627-a365-f2f63089d1e0)]\n",
+ "description": "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://app.tidalcyber.com/technique/5e771f38-6286-4330-b7b4-38071ad6b68a). 
Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).[[ADSecurity Kerberos Ring Decoder](https://app.tidalcyber.com/references/5f78a554-2d5c-49af-8c6c-6e10f9aec997)] Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\n\nOn Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.[[Microsoft Klist](https://app.tidalcyber.com/references/f500340f-23fc-406a-97ef-0de787ef8cec)]\n",
 "meta": {
 "platforms": [
 "Linux",
@@ -3460,6 +3668,7 @@
 "Linux",
 "macOS",
 "Office 365",
+ "Office Suite",
 "SaaS",
 "Windows"
 ],
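Review bot: The new description stops after the Windows `klist` sentence and removes all of the Linux ccache/SSSD (`/var/lib/sss/secrets/secrets.ldb`, `.secrets.mkey`) and macOS KCM material, yet the platform list directly below still opens with `"Linux"`, so the entry's platforms are no longer supported by its own text. This reads like the upstream split of that content into a ccache-files sub-technique, but nothing in the hunk references one, and an analyst landing on this entry loses the only pointer to where Linux/macOS ticket theft is now documented. I would either keep one bridging sentence at the end of the description, e.g. `Kerberos credential caches (ccache files) on Linux and macOS are covered under the corresponding sub-technique.`, or confirm in the commit message that the sub-technique entry exists elsewhere in this file and that the Linux/macOS platform values here are intentionally retained. The second hunk on this line (`+ "Office Suite"`) is a plain platform addition and needs nothing.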
@@ -3535,6 +3744,9 @@
 "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://app.tidalcyber.com/technique/a2961a00-450e-45a5-b293-f699d9f3b4ea) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nTools such as [Systeminfo](https://app.tidalcyber.com/software/cecea681-a753-47b5-9d77-c10a5b4403ab) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to gather detailed system information (e.g. show version).[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)] [System Information Discovery](https://app.tidalcyber.com/technique/a2961a00-450e-45a5-b293-f699d9f3b4ea) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.[[OSX.FairyTale](https://app.tidalcyber.com/references/27f8ad45-53d2-48ba-b549-f7674cf9c2e7)][[20 macOS Common Tools and Techniques](https://app.tidalcyber.com/references/3ee99ff4-daf4-4776-9d94-f7cf193c2b0c)]\n\nInfrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. 
Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.[[Amazon Describe Instance](https://app.tidalcyber.com/references/c0b6a8a4-0d94-414d-b5ab-cf5485240dee)][[Google Instances Resource](https://app.tidalcyber.com/references/9733447c-072f-4da8-9cc7-0a0ce6a3b820)][[Microsoft Virutal Machine API](https://app.tidalcyber.com/references/f565c237-07c5-4e9e-9879-513627517109)]",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
+ "GCP",
 "IaaS",
 "Linux",
 "macOS",
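Review bot: The added `"AWS"`, `"Azure"` and `"GCP"` values sit beside the retained `"IaaS"`, and the description in this same hunk calls those three "IaaS cloud providers", so the technique is now listed once under the umbrella platform and once per provider. If the provider values are meant as a Tidal-specific refinement of the upstream IaaS platform that is reasonable, but any consumer that tallies coverage per platform value will count this technique four times instead of once, and the data itself gives no signal that the three are subsets of the fourth. The same addition pattern appears in the neighbouring platform hunks (`@@ -3359`, `@@ -3556`, `@@ -3596`, `@@ -3798`, `@@ -3835`, `@@ -3857`), so a single sentence in the commit message stating that provider values refine rather than replace `"IaaS"` would resolve the ambiguity for all of them.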
@@ -3556,6 +3768,9 @@
 "description": "\nAdversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://app.tidalcyber.com/technique/90e6a093-3e87-4d74-8b68-38c7d7e5e93c) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.[[FBI Ragnar Locker 2020](https://app.tidalcyber.com/references/38b9b8a3-6fd3-4650-9192-14ee3f302705)][[Sophos Geolocation 2016](https://app.tidalcyber.com/references/a3b7540d-20cc-4d94-8321-9fd730486f8c)][[Bleepingcomputer RAT malware 2020](https://app.tidalcyber.com/references/a587ea99-a951-4aa8-a3cf-a4822ae97490)] Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host.[[FBI Ragnar Locker 2020](https://app.tidalcyber.com/references/38b9b8a3-6fd3-4650-9192-14ee3f302705)] In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.[[AWS Instance Identity Documents](https://app.tidalcyber.com/references/efff0080-59fc-4ba7-ac91-771358f68405)][[Microsoft Azure Instance Metadata 2021](https://app.tidalcyber.com/references/66e93b75-0067-4cdb-b695-8f8109ef26e0)]\n\nAdversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.[[Securelist Trasparent Tribe 2020](https://app.tidalcyber.com/references/0db470b1-ab22-4b67-a858-472e4de7c6f0)][[Sophos Geolocation 2016](https://app.tidalcyber.com/references/a3b7540d-20cc-4d94-8321-9fd730486f8c)]",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
+ "GCP",
 "IaaS",
 "Linux",
 "macOS",
@@ -3596,6 +3811,9 @@
 "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. \n\nAn adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.[[Amazon AWS VPC Guide](https://app.tidalcyber.com/references/7972332d-fbe9-4f14-9511-4298f65f2a86)][[Microsoft Azure Virtual Network Overview](https://app.tidalcyber.com/references/bf7f2e7a-f5ae-4b6e-8c90-fd41a92c4615)][[Google VPC Overview](https://app.tidalcyber.com/references/9ebe53cf-657f-475d-85e4-9e30f4af1e7d)] Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.\n\nUtilities and commands that acquire this information include [netstat](https://app.tidalcyber.com/software/132fb908-9f13-4bcf-aa64-74cbc72f5491), \"net use,\" and \"net session\" with [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc). In Mac and Linux, [netstat](https://app.tidalcyber.com/software/132fb908-9f13-4bcf-aa64-74cbc72f5491) and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to \"net session\". Additionally, built-in features native to network devices and [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) may be used (e.g. 
show ip sockets, show tcp brief).[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
+ "GCP",
 "IaaS",
 "Linux",
 "macOS",
@@ -3732,9 +3950,11 @@
 "description": "\nAdversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.\n\nA directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://app.tidalcyber.com/technique/bfde0a09-8109-41e4-b8c9-68fe20e8131b) of directory .LNK files that use [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd) to look like the real directories, which are hidden through [Hidden Files and Directories](https://app.tidalcyber.com/technique/14e81a2d-9eca-429c-9fb9-08e109de9f6c). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. [[Retwin Directory Share Pivot](https://app.tidalcyber.com/references/027c5274-6b61-447a-9058-edb844f112dd)]\n\nAdversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. 
The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.",
 "meta": {
 "platforms": [
+ "Google Workspace",
 "Linux",
 "macOS",
 "Office 365",
+ "Office Suite",
 "SaaS",
 "Windows"
 ],
@@ -3798,9 +4018,13 @@
 "description": "Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.\n\nA defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.[[TLDRSec AWS Attacks](https://app.tidalcyber.com/references/b8de9dd2-3c57-5417-a24f-0260dff6afc6)]\n\nAdversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.[[Microsoft Azure Storage Shared Access Signature](https://app.tidalcyber.com/references/9031357f-04ac-5c07-a59d-97b9e32edf79)]\n\nIncidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.[[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)] ",
 "meta": {
 "platforms": [
+ "AWS",
+ "Azure",
+ "GCP",
 "Google Workspace",
 "IaaS",
 "Office 365",
+ "Office Suite",
 "SaaS"
 ],
 "source": "MITRE"
@@ -3835,10 +4059,17 @@ "description": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.\n\nOrganizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) used by the other party for access to internal network systems may be compromised and used.[[CISA IT Service Providers](https://app.tidalcyber.com/references/b8bee7f9-155e-4765-9492-01182e4435b7)]\n\nIn Office 365 environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships or send new delegated administrator offers to clients in order to gain administrative control over the victim tenant.[[Office 365 Delegated Administration](https://app.tidalcyber.com/references/fa0ed0fd-bf57-4a0f-9370-e22f27b20e42)]", "meta": { "platforms": [ + "AWS", + "Azure", + "Azure AD", + "GCP", + "Google Workspace", "IaaS", + "Identity Provider", "Linux", "macOS", "Office 365", + "Office Suite", "SaaS", "Windows" ], 
@@ -3857,14 +4088,19 @@ "description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://app.tidalcyber.com/technique/065d1cca-8ca5-4f8b-a333-2340706f589e)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://app.tidalcyber.com/technique/cdac2469-52ca-42a8-aefe-0321a7e3d658)), or other specialized files/artifacts (e.g. [Private Keys](https://app.tidalcyber.com/technique/e493bf4a-0eba-4e60-a7a6-c699084dc98a)).[[Brining MimiKatz to Unix](https://app.tidalcyber.com/references/5ad06565-6694-4c42-81c9-880d66f6d07f)]", "meta": { "platforms": [ + "AWS", + "Azure", "Azure AD", "Containers", + "GCP", "Google Workspace", "IaaS", + "Identity Provider", "Linux", "macOS", "Network", "Office 365", + "Office Suite", "SaaS", "Windows" ], 
@@ -3883,6 +4119,9 @@ "description": "Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.\n\nCloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.\n\nA variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity.\n\nAn example of adversary use of unused AWS regions is to mine cryptocurrency through [Resource Hijacking](https://app.tidalcyber.com/technique/d10c4a15-aeaa-4630-a7a3-3373c89a584f), which can cost organizations substantial amounts of money over time depending on the processing power used.[[CloudSploit - Unused AWS Regions](https://app.tidalcyber.com/references/7c237b73-233f-4fe3-b4a6-ce523fd82853)]", "meta": { "platforms": [ + "AWS", + "Azure", + "GCP", "IaaS" ], "source": "MITRE" 
@@ -3900,10 +4139,16 @@ "description": "Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. \n\nAuthentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.[[NIST Authentication](https://app.tidalcyber.com/references/f3cfb9b9-62f4-4066-a2b9-7e6f25bd7a46)][[NIST MFA](https://app.tidalcyber.com/references/2f069bb2-3f59-409e-a337-7c69411c8b01)]\n\nCaching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through [Credential Access](https://app.tidalcyber.com/tactics/0c3132d5-c0df-4793-b5f2-1a95bd64ab53) techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.\n", "meta": { "platforms": [ + "AWS", + "Azure", + "Azure AD", "Containers", + "GCP", "Google Workspace", "IaaS", + "Identity Provider", "Office 365", + "Office Suite", "SaaS", "Windows" ], 
@@ -3923,10 +4168,13 @@ "value": "Use Alternate Authentication Material" }, { - "description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533).\n\nWhile [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://app.tidalcyber.com/technique/4f4ea659-7653-4bfd-a525-b2af32c5899b).\n\nAdversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://app.tidalcyber.com/technique/17f9e46d-4e3d-4491-a0d9-0cc042531d6e)s; or downloading and executing malware for [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872).[[Talos Roblox Scam 2023](https://app.tidalcyber.com/references/9371ee4a-ac23-5acb-af3f-132ef3645392)][[Krebs Discord Bookmarks 2023](https://app.tidalcyber.com/references/1d0a21f4-9a8e-5514-894a-3d55263ff973)]\n\nFor example, tech support scams can be facilitated through [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533), vishing, or various forms of user interaction. 
Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430).[[Telephone Attack Delivery](https://app.tidalcyber.com/references/9670da7b-0600-4072-9ecc-65a918b89ac5)]", + "description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533).\n\nWhile [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. 
This activity may also be seen shortly after [Internal Spearphishing](https://app.tidalcyber.com/technique/4f4ea659-7653-4bfd-a525-b2af32c5899b).\n\nAdversaries may also deceive users into performing actions such as:\n\n* Enabling [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430), allowing direct control of the system to the adversary\n* Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://app.tidalcyber.com/technique/17f9e46d-4e3d-4491-a0d9-0cc042531d6e)s[[Talos Roblox Scam 2023](https://app.tidalcyber.com/references/9371ee4a-ac23-5acb-af3f-132ef3645392)][[Krebs Discord Bookmarks 2023](https://app.tidalcyber.com/references/1d0a21f4-9a8e-5514-894a-3d55263ff973)]\n* Downloading and executing malware for [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872)\n* Coerceing users to copy, paste, and execute malicious code manually[[Reliaquest-execution](https://app.tidalcyber.com/references/c6febbb5-b994-5996-a42d-56d4cb151e83)][[proofpoint-selfpwn](https://app.tidalcyber.com/references/8f00ffc0-7094-5fd9-8ed4-9c129fd93c05)]\n\nFor example, tech support scams can be facilitated through [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430).[[Telephone Attack Delivery](https://app.tidalcyber.com/references/9670da7b-0600-4072-9ecc-65a918b89ac5)]", "meta": { "platforms": [ + "AWS", + "Azure", "Containers", + "GCP", "IaaS", "Linux", "macOS", 
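Review bot: The new description in this hunk carries a spelling error: the bullet `* Coerceing users to copy, paste, and execute malicious code manually` should read `* Coercing users to copy, paste, and execute malicious code manually`. The wording appears to be taken verbatim from the upstream Tidal/ATT&CK technique entry that this cluster is regenerated from, so the correction probably belongs upstream (or in the generator) rather than in a hand edit of the JSON. The platform additions in this and the neighbouring hunks are not affected.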
@@ -3947,14 +4195,19 @@ "description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.[[volexity_0day_sophos_FW](https://app.tidalcyber.com/references/85bee18e-216d-4ea6-b34e-b071e3f63382)] Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nIn some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.[[CISA MFA PrintNightmare](https://app.tidalcyber.com/references/fa03324e-c79c-422e-80f1-c270fd87d4e2)]\n\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.[[TechNet Credential Theft](https://app.tidalcyber.com/references/5c183c97-0ab2-4b75-8dbc-9db92a929ff4)]", "meta": { "platforms": [ + "AWS", + "Azure", "Azure AD", "Containers", + "GCP", "Google Workspace", "IaaS", + "Identity Provider", "Linux", "macOS", "Network", "Office 365", + "Office Suite", "SaaS", "Windows" ], 
@@ -4041,7 +4294,7 @@
 "value": "Weaken Encryption"
 },
 {
- "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).",
+ "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.[[Broadcom BirdyClient Microsoft Graph API 2024](https://app.tidalcyber.com/references/a55197e2-3ed7-5b6f-8ab5-06218c2226a4)] Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).",
 "meta": {
 "platforms": [
 "Linux",
From a26dee8f7911becfd5cf7f94f2f13054cc084cf5 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 4 Nov 2024 15:48:20 +0100
Subject: [PATCH 19/21] chg: [readme] updated
---
 README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 36fc9aa..e44e26c 100644
--- a/README.md
+++ b/README.md
@@ -607,7 +607,7 @@ Category: *actor* - source: *MISP Project* - total: *763* elements
 [Tidal Campaigns](https://www.misp-galaxy.org/tidal-campaigns) - Tidal Campaigns Cluster
-Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *83* elements
+Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *102* elements
 [[HTML](https://www.misp-galaxy.org/tidal-campaigns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-campaigns.json)]
@@ -615,7 +615,7 @@ Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns
 [Tidal Groups](https://www.misp-galaxy.org/tidal-groups) - Tidal Groups Galaxy
-Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *206* elements
+Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *224* elements
 [[HTML](https://www.misp-galaxy.org/tidal-groups)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-groups.json)]
@@ -623,7 +623,7 @@ Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/group
 [Tidal References](https://www.misp-galaxy.org/tidal-references) - Tidal References Cluster
-Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4349* elements
+Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4627* elements
 [[HTML](https://www.misp-galaxy.org/tidal-references)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-references.json)]
@@ -631,7 +631,7 @@ Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/referenc
 [Tidal Software](https://www.misp-galaxy.org/tidal-software) - Tidal Software Cluster
-Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1053* elements
+Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1106* elements
 [[HTML](https://www.misp-galaxy.org/tidal-software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-software.json)]
@@ -647,7 +647,7 @@ Category: *Tactic* - source: *https://app-api.tidalcyber.com/api/v1/tactic/* - t
 [Tidal Technique](https://www.misp-galaxy.org/tidal-technique) - Tidal Technique Cluster
-Category: *Technique* - source: *https://app-api.tidalcyber.com/api/v1/technique/* - total: *202* elements
+Category: *Technique* - source: *https://app-api.tidalcyber.com/api/v1/technique/* - total: *203* elements
 [[HTML](https://www.misp-galaxy.org/tidal-technique)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-technique.json)]
From 53d19a1ce67d8421924876df41600259cbb14393 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 4 Nov 2024 15:53:05 +0100
Subject: [PATCH 20/21] chg: [sigma] updated
---
 README.md | 2 +-
 clusters/sigma-rules.json | 3313 +++++++++++++++++++------------------
 2 files changed, 1672 insertions(+), 1643 deletions(-)
diff --git a/README.md b/README.md
index e44e26c..a66d2f3 100644
--- a/README.md
+++ b/README.md
@@ -535,7 +535,7 @@ Category: *sector* - source: *CERT-EU* - total: *118* elements
 [Sigma-Rules](https://www.misp-galaxy.org/sigma-rules) - MISP galaxy cluster based on Sigma Rules.
-Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2970* elements
+Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2971* elements
 [[HTML](https://www.misp-galaxy.org/sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]
diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index af929ed..d45c2c0 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
@@ -59,8 +59,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
 "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml"
 ],
 "tags": [
@@ -127,8 +127,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
 "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
+ "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml"
 ],
 "tags": [
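Review bot: The `refs` array in the -59 hunk is only reordered (the redcanary atomic-red-team URL moves below the YouTube link) with nothing added or removed, and the same pure reordering repeats in the -127, -150, -395, -419, -467, -503 hunks and most of the later hunks of this file. With the diffstat reporting 1672 insertions and 1643 deletions for a net gain of one rule, the generator that writes `clusters/sigma-rules.json` appears not to emit `refs` in a stable order; sorting the list (or preserving the upstream rule's order) before serialising would keep these regenerations reviewable and would make the one genuine reference addition, `https://blog.talosintelligence.com/uat-5647-romcom/` in the -1507 hunk, stand out. This is a point about how the file is produced, not about the rule data itself.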
@@ -150,8 +150,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.sans.org/cyber-security-summit/archives",
- "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
 "https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling",
+ "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
 "https://twitter.com/jamieantisocial/status/1304520651248668673",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml"
 ],
@@ -395,8 +395,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
 "https://persistence-info.github.io/Data/aedebug.html",
+ "https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml"
 ],
 "tags": [
@@ -419,12 +419,12 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/",
- "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper",
 "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html",
+ "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
+ "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/",
 "https://www.attackiq.com/2023/09/20/emulating-rhysida/",
 "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior",
- "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
+ "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml"
 ],
 "tags": [
@@ -467,10 +467,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN",
- "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/",
- "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
 "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html",
+ "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN",
+ "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml"
 ],
 "tags": [
@@ -503,8 +503,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
 "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
+ "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml"
 ],
 "tags": [
@@ -540,8 +540,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
 "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
+ "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml"
 ],
 "tags": [
@@ -716,8 +716,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
 "https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
 "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml"
 ],
@@ -751,8 +751,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/standa_t/status/1808868985678803222",
 "https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf",
+ "https://twitter.com/standa_t/status/1808868985678803222",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml"
 ],
 "tags": [
@@ -785,9 +785,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html",
- "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
 "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials",
+ "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
+ "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml"
 ],
 "tags": [
@@ -863,8 +863,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74",
+ "https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml"
 ],
 "tags": [
@@ -1032,8 +1032,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
 "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade",
+ "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml"
 ],
 "tags": [
@@ -1203,9 +1203,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine",
- "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection",
 "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html",
 "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html",
+ "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml"
 ],
 "tags": [
@@ -1271,8 +1271,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
 "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml"
 ],
 "tags": [
@@ -1329,8 +1329,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://labs.f-secure.com/blog/scheduled-task-tampering/",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml"
 ],
 "tags": [
@@ -1371,9 +1371,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
 "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/",
 "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml"
 ],
 "tags": [
@@ -1473,8 +1473,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
 "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry",
+ "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml"
 ],
 "tags": [
@@ -1507,8 +1507,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/",
 "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)",
+ "https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/",
+ "https://blog.talosintelligence.com/uat-5647-romcom/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml"
 ],
 "tags": [
@@ -1541,9 +1542,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
 "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
- "https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml"
 ],
 "tags": [
@@ -1576,8 +1577,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
 "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml"
 ],
 "tags": [
@@ -1663,8 +1664,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
- "https://twitter.com/inversecos/status/1494174785621819397",
 "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
+ "https://twitter.com/inversecos/status/1494174785621819397",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml"
 ],
 "tags": [
@@ -1738,9 +1739,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute",
 "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute",
+ "https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml"
 ],
 "tags": [
@@ -1893,8 +1894,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
- "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise",
 "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf",
+ "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml"
 ],
 "tags": [
@@ -1966,9 +1967,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content",
 "https://twitter.com/M_haggis/status/1699056847154725107",
 "https://twitter.com/JAMESWT_MHT/status/1699042827261391247",
- "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content",
 "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml"
 ],
@@ -2250,8 +2251,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
 "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml"
 ],
 "tags": [
@@ -2286,17 +2287,17 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
 "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
 "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
 "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml"
 ],
 "tags": [
@@ -2486,8 +2487,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index",
 "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files",
+ "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml"
 ],
 "tags": [
@@ -2520,8 +2521,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://youtu.be/zSihR3lTf7g",
 "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650",
+ "https://youtu.be/zSihR3lTf7g",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml"
 ],
 "tags": [
@@ -2611,16 +2612,16 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://blog.sekoia.io/darkgate-internals/",
 "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
 "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
 "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry",
- "https://blog.sekoia.io/darkgate-internals/",
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry",
 "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
 "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
 ],
 "tags": [
@@ -2823,8 +2824,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci",
 "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml"
 ],
 "tags": [
@@ -2858,14 +2859,14 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
- "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html",
 "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html",
- "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html",
 "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
+ "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html",
 "https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
+ "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html",
+ "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
 ],
 "tags": [
@@ -3018,9 +3019,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
- "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
 "https://unit42.paloaltonetworks.com/ransomware-families/",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml"
 ],
 "tags": [
@@ -3053,8 +3054,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13",
 "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
+ "https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml"
 ],
 "tags": [
@@ -3115,8 +3116,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/",
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf",
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml"
 ],
 "tags": [
@@ -3555,8 +3556,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
- "https://twitter.com/inversecos/status/1494174785621819397",
 "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
+ "https://twitter.com/inversecos/status/1494174785621819397",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml"
 ],
 "tags": [
@@ -3656,13 +3657,13 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
 "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
 "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
 "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
 "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
 ],
 "tags": [
@@ -3764,8 +3765,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
 "https://persistence-info.github.io/Data/mpnotify.html",
+ "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml"
 ],
 "tags": [
@@ -3855,8 +3856,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://x.com/yarden_shafir/status/1822667605175324787",
 "https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf",
+ "https://x.com/yarden_shafir/status/1822667605175324787",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hvci_disallowed_images.yml"
 ],
 "tags": [
@@ -3980,10 +3981,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps",
- "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware",
 "https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1",
 "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/",
+ "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware",
+ "https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml"
 ],
 "tags": [
@@ -4108,9 +4109,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
- "https://persistence-info.github.io/Data/codesigning.html",
 "https://github.com/gtworek/PSBits/tree/master/SIP",
+ "https://persistence-info.github.io/Data/codesigning.html",
+ "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
 ],
 "tags": [
@@ -4470,8 +4471,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/",
 "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass",
+ "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml"
 ],
 "tags": [
@@ -4537,8 +4538,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
 "https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
 "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml"
 ],
@@ -4647,8 +4648,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/",
 "https://github.com/rootm0s/WinPwnage",
+ "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml"
 ],
 "tags": [
@@ -4681,8 +4682,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
 "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml"
 ],
 "tags": [
@@ -4738,8 +4739,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/",
 "https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md",
+ "https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml"
 ],
 "tags": [
@@ -4806,9 +4807,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
- "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
 "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
+ "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
+ "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml"
 ],
 "tags": [
@@ -4909,6 +4910,42 @@
 "uuid": "086ae989-9ca6-4fe7-895a-759c5544f247",
 "value": "Potential Persistence Via TypedPaths"
 },
+ {
+ "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n",
+ "meta": {
+ "author": "Ahmed Farouk, Nasreddine Bencherchali",
+ "creation_date": "2024-11-01",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_runmru_susp_command_execution.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/",
+ "https://www.forensafe.com/blogs/runmrukey.html",
+ "https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71",
+ "https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_runmru_susp_command_execution.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "a7df0e9e-91a5-459a-a003-4cde67c2ff5d",
+ "value": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry"
+ },
 {
 "description": "Detects that a powershell code is written to the registry as a service.",
 "meta": {
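Review bot: The new entry's `description` ends with an escaped newline (`...CAPTCHA verification steps.\n`) while the description of the next entry in this hunk ends at its final period, so this one value carries a trailing line break that the neighbouring cluster values do not; ending the string at `...CAPTCHA verification steps."` keeps the field consistent. Separately, `"falsepositive": ["Unknown"]` next to `"level": "high"` gives an analyst nothing to triage against for a key that the description itself ties to ordinary Run-dialog input; the detection logic is not part of this hunk, so whether benign administrative use is already filtered cannot be judged here, and naming the expected benign sources in `falsepositive` would help whoever tunes the rule. The enclosing `values` array begins and ends outside the hunk.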
@@ -5055,8 +5092,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/WhichbufferArda/status/1543900539280293889",
 "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
+ "https://twitter.com/WhichbufferArda/status/1543900539280293889",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml"
 ],
 "tags": [
@@ -5157,8 +5194,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml"
 ],
 "tags": [
@@ -5192,8 +5229,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/pabraeken/status/998627081360695297",
- "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
 "https://twitter.com/VakninHai/status/1517027824984547329",
+ "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml"
 ],
 "tags": [
@@ -5267,8 +5304,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://twitter.com/malmoeb/status/1560536653709598721",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml"
 ],
 "tags": [
@@ -5291,11 +5328,11 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage",
- "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl",
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
 "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
+ "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl",
+ "https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
 ],
 "tags": [
@@ -5461,8 +5498,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/",
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml"
 ],
 "tags": [
@@ -5712,9 +5749,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://adsecurity.org/?p=1785",
 "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials",
 "https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/",
- "https://adsecurity.org/?p=1785",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml"
 ],
 "tags": [
@@ -5747,10 +5784,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
+ "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml"
 ],
 "tags": [
@@ -5996,8 +6033,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
 "https://twitter.com/0gtweet/status/1674399582162153472",
+ "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml"
 ],
 "tags": [
@@ -6088,8 +6125,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
 "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html",
+ "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml"
 ],
 "tags": [
@@ -6163,8 +6200,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml"
 ],
 "tags": [
@@ -6329,9 +6366,9 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
+ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
 "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
 "http://woshub.com/how-to-clear-rdp-connections-history/",
- "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml"
 ],
 "tags": [
@@ -6372,11 +6409,11 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/shell/launch",
- "https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
 "https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
+ "https://learn.microsoft.com/en-us/windows/win32/shell/launch",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
+ "https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
 ],
 "tags": [
@@ -6409,8 +6446,8 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
- "https://seclists.org/fulldisclosure/2020/Mar/45",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://seclists.org/fulldisclosure/2020/Mar/45",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml"
 ],
 "tags": [
@@ -6554,9 +6591,9 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://adepts.of0x.cc/netsh-portproxy-code/",
 "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 "https://www.dfirnotes.net/portproxy_detection/",
+ "https://adepts.of0x.cc/netsh-portproxy-code/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml"
 ],
 "tags": [
@@ -6626,8 +6663,8 @@ "logsource.product": "windows", "refs": [ "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", - "https://twitter.com/inversecos/status/1494174785621819397", "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", + "https://twitter.com/inversecos/status/1494174785621819397", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml" ], "tags": [ @@ -6660,11 +6697,11 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://nvd.nist.gov/vuln/detail/cve-2021-1675", - "https://nvd.nist.gov/vuln/detail/cve-2021-34527", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", + "https://nvd.nist.gov/vuln/detail/cve-2021-1675", "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", + "https://nvd.nist.gov/vuln/detail/cve-2021-34527", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" ], "tags": [ @@ -6734,10 +6771,10 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", + "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" ], "tags": [ 
@@ -6779,8 +6816,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/990717080805789697", "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", + "https://twitter.com/pabraeken/status/990717080805789697", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml" ], "tags": [ @@ -7080,8 +7117,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml" ], "tags": [ @@ -7255,8 +7292,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157", "https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml" ], "tags": [ @@ -7430,8 +7467,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://wikileaks.org/vault7/#Pandemic", "https://twitter.com/MalwareJake/status/870349480356454401", + "https://wikileaks.org/vault7/#Pandemic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml" ], "tags": [ 
@@ -7497,8 +7534,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml" ], "tags": [ @@ -7745,10 +7782,10 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", - "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", + "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", + "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml" ], @@ -7931,8 +7968,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0", + "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml" ], "tags": [ 
@@ -8309,8 +8346,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml" ], "tags": [ @@ -8343,8 +8380,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "Internal Research", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml" ], "tags": [ @@ -8377,8 +8414,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/", "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia", + "https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/", "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml" @@ -8413,8 +8450,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://twitter.com/notwhickey/status/1333900137232523264", "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", + "https://twitter.com/notwhickey/status/1333900137232523264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_appinstaller.yml" ], "tags": [ 
@@ -8447,9 +8484,9 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ + "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", "https://twitter.com/neonprimetime/status/1436376497980428318", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", - "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml" ], "tags": [ @@ -8516,8 +8553,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04", "https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml" ], "tags": [ @@ -8550,8 +8587,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security", "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", + "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security", "https://cydefops.com/devtunnels-unleashed", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml" ], 
@@ -8750,9 +8787,9 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://ipfyx.fr/post/visual-studio-code-tunnel/", - "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://cydefops.com/vscode-data-exfiltration", + "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml" ], "tags": [ @@ -8785,8 +8822,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://malware.guide/browser-hijacker/remove-onelaunch-virus/", "https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/", + "https://malware.guide/browser-hijacker/remove-onelaunch-virus/", "https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml" ], 
@@ -8864,13 +8901,13 @@ "logsource.product": "windows", "refs": [ "https://blog.sekoia.io/scattered-spider-laying-new-eggs/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a", "https://redcanary.com/blog/misbehaving-rats/", "https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml" ], "tags": [ 
@@ -8903,17 +8940,17 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ + "https://securelist.com/faq-the-projectsauron-apt/75533/", "https://www.us-cert.gov/ncas/alerts/TA17-117A", + "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://securelist.com/faq-the-projectsauron-apt/75533/", "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", + "https://github.com/RiccardoAncarani/LiquidSnake", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", - "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://thedfirreport.com/2020/06/21/snatch-ransomware/", - "https://github.com/RiccardoAncarani/LiquidSnake", + "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml" ], 
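Review bot: The new order of the `refs` array in the malicious-named-pipes entry is not a sort — `securelist.com/faq-the-projectsauron` now precedes `www.us-cert.gov`, which precedes `web.archive.org` — so, as with the other reorder-only hunks in this run, the ordering appears to be incidental iteration order rather than a deliberate one and will churn again on the next regeneration. If the generator collects refs into an unordered container before emitting, sorting them at emission (keeping the SigmaHQ rule link last, as every entry here already does) or preserving the upstream rule's order would keep these diffs reviewable and make a genuinely added or dropped reference visible instead of buried in shuffles. This is a point on the generator rather than on the data itself; nothing in the hunk changes which references the entry carries.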
@@ -8949,8 +8986,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", + "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml" ], "tags": [ @@ -8985,8 +9022,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://github.com/kavika13/RemCom", "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://github.com/kavika13/RemCom", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_remcom_default_pipe.yml" ], "tags": [ @@ -9063,8 +9100,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", + "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml" ], "tags": [ @@ -9098,8 +9135,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://github.com/poweradminllc/PAExec", "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md", + "https://github.com/poweradminllc/PAExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml" ], "tags": [ 
@@ -9311,10 +9348,10 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/d4rksystem/status/1357010969264873472", - "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", - "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", "https://github.com/SigmaHQ/sigma/issues/253", + "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", + "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml" ], "tags": [ @@ -9382,8 +9419,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml" ], "tags": [ @@ -9450,8 +9487,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml" ], "tags": [ 
@@ -9703,8 +9740,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "Personal research, statistical analysis", "https://lolbas-project.github.io", + "Personal research, statistical analysis", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml" ], "tags": [ @@ -9773,8 +9810,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/", "https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/", + "https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml" ], "tags": [ @@ -10099,8 +10136,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "Personal research, statistical analysis", "https://lolbas-project.github.io", + "Personal research, statistical analysis", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml" ], "tags": [ @@ -10275,8 +10312,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", + "https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml" ], "tags": [ 
@@ -10458,8 +10495,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1278977301745741825", "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", + "https://twitter.com/SBousseaden/status/1278977301745741825", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml" ], "tags": [ @@ -10525,8 +10562,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63", "https://github.com/GhostPack/SafetyKatz", + "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml" ], "tags": [ @@ -10547,7 +10584,7 @@ "value": "HackTool - SafetyKatz Dump Indicator" }, { - "description": "Detects Rclone config file being created", + "description": "Detects creation of a file with an \".rdp\" extension by an application that doesn't commonly create such files.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-18", @@ -10568,7 +10605,7 @@ ] }, "uuid": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", - "value": "RDP File Creation From Suspicious Application" + "value": ".RDP File Created By Uncommon Application" }, { "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", 
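Review bot: The corrected description for uuid `fccfb43e-09a7-4bd2-8b37-a5a7df33386d` ends with an embedded `\n` (`...such files.\n"`), which none of the neighbouring descriptions in this file carry and which will show up as a stray line break wherever the cluster is rendered; it looks like the upstream rule's YAML block-scalar newline leaking through the generator and should be stripped at emission, giving `"description": "Detects creation of a file with an \".rdp\" extension by an application that doesn't commonly create such files.",`. The `value` rename is the right fix for the old Rclone mislabel, but if any consumer tags or searches by the value string rather than the uuid, `RDP File Creation From Suspicious Application` stops resolving; if this cluster schema admits a `synonyms` list (the threat-actor entries in this same series use one), keeping the old name there would preserve that lookup. The rest of this cluster object lies outside the hunk.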
@@ -10684,8 +10721,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml" ], "tags": [ @@ -10777,9 +10814,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://en.wikipedia.org/wiki/IExpress", - "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", + "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", + "https://en.wikipedia.org/wiki/IExpress", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sed_file_creation.yml" ], "tags": [ 
@@ -10961,11 +10998,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" ], "tags": [ @@ -10998,9 +11035,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/intelligence-insights-october-2021/", - "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", + "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", + "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml" ], "tags": [ 
@@ -11305,8 +11342,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies", "https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders", + "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml" ], "tags": [ @@ -11339,10 +11376,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/Yaxser/Backstab", "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer", - "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks", "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/", + "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks", + "https://github.com/Yaxser/Backstab", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml" ], "tags": [ @@ -11476,8 +11513,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/12", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml" ], "tags": [ 
@@ -11510,8 +11547,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml" ], "tags": [ @@ -11545,8 +11582,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", "Internal Research", + "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml" ], @@ -11604,8 +11641,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", + "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" 
@@ -11729,8 +11766,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://persistence-info.github.io/Data/wpbbin.html", + "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml" ], "tags": [ @@ -11787,8 +11824,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml" ], "tags": [ @@ -11811,8 +11848,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/tifkin_/status/1321916444557365248", "https://twitter.com/rbmaslen/status/1321859647091970051", + "https://twitter.com/tifkin_/status/1321916444557365248", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml" ], "tags": [ @@ -11994,8 +12031,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish", "http://www.irongeek.com/homoglyph-attack-generator.php", + "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml" ], "tags": [ 
@@ -12102,8 +12139,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/", "https://adsecurity.org/?p=2398", + "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml" ], "tags": [ @@ -12400,9 +12437,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions", "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", "http://addbalance.com/word/startup.htm", + "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions", "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml" ], @@ -12436,8 +12473,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32", "https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/", + "https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml" ], "tags": [ 
@@ -12477,8 +12514,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", "https://cobalt.io/blog/kerberoast-attack-techniques", + "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml" ], "tags": [ 
@@ -12535,26 +12572,26 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/NetSPI/PowerUpSQL", - "https://github.com/besimorhino/powercat", - "https://github.com/adrecon/ADRecon", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu", - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/samratashok/nishang", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/Kevin-Robertson/Powermad", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/adrecon/AzureADRecon", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/CsEnox/EventViewer-UACBypass", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/NetSPI/PowerUpSQL", "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/samratashok/nishang", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/HarmJ0y/DAMP", + 
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/adrecon/ADRecon", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/besimorhino/powercat", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" ], "tags": [ @@ -12708,13 +12745,13 @@ "logsource.product": "windows", "refs": [ "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", - "https://github.com/CCob/MirrorDump", - "https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258", "https://github.com/helpsystems/nanodump", + "https://www.google.com/search?q=procdump+lsass", + "https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://github.com/CCob/MirrorDump", "https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35", "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", - "https://www.google.com/search?q=procdump+lsass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml" ], "tags": [ 
@@ -12815,9 +12852,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", - "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", + "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", + "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" ], @@ -12884,8 +12921,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile", "https://twitter.com/nas_bench/status/1550836225652686848", + "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml" ], "tags": [ @@ -13049,8 +13086,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml" ], "tags": [ 
@@ -13107,9 +13144,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", - "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml" ], "tags": [ @@ -13200,8 +13237,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/powershellprofile.html", "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", + "https://persistence-info.github.io/Data/powershellprofile.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml" ], "tags": [ @@ -13235,10 +13272,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79", - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76", "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form", "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml" ], "tags": [ 
@@ -13545,8 +13582,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml" ], "tags": [ @@ -13602,8 +13639,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence", "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", + "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence", "https://liberty-shell.com/sec/2020/02/25/shim-persistence/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml" @@ -13863,10 +13900,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/luc4m/status/1073181154126254080", + "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", - "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://twitter.com/luc4m/status/1073181154126254080", "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], 
@@ -13900,10 +13937,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/tag/ntds-dit/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://pentestlab.blog/tag/ntds-dit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml" ], "tags": [ @@ -14071,8 +14108,8 @@ "refs": [ "https://github.com/FireFart/hivenightmare/", "https://github.com/GossiTheDog/HiveNightmare", - "https://github.com/WiredPulse/Invoke-HiveNightmare", "https://twitter.com/cube0x0/status/1418920190759378944", + "https://github.com/WiredPulse/Invoke-HiveNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml" ], "tags": [ @@ -14106,9 +14143,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", - "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml" ], "tags": [ 
@@ -14145,6 +14182,31 @@
 "uuid": "117d3d3a-755c-4a61-b23e-9171146d094c",
 "value": "Suspicious Outlook Macro Created"
 },
+ {
+ "description": "Detects the creation of files with the \".rdp\" extensions in the temporary directory that Outlook uses when opening attachments.\nThis can be used to detect spear-phishing campaigns that use RDP files as attachments.\n",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2024-11-01",
+ "falsepositive": [
+ "Whenever someone receives an RDP file as an email attachment and decides to save or open it right from the attachments"
+ ],
+ "filename": "file_event_win_office_outlook_rdp_file_creation.yml",
+ "level": "high",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29",
+ "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/",
+ "https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml"
+ ],
+ "tags": [
+ "attack.defense-evasion"
+ ]
+ },
+ "uuid": "f748c45a-f8d3-4e6f-b617-fe176f695b8f",
+ "value": ".RDP File Created by Outlook Process"
+ },
 {
 "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)",
 "meta": {
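Review bot: The new ".RDP File Created by Outlook Process" entry carries a single ATT&CK tag, `"attack.defense-evasion"`, which does not match the behaviour its own description states (an `.rdp` attachment written to Outlook's temp directory as a spear-phishing lure), so consumers pivoting on tactic/technique tags will not find this rule under phishing; the tag list should read something like `"attack.initial-access", "attack.t1566.001"`, but confirm against the upstream Sigma YAML named in `filename`, because this cluster appears to be regenerated from that repo (the surrounding hunks are pure ref re-orderings) and a hand edit here would be overwritten on the next regeneration. The first ref is a LinkedIn deep link with embedded comment URNs, which is login-walled and fragile as a citation; the Microsoft and SigmaHQ refs already cover the campaign and the rule, so consider dropping or replacing it with the post's canonical URL. The falsepositive sentence ends abruptly ("...right from the attachments"); suggest `"A user who legitimately receives an RDP file as an email attachment and opens or saves it directly from Outlook"`.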
@@ -14251,8 +14313,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py", "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/", + "https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml" ], "tags": [ @@ -14286,8 +14348,8 @@ "logsource.product": "windows", "refs": [ "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", - "https://twitter.com/Sam0x90/status/1552011547974696960", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", + "https://twitter.com/Sam0x90/status/1552011547974696960", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml" ], "tags": [ @@ -14445,9 +14507,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/fox-it/LDAPFragger", "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", + "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml" ], "tags": [ 
@@ -14480,8 +14542,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", + "https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml" ], "tags": [ @@ -14514,8 +14576,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/binderlabs/DirCreate2System", "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", + "https://github.com/binderlabs/DirCreate2System", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml" ], "tags": [ 
@@ -14540,11 +14602,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", - "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", - "https://twitter.com/pfiatde/status/1681977680688738305", "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", + "https://twitter.com/pfiatde/status/1681977680688738305", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", + "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml" ], "tags": [ @@ -14577,8 +14639,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", "https://www.joesandbox.com/analysis/465533/0/html", + "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml" ], "tags": [ 
@@ -14661,10 +14723,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/luc4m/status/1073181154126254080", + "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", - "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://twitter.com/luc4m/status/1073181154126254080", "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" ], @@ -14698,8 +14760,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc", + "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml" ], "tags": [ 
@@ -14758,11 +14820,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", + "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://labs.withsecure.com/publications/detecting-onenote-abuse", + "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", - "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", "https://twitter.com/MaD_c4t/status/1623414582382567424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml" ], @@ -14787,8 +14849,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", + "https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml" ], "tags": [ @@ -15021,8 +15083,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1465282548494487554", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy", + "https://twitter.com/0gtweet/status/1465282548494487554", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml" ], "tags": [ 
@@ -15111,12 +15173,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", - "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://github.com/Wh04m1001/SysmonEoP", - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" ], "tags": [ @@ -15262,10 +15324,10 @@ "logsource.product": "windows", "refs": [ "https://github.com/FireFart/hivenightmare", - "https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934", "https://www.google.com/search?q=%22reg.exe+save%22+sam", - "https://github.com/HuskyHacks/ShadowSteal", + "https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934", "https://github.com/search?q=CVE-2021-36934", + "https://github.com/HuskyHacks/ShadowSteal", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" ], "tags": [ 
@@ -15366,8 +15428,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml" ], "tags": [ @@ -15469,8 +15531,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens", + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml" ], "tags": [ @@ -15503,8 +15565,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", "https://www.passcape.com/windows_password_recovery_dpapi_credhist", + "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_credhist.yml" ], "tags": [ @@ -15603,8 +15665,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "Internal Research", "https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml" ], "tags": [ 
@@ -15827,8 +15889,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/", "https://github.com/cube0x0/CVE-2021-1675", + "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml" ], "tags": [ @@ -15931,8 +15993,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://linuxhint.com/view-tomcat-logs-windows/", "Internal Research", + "https://linuxhint.com/view-tomcat-logs-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml" ], "tags": [ @@ -15965,8 +16027,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/9", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml" ], "tags": [ 
@@ -16032,9 +16094,9 @@ "logsource.category": "file_executable_detected", "logsource.product": "windows", "refs": [ - "https://en.wikipedia.org/wiki/IExpress", - "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", + "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", + "https://en.wikipedia.org/wiki/IExpress", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml" ], "tags": [ @@ -16480,8 +16542,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", - "https://redcanary.com/threat-detection-report/threats/qbot/", "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://redcanary.com/threat-detection-report/threats/qbot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], "tags": [ @@ -16515,9 +16577,9 @@ "logsource.product": "windows", "refs": [ "https://www.elastic.co/security-labs/operation-bleeding-bear", - "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", - "https://twitter.com/splinter_code/status/1483815103279603714", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://twitter.com/splinter_code/status/1483815103279603714", + "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml" ], "tags": [ 
@@ -16569,8 +16631,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/bohops/status/1477717351017680899?s=12", - "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", + "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml" ], "tags": [ @@ -16660,9 +16722,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/nao_sec/status/1530196847679401984", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/_JohnHammond/status/1531672601067675648", - "https://twitter.com/nao_sec/status/1530196847679401984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml" ], "tags": [ 
@@ -16780,12 +16842,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", - "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", - "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", - "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic", + "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", "https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior", + "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", + "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", + "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml" ], "tags": [ 
@@ -16818,13 +16880,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", - "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml" ], "tags": [ 
@@ -16857,9 +16919,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/", - "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", + "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", + "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml" ], "tags": [ @@ -16901,8 +16963,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml" ], "tags": [ 
@@ -16936,9 +16998,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://ss64.com/bash/rar.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml" ], "tags": [ @@ -17028,8 +17090,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation", "https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019", + "https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml" ], "tags": [ 
@@ -17230,10 +17292,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://en.wikipedia.org/wiki/IExpress", - "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", + "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/", + "https://en.wikipedia.org/wiki/IExpress", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml" ], "tags": [ @@ -17299,8 +17361,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml" 
@@ -17417,9 +17479,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -17523,9 +17585,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://code.visualstudio.com/docs/remote/tunnels", "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml" ], "tags": [ @@ -17558,8 +17620,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", "https://www.pingcastle.com/documentation/scanner/", + "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml" ], "tags": [ 
@@ -17601,8 +17663,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Turla has used fsutil fsinfo drives to list connected drives.", "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml", + "Turla has used fsutil fsinfo drives to list connected drives.", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml" ], "tags": [ @@ -17710,8 +17772,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html", "https://github.com/GhostPack/Seatbelt", + "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml" ], "tags": [ @@ -17760,9 +17822,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Psr/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf", + "https://lolbas-project.github.io/lolbas/Binaries/Psr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml" ], "tags": [ 
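Review bot: The first hunk on this line moves `"Turla has used fsutil fsinfo drives to list connected drives."` to the middle of `refs`, but that entry is a prose sentence, not a reference, and the reorder carries it through unchanged; it is presumably copied verbatim from the upstream Sigma rule's `references` list. Any consumer that treats `refs` as URLs (link rendering in the galaxy UI, enrichment or link-check tooling) will emit a broken link or a fetch error for it. Since this file mirrors upstream, the fix belongs either in the upstream `proc_creation_win_fsutil_drive_enumeration.yml` or in the generator as a filter that only accepts entries beginning with `http://` or `https://` and moves anything else into the description. The `"Internal Research"` entries in later hunks are the same class of value and would be caught by the same filter, if that is the intended contract for `refs` — worth confirming against the galaxy schema before enforcing.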
@@ -17927,8 +17989,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", "https://github.com/mandiant/SharPersist", + "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml" ], "tags": [ @@ -17984,13 +18046,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", - "https://github.com/zcgonvh/NTDSDumpEx", - "https://pentestlab.blog/tag/ntds-dit/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://pentestlab.blog/tag/ntds-dit/", + "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://github.com/zcgonvh/NTDSDumpEx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" ], "tags": [ 
@@ -18056,8 +18118,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", "https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml" ], "tags": [ @@ -18168,8 +18230,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://dtm.uk/wuauclt/", "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", + "https://dtm.uk/wuauclt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml" ], "tags": [ @@ -18312,8 +18374,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Internal Research", "https://tools.thehacker.recipes/mimikatz/modules", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml" ], "tags": [ @@ -18501,9 +18563,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://adepts.of0x.cc/netsh-portproxy-code/", "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://www.dfirnotes.net/portproxy_detection/", + "https://adepts.of0x.cc/netsh-portproxy-code/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml" ], "tags": [ 
@@ -18612,10 +18674,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml" ], "tags": [ @@ -18726,9 +18788,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml" ], 
@@ -18796,9 +18858,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.reconinfosec.com/emergence-of-akira-ransomware-group", "https://github.com/cloudflare/cloudflared", "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", + "https://blog.reconinfosec.com/emergence-of-akira-ransomware-group", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml" ], "tags": [ @@ -19271,8 +19333,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml" ], "tags": [ @@ -19305,9 +19367,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", + "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" ], "tags": [ 
@@ -19366,10 +19428,10 @@ "logsource.product": "windows", "refs": [ "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques", - "https://twitter.com/Hexacorn/status/885553465417756673", "https://twitter.com/vysecurity/status/885545634958385153", "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", "https://twitter.com/Hexacorn/status/885570278637678592", + "https://twitter.com/Hexacorn/status/885553465417756673", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml" ], "tags": [ @@ -19458,8 +19520,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/6", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml" ], "tags": [ @@ -19690,8 +19752,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.viettelcybersecurity.com/saml-show-stopper/", "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", + "https://blog.viettelcybersecurity.com/saml-show-stopper/", "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml" ], 
@@ -19758,8 +19820,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.localpotato.com/localpotato_html/LocalPotato.html", "https://github.com/decoder-it/LocalPotato", + "https://www.localpotato.com/localpotato_html/LocalPotato.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml" ], "tags": [ @@ -19818,8 +19880,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml" ], "tags": [ @@ -20035,8 +20097,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://persistence-info.github.io/Data/wpbbin.html", + "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml" ], "tags": [ @@ -20177,9 +20239,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/lnk-between-browsers", - "https://redcanary.com/blog/chromeloader/", "https://emkc.org/s/RJjuLa", + "https://redcanary.com/blog/chromeloader/", + "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml" ], "tags": [ 
@@ -20312,9 +20374,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://linux.die.net/man/1/bash", "Internal Research", "https://lolbas-project.github.io/lolbas/Binaries/Bash/", + "https://linux.die.net/man/1/bash", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml" ], "tags": [ @@ -20517,9 +20579,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1222095371175911424", "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://twitter.com/gN3mes1s/status/1222095963789111296", + "https://twitter.com/gN3mes1s/status/1222095371175911424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml" ], "tags": [ @@ -20575,10 +20637,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", + "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml" ], "tags": [ 
@@ -20611,8 +20673,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows", "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", + "https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml" ], "tags": [ @@ -20737,11 +20799,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png", - "https://twitter.com/aceresponder/status/1636116096506818562", - "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", - "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/", + "https://twitter.com/aceresponder/status/1636116096506818562", + "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", + "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", + "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml" ], "tags": [ 
@@ -20775,8 +20837,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/netero1010/TrustedPath-UACBypass-BOF", "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", + "https://github.com/netero1010/TrustedPath-UACBypass-BOF", "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml" ], @@ -20921,11 +20983,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://twitter.com/egre55/status/1087685529016193025", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", + "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml" ], "tags": [ 
@@ -20992,10 +21054,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", - "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup", "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", + "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml" ], "tags": [ @@ -21028,9 +21090,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", - "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", + "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml" ], "tags": [ 
@@ -21063,8 +21125,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace", "https://lolbas-project.github.io/lolbas/Binaries/Replace/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml" ], "tags": [ @@ -21097,9 +21159,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", - "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", + "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", + "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml" ], "tags": [ 
@@ -21134,9 +21196,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml" ], "tags": [ @@ -21347,10 +21409,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml" ], "tags": [ 
@@ -21374,8 +21436,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml" ], "tags": [ @@ -21497,8 +21559,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml" ], "tags": [ @@ -21565,8 +21627,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/windowsterminalprofile.html", "https://twitter.com/nas_bench/status/1550836225652686848", + "https://persistence-info.github.io/Data/windowsterminalprofile.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml" ], "tags": [ 
@@ -21624,8 +21686,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml" ], "tags": [ @@ -21700,10 +21762,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml" ], "tags": [ @@ -21792,8 +21854,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/dsnezhkov/TruffleSnout", "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md", + "https://github.com/dsnezhkov/TruffleSnout", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml" ], 
@@ -21861,10 +21923,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html", - "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", + "https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml" ], "tags": [ @@ -22147,11 +22209,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", - "https://gtfobins.github.io/gtfobins/ssh/", - "https://man.openbsd.org/ssh_config#LocalCommand", - "https://man.openbsd.org/ssh_config#ProxyCommand", "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", + "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", + "https://man.openbsd.org/ssh_config#LocalCommand", + "https://gtfobins.github.io/gtfobins/ssh/", + "https://man.openbsd.org/ssh_config#ProxyCommand", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml" ], "tags": [ 
@@ -22186,8 +22248,8 @@ "refs": [ "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" ], "tags": [ @@ -22230,8 +22292,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.intrinsec.com/apt27-analysis/", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" ], @@ -22473,8 +22535,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/MichalKoczwara/status/1553634816016498688", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml" ], "tags": [ 
@@ -22831,9 +22893,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms",
+ "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
 "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
 "https://redcanary.com/blog/msix-installers/",
- "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml"
 ],
 "tags": [
@@ -22867,8 +22929,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
 "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
+ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
 "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml"
 ],
@@ -22902,8 +22964,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/",
 "https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks",
+ "https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml"
 ],
 "tags": [
@@ -23050,10 +23112,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
- "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
 "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior",
 "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
+ "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
+ "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml"
 ],
 "tags": [
@@ -23261,8 +23323,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
- "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
+ "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"
 ],
 "tags": [
@@ -23329,13 +23391,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
- "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
- "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
- "https://github.com/mttaggart/quasar",
- "https://taggart-tech.com/quasar-electron/",
 "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
+ "https://github.com/mttaggart/quasar",
 "https://positive.security/blog/ms-officecmd-rce",
+ "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
+ "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
+ "https://taggart-tech.com/quasar-electron/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml"
 ],
 "tags": [
@@ -23392,8 +23454,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://twitter.com/frack113/status/1555830623633375232",
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"
 ],
 "tags": [
@@ -23459,8 +23521,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/threat-detection/process-masquerading/",
 "https://tria.ge/240731-jh4crsycnb/behavioral2",
+ "https://redcanary.com/blog/threat-detection/process-masquerading/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml"
 ],
 "tags": [
@@ -23493,8 +23555,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Oddvarmoe/status/1641712700605513729",
 "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup",
+ "https://twitter.com/Oddvarmoe/status/1641712700605513729",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml"
 ],
 "tags": [
@@ -23505,7 +23567,7 @@
 "value": "Computer Password Change Via Ksetup.EXE"
 },
 {
- "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts",
+ "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts\n",
 "meta": {
 "author": "Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior",
 "creation_date": "2022-09-01",
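Review bot: In the second hunk the `description` of the service-tamper cluster now ends in an escaped `\n` (`...some ransomware scripts\n"`), while the neighbouring descriptions in this file carry no trailing newline, so this reads as the YAML block scalar's terminator leaking through the generator rather than an intended edit. A trailing newline in a MISP cluster description renders as a stray blank line in consumers and will diff again on the next regeneration; the value should be trimmed of trailing whitespace at generation time, restoring `"...As seen being used in some ransomware scripts",`. The cluster object starts and ends outside the hunk, so I cannot see whether its other fields changed.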
@@ -23517,10 +23579,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg",
- "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
 "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
+ "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml"
 ],
@@ -23554,13 +23616,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://asec.ahnlab.com/en/78944/",
- "https://www.huntress.com/blog/attacking-mssql-servers",
 "https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/",
- "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
 "https://www.huntress.com/blog/attacking-mssql-servers-pt-ii",
+ "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
 "https://docs.microsoft.com/en-us/sql/tools/bcp-utility",
+ "https://www.huntress.com/blog/attacking-mssql-servers",
 "https://asec.ahnlab.com/en/61000/",
+ "https://asec.ahnlab.com/en/78944/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml"
 ],
 "tags": [
@@ -23593,9 +23655,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
 "https://github.com/binderlabs/DirCreate2System",
 "https://www.echotrail.io/insights/search/wermgr.exe",
- "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml"
 ],
 "tags": [
@@ -23638,9 +23700,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
 "https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml"
 ],
 "tags": [
@@ -23729,8 +23791,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1638069413717975046",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend",
+ "https://twitter.com/0gtweet/status/1638069413717975046",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml"
 ],
 "tags": [
@@ -23764,8 +23826,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
 "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml"
 ],
 "tags": [
@@ -23832,8 +23894,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/16",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml"
 ],
 "tags": [
@@ -23866,8 +23928,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml"
 ],
 "tags": [
@@ -23942,8 +24004,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
 "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml"
 ],
 "tags": [
@@ -24009,9 +24071,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/",
 "https://tria.ge/240521-ynezpagf56/behavioral1",
 "https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/",
- "https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/",
 "https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml"
 ],
@@ -24045,8 +24107,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/",
 "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
+ "https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml"
 ],
 "tags": [
@@ -24083,8 +24145,8 @@
 "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
 "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
 "https://twitter.com/cglyer/status/1355171195654709249",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml"
 ],
 "tags": [
@@ -24117,8 +24179,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
 "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml"
 ],
 "tags": [
@@ -24259,9 +24321,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
 "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/",
 "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_download.yml"
 ],
 "tags": [
@@ -24295,9 +24357,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
 "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml"
 ],
 "tags": [
@@ -24330,8 +24392,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml"
 ],
 "tags": [
@@ -24364,9 +24426,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
- "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
 "https://www.fortiguard.com/threat-signal-report/4718?s=09",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml"
 ],
 "tags": [
@@ -24399,8 +24461,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
+ "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml"
 ],
 "tags": [
@@ -24508,8 +24570,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
 "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
+ "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml"
 ],
 "tags": [
@@ -24610,13 +24672,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680",
- "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699",
- "https://github.com/vletoux/pingcastle",
- "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
 "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8",
+ "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699",
 "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1",
+ "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680",
 "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450",
+ "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
+ "https://github.com/vletoux/pingcastle",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml"
 ],
 "tags": [
@@ -24649,9 +24711,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature",
 "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a",
 "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41",
+ "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml"
 ],
 "tags": [
@@ -24684,9 +24746,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/blog/lnk-between-browsers",
- "https://redcanary.com/blog/chromeloader/",
 "https://emkc.org/s/RJjuLa",
+ "https://redcanary.com/blog/chromeloader/",
+ "https://www.mandiant.com/resources/blog/lnk-between-browsers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml"
 ],
 "tags": [
@@ -24719,11 +24781,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
- "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
 "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
 "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
+ "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml"
 ],
 "tags": [
@@ -24800,10 +24862,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
- "https://github.com/CCob/MirrorDump",
 "https://github.com/helpsystems/nanodump",
 "https://github.com/Hackndo/lsassy",
 "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
+ "https://github.com/CCob/MirrorDump",
 "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"
 ],
@@ -24837,8 +24899,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Print/",
 "https://twitter.com/Oddvarmoe/status/985518877076541440",
+ "https://lolbas-project.github.io/lolbas/Binaries/Print/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml"
 ],
 "tags": [
@@ -24920,9 +24982,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.php.net/manual/en/features.commandline.php",
 "https://www.revshells.com/",
 "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
- "https://www.php.net/manual/en/features.commandline.php",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml"
 ],
 "tags": [
@@ -24980,8 +25042,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax",
 "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
+ "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"
 ],
 "tags": [
@@ -25081,9 +25143,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml"
 ],
 "tags": [
@@ -25227,8 +25289,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465",
 "https://twitter.com/Max_Mal_/status/1633863678909874176",
+ "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465",
 "Internal Research",
 "https://twitter.com/_JohnHammond/status/1588155401752788994",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml"
@@ -25296,8 +25358,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml"
 ],
 "tags": [
@@ -25386,8 +25448,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/",
 "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/",
+ "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/",
 "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml"
 ],
@@ -25421,9 +25483,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/",
- "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
+ "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
+ "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml"
 ],
 "tags": [
@@ -25490,10 +25552,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
 "https://github.com/defaultnamehere/cookie_crimes/",
- "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
 "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
+ "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
+ "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml"
 ],
 "tags": [
@@ -25592,9 +25654,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml"
 ],
 "tags": [
@@ -25627,8 +25689,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
 "https://twitter.com/0gtweet/status/1674399582162153472",
+ "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml"
 ],
 "tags": [
@@ -25695,9 +25757,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt",
 "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
 "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml"
 ],
 "tags": [
@@ -25753,8 +25815,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1465058133303246867",
 "https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps",
+ "https://twitter.com/mrd0x/status/1465058133303246867",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml"
 ],
 "tags": [
@@ -25788,9 +25850,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
 "https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install",
 "https://lolbas-project.github.io/lolbas/Binaries/Winget/",
- "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml"
 ],
 "tags": [
@@ -25824,8 +25886,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/intelligence-insights-december-2021",
 "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html",
+ "https://redcanary.com/blog/intelligence-insights-december-2021",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml"
 ],
 "tags": [
@@ -25959,8 +26021,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
+ "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml"
 ],
 "tags": [
@@ -26044,8 +26106,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior",
 "https://twitter.com/ShadowChasing1/status/1552595370961944576",
+ "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml"
 ],
 "tags": [
@@ -26144,8 +26206,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
 "https://twitter.com/0gtweet/status/1674399582162153472",
+ "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml"
 ],
 "tags": [
@@ -26179,8 +26241,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/SBousseaden/status/1211636381086339073",
- "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
 "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
 "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
 ],
@@ -26232,8 +26294,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/",
 "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/",
+ "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml"
 ],
 "tags": [
@@ -26266,12 +26328,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
- "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
 "https://redcanary.com/blog/raspberry-robin/",
- "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+ "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
 "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
+ "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml"
 ],
 "tags": [
@@ -26337,9 +26399,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
 "https://www.gpg4win.de/documentation.html",
 "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
- "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml"
 ],
 "tags": [
@@ -26396,10 +26458,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery",
- "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup",
 "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml"
 ],
 "tags": [
@@ -26432,8 +26494,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps",
 "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
+ "https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml"
 ],
 "tags": [
@@ -26499,9 +26561,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/nettitude/SharpWSUS",
- "https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1",
 "https://labs.nettitude.com/blog/introducing-sharpwsus/",
+ "https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1",
+ "https://github.com/nettitude/SharpWSUS",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml"
 ],
 "tags": [
@@ -26829,8 +26891,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml"
 ],
 "tags": [
@@ -26939,8 +27001,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
 "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml"
 ],
 "tags": [
@@ -27064,8 +27126,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
+ "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml"
 ],
 "tags": [
@@ -27099,11 +27161,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841",
- "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md",
- "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/",
 "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841",
+ "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/",
 "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team",
+ "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml"
 ],
 "tags": [
@@ -27196,10 +27258,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
 "https://github.com/antonioCoco/RogueWinRM",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
 ],
 "tags": [
@@ -27232,8 +27294,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
 "https://twitter.com/nao_sec/status/1530196847679401984",
+ "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml"
 ],
 "tags": [
@@ -27613,11 +27675,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.joeware.net/freetools/tools/adfind/",
- "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
 "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://www.joeware.net/freetools/tools/adfind/",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
 "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"
 ],
@@ -27749,8 +27811,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
 "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html",
+ "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml"
 ],
 "tags": [
@@ -27817,10 +27879,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/cloudflare/cloudflared",
- "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
 "https://www.intrinsec.com/akira_ransomware/",
- "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
+ "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
 "https://github.com/cloudflare/cloudflared/releases",
+ "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml"
 ],
 "tags": [
@@ -27853,9 +27915,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1534915321856917506",
 "https://twitter.com/nas_bench/status/1534916659676422152",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
+ "https://twitter.com/nas_bench/status/1534915321856917506",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml"
 ],
 "tags": [
@@ -27931,9 +27993,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
 "https://www.gpg4win.de/documentation.html",
 "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
- "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml"
 ],
 "tags": [
@@ -28058,8 +28120,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
 "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade",
+ "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml"
 ],
 "tags": [
@@ -28092,9 +28154,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
 "https://learn.microsoft.com/en-us/azure/dns/dns-zones-records",
- "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml"
 ],
 "tags": [
@@ -28128,8 +28190,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
 "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
+ "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml"
 ],
 "tags": [
@@ -28276,9 +28338,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
 "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml"
 ],
 "tags": [
@@ -28344,8 +28406,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1638069413717975046",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend",
+ "https://twitter.com/0gtweet/status/1638069413717975046",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml"
 ],
 "tags": [
@@ -28412,8 +28474,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/",
 "https://twitter.com/_felamos/status/1179811992841797632",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml"
 ],
 "tags": [
@@ -28504,9 +28566,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://reaqta.com/2017/11/short-journey-darkvnc/",
 "https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing",
 "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html",
- "https://reaqta.com/2017/11/short-journey-darkvnc/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml"
 ],
 "tags": [
@@ -28564,8 +28626,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/tag/sharpmove/",
 "https://github.com/0xthirteen/SharpMove/",
+ "https://pentestlab.blog/tag/sharpmove/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml"
 ],
 "tags": [
@@ -28598,12 +28660,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/",
- "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper",
 "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html",
+ "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
+ "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/",
 "https://www.attackiq.com/2023/09/20/emulating-rhysida/",
 "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior",
- "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
+ "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml"
 ],
 "tags": [
@@ -28646,9 +28708,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac",
 "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"
 ],
 "tags": [
@@ -28738,8 +28800,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/sensepost/impersonate",
 "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/",
+ "https://github.com/sensepost/impersonate",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml"
 ],
 "tags": [
@@ -28781,8 +28843,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
 "https://twitter.com/bohops/status/948061991012327424",
+ "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml"
 ],
 "tags": [
@@ -28907,13 +28969,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
- "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
- "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
- "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
 "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
+ "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
+ "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
+ "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml"
 ],
 "tags": [
@@ -29047,8 +29109,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://hashcat.net/wiki/doku.php?id=hashcat",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat",
+ "https://hashcat.net/wiki/doku.php?id=hashcat",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml"
 ],
 "tags": [
@@ -29147,8 +29209,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/",
 "https://twitter.com/mrd0x/status/1460815932402679809",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml"
 ],
 "tags": [
@@ -29182,8 +29244,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe",
 "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md",
+ "https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml"
 ],
 "tags": [
@@ -29216,9 +29278,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
 "https://ss64.com/nt/dsacls.html",
 "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml"
 ],
 "tags": [
@@ -29285,8 +29347,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/",
 "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
+ "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml"
 ],
 "tags": [
@@ -29320,10 +29382,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
- "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
- "https://twitter.com/EricaZelic/status/1614075109827874817",
 "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
+ "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
+ "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
+ "https://twitter.com/EricaZelic/status/1614075109827874817",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml"
 ],
 "tags": [
@@ -29373,8 +29435,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
- "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml"
 ],
 "tags": [
@@ -29476,12 +29538,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://twitter.com/Hexacorn/status/776122138063409152",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://twitter.com/gN3mes1s/status/941315826107510784",
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
 "https://github.com/SigmaHQ/sigma/issues/3742",
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
 "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
 "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"
@@ -29600,9 +29662,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
 "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
 "https://twitter.com/Hexacorn/status/1420053502554951689",
- "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml"
 ],
 "tags": [
@@ -29680,8 +29742,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml"
 ],
 "tags": [
@@ -29714,10 +29776,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
+ "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
 "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
 "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
- "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
+ "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml"
 ],
 "tags": [
@@ -29815,9 +29877,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.nirsoft.net/utils/nircmd.html",
 "https://www.nirsoft.net/utils/nircmd2.html#using",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://www.nirsoft.net/utils/nircmd.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml"
 ],
 "tags": [
@@ -29874,9 +29936,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
- "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
 "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
+ "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
+ "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml"
 ],
 "tags": [
@@ -29909,9 +29971,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
 "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
+ "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml"
 ],
 "tags": [
@@ -29969,9 +30031,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md",
 "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml"
 ],
 "tags": [
@@ -30014,8 +30076,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf",
- "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
 "https://redcanary.com/blog/child-processes/",
+ "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml"
 ],
 "tags": [
@@ -30048,9 +30110,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/RedDrip7/status/1506480588827467785",
- "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf",
 "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/",
+ "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf",
+ "https://twitter.com/RedDrip7/status/1506480588827467785",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml"
 ],
 "tags": [
@@ -30118,8 +30180,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html",
 "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf",
+ "https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml"
 ],
@@ -30194,9 +30256,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml"
 ],
 "tags": [
@@ -30297,17 +30359,17 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
+ "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
 "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/",
 "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml",
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
- "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
- "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
- "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml"
 ],
 "tags": [
@@ -30407,8 +30469,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download",
 "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml"
 ],
 "tags": [
@@ -30484,8 +30546,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.echotrail.io/insights/search/msbuild.exe",
 "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/",
+ "https://www.echotrail.io/insights/search/msbuild.exe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml"
 ],
 "tags": [
@@ -30622,9 +30684,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cobaltstrike.com/help-windows-executable",
 "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
 "https://redcanary.com/threat-detection-report/",
+ "https://www.cobaltstrike.com/help-windows-executable",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml"
 ],
 "tags": [
@@ -30657,8 +30719,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
 "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml",
+ "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"
@@ -30737,8 +30799,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unicode-explorer.com/c/202E",
 "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method",
+ "https://unicode-explorer.com/c/202E",
 "https://redcanary.com/blog/right-to-left-override/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml"
 ],
@@ -30839,8 +30901,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1",
 "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md",
+ "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml"
 ],
 "tags": [
@@ -30974,9 +31036,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1461041276514623491",
- "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
 "https://twitter.com/tccontre18/status/1480950986650832903",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
+ "https://twitter.com/mrd0x/status/1461041276514623491",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml"
 ],
 "tags": [
@@ -31010,11 +31072,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
+ "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/",
 "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/",
 "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
 "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf",
- "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/",
 "https://www.softperfect.com/products/networkscanner/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netscan.yml"
 ],
@@ -31312,8 +31374,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml"
 ],
 "tags": [
@@ -31523,9 +31585,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://twitter.com/ForensicITGuy/status/1334734244120309760",
- "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
 "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
+ "https://twitter.com/ForensicITGuy/status/1334734244120309760",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml"
 ],
 "tags": [
@@ -31576,8 +31638,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey",
- "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
 "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx",
+ "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml"
 ],
 "tags": [
@@ -31680,9 +31742,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
+ "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
 "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
 "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
- "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml"
 ],
 "tags": [
@@ -31747,8 +31809,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md",
 "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
+ "https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml"
 ],
 "tags": [
@@ -31923,8 +31985,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
+ "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml"
 ],
 "tags": [
@@ -32051,9 +32113,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
 "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml"
 ],
 "tags": [
@@ -32094,8 +32156,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
 "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
+ "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
 "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml"
 ],
@@ -32129,10 +32191,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://youtu.be/5mqid-7zp8k?t=2481",
 "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
+ "https://youtu.be/5mqid-7zp8k?t=2481",
+ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml"
 ],
 "tags": [
@@ -32190,8 +32252,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl",
 "https://lolbas-project.github.io/lolbas/Libraries/Desk/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml"
 ],
 "tags": [
@@ -32259,8 +32321,8 @@
 "refs": [
 "https://isc.sans.edu/diary/22264",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml"
 ],
 "tags": [
@@ -32361,11 +32423,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
- "https://isc.sans.edu/diary/22264",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+ "https://isc.sans.edu/diary/22264",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml"
 ],
 "tags": [
@@ -32408,9 +32470,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
- "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
 "https://www.fortiguard.com/threat-signal-report/4718?s=09",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml"
 ],
 "tags": [
@@ -32444,8 +32506,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.phpied.com/make-your-javascript-a-windows-exe/",
- "https://twitter.com/DissectMalware/status/998797808907046913",
 "https://lolbas-project.github.io/lolbas/Binaries/Jsc/",
+ "https://twitter.com/DissectMalware/status/998797808907046913",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml"
 ],
 "tags": [
@@ -32554,8 +32616,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18",
+ "https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml"
 ],
 "tags": [
@@ -32698,9 +32760,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication",
 "https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922",
 "https://github.com/grayhatkiller/SharpExShell",
- "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml"
 ],
 "tags": [
@@ -32734,8 +32796,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
- "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml"
 ],
 "tags": [
@@ -32968,10 +33030,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/bohops/status/1276357235954909188?s=12",
- "https://twitter.com/nas_bench/status/1535322450858233858",
- "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
 "https://twitter.com/CyberRaiju/status/1273597319322058752",
+ "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
+ "https://twitter.com/nas_bench/status/1535322450858233858",
+ "https://twitter.com/bohops/status/1276357235954909188?s=12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml"
 ],
 "tags": [
@@ -33005,8 +33067,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
- "https://lolbas-project.github.io/lolbas/Binaries/Tar/",
 "https://unit42.paloaltonetworks.com/chromeloader-malware/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Tar/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_extraction.yml"
 ],
 "tags": [
@@ -33050,8 +33112,8 @@
 "refs": [
 "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
 "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
- "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
 "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
+ "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml"
 ],
 "tags": [
@@ -33142,9 +33204,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml"
 ],
 "tags": [
@@ -33178,12 +33240,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://twitter.com/Hexacorn/status/776122138063409152",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://twitter.com/gN3mes1s/status/941315826107510784",
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
 "https://github.com/SigmaHQ/sigma/issues/3742",
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
 "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
 "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"
@@ -33250,9 +33312,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
 "https://github.com/hfiref0x/UACME",
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml"
 ],
 "tags": [
@@ -33366,9 +33428,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
- "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/",
 "https://www.scythe.io/library/threat-emulation-qakbot",
+ "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/",
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml"
 ],
 "tags": [
@@ -33424,8 +33486,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png",
 "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
+ "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png",
 "https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml"
 ],
@@ -33461,9 +33523,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
- "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml"
 ],
 "tags": [
@@ -33531,8 +33593,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
- "https://twitter.com/pabraeken/status/990717080805789697",
 "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
+ "https://twitter.com/pabraeken/status/990717080805789697",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml"
 ],
 "tags": [
@@ -33565,9 +33627,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49",
 "https://github.com/sensepost/ruler",
 "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml"
 ],
 "tags": [
@@ -33608,9 +33670,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo",
 "https://redcanary.com/blog/intelligence-insights-april-2022/",
 "https://www.echotrail.io/insights/search/regsvr32.exe",
+ "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml"
 ],
 "tags": [
@@ -33802,8 +33864,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/3proxy/3proxy",
 "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://github.com/3proxy/3proxy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml"
 ],
 "tags": [
@@ -33871,8 +33933,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f",
- "https://twitter.com/mrd0x/status/1511415432888131586",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
+ "https://twitter.com/mrd0x/status/1511415432888131586",
 "https://twitter.com/mrd0x/status/1511489821247684615",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml"
 ],
@@ -33949,9 +34011,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
+ "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml"
 ],
 "tags": [
@@ -33984,11 +34046,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
- "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
- "https://twitter.com/nao_sec/status/1530196847679401984",
- "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
 "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
+ "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
+ "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
+ "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml"
 ],
 "tags": [
@@ -34072,9 +34134,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
- "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
 "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
+ "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
+ "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml"
 ],
 "tags": [
@@ -34234,9 +34296,9 @@
 "refs": [
 "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf",
 "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
- "https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/",
 "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/",
 "https://github.com/AlessandroZ/LaZagne/tree/master",
+ "https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml"
 ],
 "tags": [
@@ -34259,8 +34321,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html",
 "https://redcanary.com/blog/child-processes/",
+ "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml"
 ],
 "tags": [
@@ -34427,8 +34489,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml"
 ],
 "tags": [
@@ -34495,10 +34557,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
 "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
 "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml"
 ],
 "tags": [
@@ -34531,10 +34593,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
- "https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/",
 "https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/",
 "https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml"
 ],
 "tags": [
@@ -34566,8 +34628,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml"
 ],
 "tags": [
@@ -34600,8 +34662,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ss64.com/nt/mklink.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md",
+ "https://ss64.com/nt/mklink.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml"
 ],
 "tags": [
@@ -34680,10 +34742,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
 "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
 "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
 "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml"
 ],
 "tags": [
@@ -34827,11 +34889,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
- "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
+ "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml"
 ],
 "tags": [
@@ -34906,8 +34968,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/",
 "https://securityxploded.com/",
+ "https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml"
 ],
 "tags": [
@@ -34940,10 +35002,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/wunderwuzzi23/firefox-cookiemonster",
 "https://github.com/defaultnamehere/cookie_crimes/",
 "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
 "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
+ "https://github.com/wunderwuzzi23/firefox-cookiemonster",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml"
 ],
 "tags": [
@@ -35180,8 +35242,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
- "https://nmap.org/ncat/",
 "https://www.revshells.com/",
+ "https://nmap.org/ncat/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml"
 ],
 "tags": [
@@ -35364,8 +35426,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows",
+ "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml"
 ],
 "tags": [
@@ -35440,9 +35502,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/gN3mes1s/status/1222095371175911424",
 "https://twitter.com/gN3mes1s/status/1222088214581825540",
 "https://twitter.com/gN3mes1s/status/1222095963789111296",
+ "https://twitter.com/gN3mes1s/status/1222095371175911424",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml"
 ],
 "tags": [
@@ -35499,11 +35561,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
- "https://twitter.com/cyberwar_15/status/1187287262054076416",
- "https://blog.alyac.co.kr/1901",
- "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
 "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
+ "https://blog.alyac.co.kr/1901",
+ "https://twitter.com/cyberwar_15/status/1187287262054076416",
+ "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
+ "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
 ],
 "tags": [
@@ -35554,11 +35616,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
 "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive",
 "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/",
- "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/",
 "https://twitter.com/0gtweet/status/1299071304805560321?s=21",
- "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
+ "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml"
 ],
 "tags": [
@@ -35624,8 +35686,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
 "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
+ "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml"
 ],
 "tags": [
@@ -35658,9 +35720,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html",
+ "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml"
 ],
 "tags": [
@@ -35716,8 +35778,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml"
 ],
 "tags": [
@@ -35751,8 +35813,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt",
- "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt",
 "https://twitter.com/n1nj4sec/status/1421190238081277959",
+ "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml"
 ],
 "tags": [
@@ -35818,9 +35880,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
- "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml"
 ],
 "tags": [
@@ -35876,8 +35938,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml"
 ],
 "tags": [
@@ -36036,9 +36098,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
 "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml"
 ],
 "tags": [
@@ -36072,11 +36134,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/eral4m/status/1479106975967240209",
- "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
- "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
 "https://twitter.com/Hexacorn/status/885258886428725250",
- "https://twitter.com/nas_bench/status/1433344116071583746",
+ "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
 "https://twitter.com/eral4m/status/1479080793003671557",
+ "https://twitter.com/nas_bench/status/1433344116071583746",
+ "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"
 ],
 "tags": [
@@ -36175,9 +36237,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
- "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors",
 "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
+ "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors",
+ "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml"
 ],
 "tags": [
@@ -36304,11 +36366,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
+ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
 "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
 "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
- "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
 ],
 "tags": [
@@ -36416,8 +36478,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/",
 "https://twitter.com/Hexacorn/status/1224848930795552769",
+ "http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml"
 ],
 "tags": [
@@ -36440,8 +36502,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/quarkslab/quarkspwdump",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
+ "https://github.com/quarkslab/quarkspwdump",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml"
 ],
 "tags": [
@@ -36516,9 +36578,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
 "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml"
 ],
 "tags": [
@@ -36609,8 +36671,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
- "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
 "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
+ "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_execution.yml"
 ],
 "tags": [
@@ -36719,8 +36781,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/",
 "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
+ "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml"
 ],
 "tags": [
@@ -36892,8 +36954,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
 "https://github.com/shantanu561993/SharpChisel",
+ "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml"
 ],
 "tags": [
@@ -36959,8 +37021,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cobaltstrike.com/help-opsec",
 "https://twitter.com/ber_m1ng/status/1397948048135778309",
+ "https://www.cobaltstrike.com/help-opsec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml"
 ],
 "tags": [
@@ -37059,11 +37121,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1628720819537936386",
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://twitter.com/0gtweet/status/1628720819537936386",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml"
 ],
 "tags": [
@@ -37098,8 +37160,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.revshells.com/",
 "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
+ "https://www.revshells.com/",
 "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml"
 ],
@@ -37257,9 +37319,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.intrinsec.com/akira_ransomware/",
- "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
- "https://github.com/cloudflare/cloudflared",
 "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
+ "https://github.com/cloudflare/cloudflared",
+ "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml"
 ],
 "tags": [
@@ -37292,8 +37354,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py",
 "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1",
+ "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml"
 ],
 "tags": [
@@ -37375,8 +37437,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html",
- "https://lab52.io/blog/winter-vivern-all-summer/",
 "https://hatching.io/blog/powershell-analysis/",
+ "https://lab52.io/blog/winter-vivern-all-summer/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"
 ],
 "tags": [
@@ -37478,8 +37540,8 @@
 "refs": [
 "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
- "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
+ "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml"
 ],
 "tags": [
@@ -37563,9 +37625,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
 "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
 "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml"
 ],
 "tags": [
@@ -37631,9 +37693,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
 "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
 "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
+ "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml"
 ],
 "tags": [
@@ -37683,8 +37745,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/nas_bench/status/1534957360032120833",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
 "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml"
 ],
 "tags": [
@@ -37834,8 +37896,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
 "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
+ "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml"
 ],
 "tags": [
@@ -37936,8 +37998,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.revshells.com/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml"
 ],
 "tags": [
@@ -37970,8 +38032,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
 "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml"
 ],
 "tags": [
@@ -38090,8 +38152,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/oulusoyum/status/1191329746069655553",
 "https://twitter.com/mattifestation/status/1196390321783025666",
+ "https://twitter.com/oulusoyum/status/1191329746069655553",
 "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml"
 ],
@@ -38448,10 +38510,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
 "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
 "https://nodejs.org/api/cli.html",
- "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
 ],
 "tags": [
@@ -38484,9 +38546,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt",
 "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
 "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml"
 ],
 "tags": [
@@ -38509,9 +38571,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
 "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
 "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/",
- "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml"
 ],
 "tags": [
@@ -38545,9 +38607,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ipfyx.fr/post/visual-studio-code-tunnel/",
 "https://code.visualstudio.com/docs/remote/tunnels",
 "https://badoption.eu/blog/2023/01/31/code_c2.html",
+ "https://ipfyx.fr/post/visual-studio-code-tunnel/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml"
 ],
 "tags": [
@@ -38637,24 +38699,24 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://adsecurity.org/?p=2921",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/Kevin-Robertson/Powermad",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/adrecon/AzureADRecon",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/besimorhino/powercat",
 "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
 "https://github.com/adrecon/ADRecon",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
 "https://github.com/samratashok/nishang",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/besimorhino/powercat",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/Kevin-Robertson/Powermad",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"
 ],
 "tags": [
@@ -38836,9 +38898,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html",
 "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
 "https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
- "https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml"
 ],
 "tags": [
@@ -38905,8 +38967,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1278977301745741825",
 "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
+ "https://twitter.com/SBousseaden/status/1278977301745741825",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml"
 ],
 "tags": [
@@ -38939,8 +39001,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", + "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml" ], "tags": [ @@ -39081,9 +39143,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", "https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml" ], "tags": [ 
@@ -39226,10 +39288,10 @@ "logsource.product": "windows", "refs": [ "https://github.com/cloudflare/cloudflared", - "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", "https://www.intrinsec.com/akira_ransomware/", - "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", "https://github.com/cloudflare/cloudflared/releases", + "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml" ], "tags": [ @@ -39412,9 +39474,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", - "https://twitter.com/pabraeken/status/990758590020452353", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", + "https://twitter.com/pabraeken/status/990758590020452353", + "https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" ], "tags": [ @@ -39573,8 +39635,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", "https://twitter.com/blackorbird/status/1140519090961825792", + "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml" ], "tags": [ 
@@ -39642,10 +39704,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", - "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", + "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", + "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml" ], "tags": [ @@ -39678,9 +39740,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml" ], "tags": [ 
@@ -39714,8 +39776,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml" ], "tags": [ @@ -39771,12 +39833,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.localpotato.com/", - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", - "https://github.com/ohpe/juicy-potato", "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", + "https://www.localpotato.com/", "https://pentestlab.blog/2017/04/13/hot-potato/", + "https://github.com/ohpe/juicy-potato", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml" ], "tags": [ 
@@ -39877,12 +39939,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml" ], "tags": [ @@ -39923,9 +39985,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml" ], "tags": [ 
@@ -40024,8 +40086,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.pdq.com/pdq-deploy/", "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md", + "https://www.pdq.com/pdq-deploy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml" ], "tags": [ @@ -40059,8 +40121,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md", "https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", + "https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml" ], "tags": [ @@ -40094,8 +40156,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", - "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", + "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" ], "tags": [ 
@@ -40233,13 +40295,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", - "https://ngrok.com/docs", - "https://www.softwaretestinghelp.com/how-to-use-ngrok/", - "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", + "https://www.softwaretestinghelp.com/how-to-use-ngrok/", "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", "https://twitter.com/xorJosh/status/1598646907802451969", + "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", + "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", + "https://ngrok.com/docs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml" ], "tags": [ @@ -40305,9 +40367,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", - "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml" ], "tags": [ 
@@ -40446,8 +40508,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://twitter.com/0gtweet/status/1628720819537936386", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml" ], @@ -40558,8 +40620,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/shell/csidl", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military", + "https://learn.microsoft.com/en-us/windows/win32/shell/csidl", "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml" ], @@ -40659,8 +40721,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://thedfirreport.com/2020/10/08/ryuks-return/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml" ], "tags": [ 
@@ -40726,8 +40788,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml" ], "tags": [ @@ -40795,9 +40857,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml" ], "tags": [ 
@@ -40830,12 +40892,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://twitter.com/egre55/status/1087685529016193025", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", + "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml" ], "tags": [ 
@@ -40868,10 +40930,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://twitter.com/hFireF0X/status/897640081053364225", - "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/hfiref0x/UACME", + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml" ], "tags": [ 
@@ -40994,15 +41056,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", - "https://github.com/Neo23x0/Raccine#the-process", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", - "https://blog.talosintelligence.com/2017/05/wannacry.html", - "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", - "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", + "https://github.com/Neo23x0/Raccine#the-process", + "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", + "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://blog.talosintelligence.com/2017/05/wannacry.html", + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml" ], "tags": [ 
@@ -41077,9 +41139,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://code.visualstudio.com/docs/remote/tunnels", "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml" ], "tags": [ @@ -41229,8 +41291,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.radmin.fr/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", + "https://www.radmin.fr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_radmin.yml" ], "tags": [ @@ -41264,9 +41326,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", - "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" ], "tags": [ 
@@ -41300,9 +41362,9 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4", - "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4", "https://adsecurity.org/?p=2604", + "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml" ], "tags": [ @@ -41335,9 +41397,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/jonasLyk/status/1555914501802921984", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://twitter.com/jonasLyk/status/1555914501802921984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml" ], "tags": [ @@ -41443,8 +41505,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml" ], "tags": [ 
@@ -41568,12 +41630,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", - "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", "https://twitter.com/JohnLaTwC/status/835149808817991680", + "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml" ], "tags": [ 
@@ -41606,10 +41668,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", - "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml" ], "tags": [ @@ -41642,9 +41704,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.poweradmin.com/paexec/", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml" ], "tags": [ 
@@ -41701,9 +41763,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", "https://twitter.com/M_haggis/status/1699056847154725107", "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", - "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml" ], @@ -41728,8 +41790,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://en.wikipedia.org/wiki/HTML_Application", "https://www.echotrail.io/insights/search/mshta.exe", + "https://en.wikipedia.org/wiki/HTML_Application", "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml" ], 
@@ -41883,10 +41945,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", - "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", - "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", + "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", + "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", + "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml" ], "tags": [ 
@@ -41952,16 +42014,16 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://bunnyinside.com/?term=f71e8cb9c76a", "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml" ], "tags": [ @@ -42017,10 +42079,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", + "https://twitter.com/mattifestation/status/1326228491302563846", "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", "http://blog.sevagas.com/?Hacking-around-HTA-files", - "https://twitter.com/mattifestation/status/1326228491302563846", - "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml" ], 
@@ -42072,14 +42134,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", - "http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/", - "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", - "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", + "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", + "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", "https://www.group-ib.com/blog/apt41-world-tour-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml" ], 
@@ -42191,8 +42253,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign", "https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57", + "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml" ], "tags": [ @@ -42283,9 +42345,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml" ], @@ -42345,9 +42407,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml" ], "tags": [ 
@@ -42383,8 +42445,8 @@
 "refs": [
 "https://isc.sans.edu/diary/22264",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"
 ],
 "tags": [
@@ -42493,13 +42555,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cobaltstrike.com/help-opsec",
- "https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
- "https://twitter.com/CyberRaiju/status/1251492025678983169",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
- "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
 "https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool",
+ "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
+ "https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
+ "https://twitter.com/CyberRaiju/status/1251492025678983169",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
+ "https://www.cobaltstrike.com/help-opsec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml"
 ],
 "tags": [
@@ -42588,9 +42650,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
- "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
 "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control",
+ "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml"
 ],
 "tags": [
@@ -42656,8 +42718,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
 "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml"
 ],
 "tags": [
@@ -42770,9 +42832,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
 "https://github.com/binderlabs/DirCreate2System",
 "https://www.echotrail.io/insights/search/wermgr.exe",
- "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml"
 ],
 "tags": [
@@ -42894,8 +42956,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
 "https://redcanary.com/blog/gootloader/",
+ "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml"
 ],
 "tags": [
@@ -42936,8 +42998,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution",
+ "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml"
 ],
 "tags": [
@@ -43029,8 +43091,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.revshells.com/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml"
 ],
 "tags": [
@@ -43154,11 +43216,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3",
- "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation",
- "https://twitter.com/pfiatde/status/1681977680688738305",
 "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/",
 "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/",
+ "https://twitter.com/pfiatde/status/1681977680688738305",
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml"
 ],
 "tags": [
@@ -43258,8 +43320,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
 "https://twitter.com/mrd0x/status/1478234484881436672?s=12",
+ "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml"
 ],
 "tags": [
@@ -43393,10 +43455,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/ReaQta/status/1222548288731217921",
+ "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
 "https://www.activecyber.us/activelabs/windows-uac-bypass",
 "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
- "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
- "https://twitter.com/ReaQta/status/1222548288731217921",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml"
 ],
 "tags": [
@@ -43464,8 +43526,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/SigmaHQ/sigma/issues/1009",
- "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
 "https://redcanary.com/blog/raspberry-robin/",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml"
 ],
 "tags": [
@@ -43655,8 +43717,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall",
+ "https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml"
 ],
 "tags": [
@@ -44007,9 +44069,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.nirsoft.net/utils/nircmd.html",
 "https://www.nirsoft.net/utils/nircmd2.html#using",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://www.nirsoft.net/utils/nircmd.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml"
 ],
 "tags": [
@@ -44201,8 +44263,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/",
- "https://twitter.com/pabraeken/status/993298228840992768",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
+ "https://twitter.com/pabraeken/status/993298228840992768",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml"
 ],
 "tags": [
@@ -44514,9 +44576,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
- "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml"
 ],
 "tags": [
@@ -44549,8 +44611,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/wdormann/status/1478011052130459653?s=20",
 "https://twitter.com/0gtweet/status/1477925112561209344",
+ "https://twitter.com/wdormann/status/1478011052130459653?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml"
 ],
 "tags": [
@@ -44573,9 +44635,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
- "https://twitter.com/_st0pp3r_/status/1583914515996897281",
 "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/",
+ "https://twitter.com/_st0pp3r_/status/1583914515996897281",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml"
 ],
 "tags": [
@@ -44776,8 +44838,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml"
 ],
 "tags": [
@@ -44810,11 +44872,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets",
- "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
 "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml"
 ],
 "tags": [
@@ -44864,8 +44926,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
 "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml"
@@ -45049,13 +45111,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
- "https://twitter.com/shantanukhande/status/1229348874298388484",
- "https://twitter.com/Hexacorn/status/1224848930795552769",
- "https://twitter.com/SBousseaden/status/1167417096374050817",
 "https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
- "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py",
+ "https://twitter.com/shantanukhande/status/1229348874298388484",
+ "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
+ "https://twitter.com/Hexacorn/status/1224848930795552769",
 "https://twitter.com/Wietze/status/1542107456507203586",
+ "https://twitter.com/SBousseaden/status/1167417096374050817",
+ "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml"
 ],
 "tags": [
@@ -45099,8 +45161,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml"
 ],
 "tags": [
@@ -45133,8 +45195,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml"
 ],
 "tags": [
@@ -45168,9 +45230,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
 "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process",
- "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml"
 ],
 "tags": [
@@ -45203,8 +45265,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ss64.com/nt/for.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+ "https://ss64.com/nt/for.html",
 "https://ss64.com/ps/foreach-object.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml"
 ],
@@ -45247,9 +45309,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1461041276514623491",
- "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
 "https://twitter.com/tccontre18/status/1480950986650832903",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
+ "https://twitter.com/mrd0x/status/1461041276514623491",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml"
 ],
 "tags": [
@@ -45316,8 +45378,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md",
 "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml"
 ],
 "tags": [
@@ -45501,8 +45563,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
+ "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution.yml"
 ],
 "tags": [
@@ -45536,8 +45598,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
 "https://h.43z.one/ipconverter/",
+ "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml"
 ],
 "tags": [
@@ -45628,9 +45690,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec",
 "https://www.poweradmin.com/paexec/",
 "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
- "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml"
 ],
 "tags": [
@@ -45699,9 +45761,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
- "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
 "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
+ "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
+ "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
 "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
 "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml"
@@ -45796,8 +45858,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/yarrick/iodine",
 "https://github.com/iagox86/dnscat2",
+ "https://github.com/yarrick/iodine",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml"
 ],
 "tags": [
@@ -45881,11 +45943,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
 "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
 "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
+ "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml"
 ],
 "tags": [
@@ -45918,10 +45980,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
+ "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html",
 "https://atomicredteam.io/defense-evasion/T1220/",
 "https://twitter.com/mattifestation/status/986280382042595328",
- "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html",
- "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml"
 ],
 "tags": [
@@ -45980,8 +46042,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://abuse.io/lockergoga.txt",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
 "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml"
 ],
 "tags": [
@@ -46144,13 +46206,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680",
- "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699",
- "https://github.com/vletoux/pingcastle",
- "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
 "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8",
+ "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699",
 "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1",
+ "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680",
 "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450",
+ "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
+ "https://github.com/vletoux/pingcastle",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml"
 ],
 "tags": [
@@ -46183,8 +46245,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
 "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
+ "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml"
 ],
 "tags": [
@@ -46293,8 +46355,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml"
 ],
 "tags": [
@@ -46471,8 +46533,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://nmap.org/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows",
+ "https://nmap.org/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml"
 ],
 "tags": [
@@ -46505,11 +46567,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
 "https://twitter.com/bohops/status/980659399495741441",
+ "https://twitter.com/JohnLaTwC/status/1223292479270600706",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
 "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
- "https://twitter.com/JohnLaTwC/status/1223292479270600706",
- "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml"
 ],
 "tags": [
@@ -46542,8 +46604,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
 "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml"
 ],
 "tags": [
@@ -46677,9 +46739,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml"
 ],
 "tags": [
@@ -46854,12 +46916,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
 "https://twitter.com/_JohnHammond/status/1708910264261980634",
 "https://twitter.com/egre55/status/1087685529016193025",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
+ "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml"
 ],
 "tags": [
@@ -46934,11 +46996,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
+ "https://twitter.com/christophetd/status/1164506034720952320",
+ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
 "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
 "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
- "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
- "https://twitter.com/christophetd/status/1164506034720952320",
- "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"
 ],
 "tags": [
@@ -47071,9 +47133,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
 "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
+ "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml"
 ],
 "tags": [
@@ -47183,9 +47245,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/jonasLyk/status/1555914501802921984",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
 "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
+ "https://twitter.com/jonasLyk/status/1555914501802921984",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml"
 ],
 "tags": [
@@ -47267,8 +47329,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
+ "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml"
 ],
 "tags": [
@@ -47517,8 +47579,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml"
 ],
 "tags": [
@@ -47619,12 +47681,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
- "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
- "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
- "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc",
 "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
 "https://positive.security/blog/ms-officecmd-rce",
+ "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc",
+ "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
+ "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
+ "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml"
 ],
 "tags": [
@@ -47647,8 +47709,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
 "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml"
 ],
 "tags": [
@@ -47801,8 +47863,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
 "https://ss64.com/nt/dsacls.html",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml"
 ],
 "tags": [
@@ -47935,10 +47997,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/max_mal_/status/1542461200797163522",
- "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
- "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
 "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file",
+ "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
+ "https://twitter.com/max_mal_/status/1542461200797163522",
+ "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
 "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml"
 ],
@@ -47972,9 +48034,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
- "https://twitter.com/bryon_/status/975835709587075072",
 "https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15",
+ "https://twitter.com/bryon_/status/975835709587075072",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml"
 ],
 "tags": [
@@ -48065,9 +48127,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details",
 "https://boinc.berkeley.edu/",
 "https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software",
- "https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml"
 ],
 "tags": [
@@ -48142,9 +48204,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
- "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
 "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
+ "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
+ "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml"
 ],
 "tags": [
@@ -48236,8 +48298,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml"
 ],
 "tags": [
@@ -48333,9 +48395,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md",
 "https://securelist.com/locked-out/68960/",
 "https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a",
- "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml"
 ],
 "tags": [
@@ -48401,10 +48463,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
 "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
- "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
 "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
+ "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
+ "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"
 ],
 "tags": [
@@ -48575,8 +48637,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html",
 "https://twitter.com/eral4m/status/1451112385041911809",
+ "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml"
 ],
 "tags": [
@@ -48700,8 +48762,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://twitter.com/frack113/status/1555830623633375232",
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml"
 ],
 "tags": [
@@ -48757,8 +48819,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1511415432888131586",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
+ "https://twitter.com/mrd0x/status/1511415432888131586",
 "https://twitter.com/mrd0x/status/1511489821247684615",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml"
 ],
@@ -48833,8 +48895,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/harleyQu1nn/AggressorScripts",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
+ "https://github.com/harleyQu1nn/AggressorScripts",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml"
 ],
 "tags": [
@@ -48979,8 +49041,8 @@
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
- "https://twitter.com/0gtweet/status/1583356502340870144",
 "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
+ "https://twitter.com/0gtweet/status/1583356502340870144",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml"
 ],
 "tags": [
@@ -49021,10 +49083,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
 "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
- "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
 "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
+ "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml"
 ],
 "tags": [
@@ -49057,14 +49119,14 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
- "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
 "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
 "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
 "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
- "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
 "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"
 ],
 "tags": [
@@ -49284,8 +49346,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
- "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
 "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
+ "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml"
 ],
 "tags": [
@@ -49322,8 +49384,8 @@
 "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
- "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
 "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt",
+ "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml"
 ],
 "tags": [
@@ -49365,10 +49427,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://vms.drweb.fr/virus/?i=24144899",
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
- "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
 "https://twitter.com/JohnLaTwC/status/1415295021041979392",
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
+ "https://vms.drweb.fr/virus/?i=24144899",
+ "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml"
 ],
 "tags": [
@@ -49401,9 +49463,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
 "https://attack.mitre.org/software/S0404/",
 "https://twitter.com/vxunderground/status/1423336151860002816",
+ "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml"
 ],
 "tags": [
@@ -49486,8 +49548,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml"
 ],
 "tags": [
@@ -49637,8 +49699,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
 "https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior",
+ "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml"
 ],
 "tags": [
@@ -49672,9 +49734,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
 "https://twitter.com/nas_bench/status/1537896324837781506",
 "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml"
 ],
 "tags": [
@@ -49707,8 +49769,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/fatedier/frp",
 "https://asec.ahnlab.com/en/38156/",
+ "https://github.com/fatedier/frp",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_frp.yml"
 ],
 "tags": [
@@ -49865,8 +49927,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml"
 ],
 "tags": [
@@ -49932,9 +49994,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery",
 "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf",
 "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml"
 ],
 "tags": [
@@ -50001,8 +50063,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/harr0ey/status/989617817849876488",
 "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/",
+ "https://twitter.com/harr0ey/status/989617817849876488",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml"
 ],
 "tags": [
@@ -50035,8 +50097,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
 "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048",
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml"
 ],
@@ -50079,8 +50141,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml"
 ],
 "tags": [
@@ -50196,8 +50258,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
 "https://h.43z.one/ipconverter/",
+ "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
 "https://twitter.com/fr0s7_/status/1712780207105404948",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml"
 ],
@@ -50221,10 +50283,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/",
 "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml"
 ],
 "tags": [
@@ -50355,8 +50417,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml"
 ],
 "tags": [
@@ -50468,8 +50530,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs",
 "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
+ "https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml"
 ],
 "tags": [
@@ -50502,9 +50564,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
 "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
 "https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
- "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"
 ],
 "tags": [
@@ -50537,8 +50599,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
 "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html",
+ "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml"
 ],
 "tags": [
@@ -50579,8 +50641,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8",
 "https://blackpointcyber.com/resources/blog/breaking-through-the-screen/",
+ "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml"
 ],
 "tags": [
@@ -50614,8 +50676,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml"
 ],
 "tags": [
@@ -50783,9 +50845,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173",
- "https://github.com/Ylianst/MeshAgent",
 "https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55",
+ "https://github.com/Ylianst/MeshAgent",
+ "https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml"
 ],
 "tags": [
@@ -50895,9 +50957,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/electron/rcedit",
 "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe",
 "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915",
- "https://github.com/electron/rcedit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml"
 ],
 "tags": [
@@ -50988,13 +51050,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.joeware.net/freetools/tools/adfind/",
- "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
 "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
 "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://www.joeware.net/freetools/tools/adfind/",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"
 ],
 "tags": [
@@ -51052,8 +51114,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://sourceforge.net/projects/mouselock/",
 "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
+ "https://sourceforge.net/projects/mouselock/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml"
 ],
 "tags": [
@@ -51087,8 +51149,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
 "https://twitter.com/0gtweet/status/1564968845726580736",
+ "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"
 ],
@@ -51164,8 +51226,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish",
 "http://www.irongeek.com/homoglyph-attack-generator.php",
+ "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml"
 ],
 "tags": [
@@ -51207,11 +51269,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
- "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
+ "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml"
 ],
 "tags": [
@@ -51286,8 +51348,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml"
 ],
 "tags": [
@@ -51321,8 +51383,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
- "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
 "https://github.com/jpillora/chisel/",
+ "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml"
 ],
 "tags": [
@@ -51389,8 +51451,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
- "https://twitter.com/_felamos/status/1204705548668555264",
 "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
+ "https://twitter.com/_felamos/status/1204705548668555264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml"
 ],
 "tags": [
@@ -51423,9 +51485,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
 "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_download.yml"
 ],
 "tags": [
@@ -51482,10 +51544,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
 "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
 "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
 "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
+ "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml"
 ],
 "tags": [
@@ -51551,9 +51613,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
 "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
+ "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml"
 ],
 "tags": [
@@ -51670,8 +51732,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
 "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml"
 ],
 "tags": [
@@ -51875,8 +51937,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/1ZRR4H/status/1534259727059787783",
 "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
+ "https://twitter.com/1ZRR4H/status/1534259727059787783",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml"
 ],
 "tags": [
@@ -52010,8 +52072,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.autohotkey.com/download/",
 "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/",
+ "https://www.autohotkey.com/download/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml"
 ],
 "tags": [
@@ -52067,9 +52129,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
- "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
 "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
+ "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
+ "https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml"
 ],
 "tags": [
@@ -52178,9 +52240,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
 "https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/",
 "https://github.com/outflanknl/NetshHelperBeacon",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml"
 ],
 "tags": [
@@ -52383,8 +52445,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/HiwinCN/HTran",
 "https://github.com/cw1997/NATBypass",
+ "https://github.com/HiwinCN/HTran",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml"
 ],
 "tags": [
@@ -52494,10 +52556,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
 "https://twitter.com/vysecurity/status/873181705024266241",
 "https://twitter.com/vysecurity/status/974806438316072960",
 "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml"
 ],
 "tags": [
@@ -52530,8 +52592,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
 "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml"
 ],
 "tags": [
@@ -52664,9 +52726,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
 "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml"
 ],
 "tags": [
@@ -52699,8 +52761,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
 "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
+ "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml"
 ],
 "tags": [
@@ -52841,9 +52903,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
- "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
- "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
+ "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
+ "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml"
 ],
 "tags": [
@@ -53139,8 +53201,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/pabraeken/status/993497996179492864",
 "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
+ "https://twitter.com/pabraeken/status/993497996179492864",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml"
 ],
 "tags": [
@@ -53174,8 +53236,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
- "https://lolbas-project.github.io/lolbas/Binaries/Tar/",
 "https://unit42.paloaltonetworks.com/chromeloader-malware/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Tar/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_compression.yml"
 ],
 "tags": [
@@ -53353,8 +53415,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/frgnca/AudioDeviceCmdlets",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml"
 ],
 "tags": [
@@ -53633,9 +53695,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ipfyx.fr/post/visual-studio-code-tunnel/",
 "https://code.visualstudio.com/docs/remote/tunnels",
 "https://badoption.eu/blog/2023/01/31/code_c2.html",
+ "https://ipfyx.fr/post/visual-studio-code-tunnel/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml"
 ],
 "tags": [
@@ -53670,6 +53732,7 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04",
+ "https://blog.talosintelligence.com/gophish-powerrat-dcrat/",
 "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml"
 ],
@@ -53688,7 +53751,7 @@
 }
 ],
 "uuid": "81325ce1-be01-4250-944f-b4789644556f",
- "value": "Suspicious Schtasks From Env Var Folder"
+ "value": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE"
 },
 {
 "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n",
@@ -53703,8 +53766,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
+ "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml"
 ],
 "tags": [
@@ -53780,8 +53843,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hostname_execution.yml"
 ],
 "tags": [
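Review bot: The first hunk on this line retitles a cluster element — `"value": "Suspicious Schtasks From Env Var Folder"` becomes `"value": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE"` — while keeping `"uuid": "81325ce1-be01-4250-944f-b4789644556f"`, so uuid-based lookups survive but anything that stored the old display string (MISP galaxy tags are commonly built from the cluster value) will no longer resolve to this entry. If this cluster's schema allows it, carrying the old title forward as a synonym, or at least calling the rename out in the commit message, would let consumers of the old name migrate deliberately rather than discover a dangling tag. The preceding hunk's new ref `https://blog.talosintelligence.com/gophish-powerrat-dcrat/` is the only content change nearby and looks related to the retitle, but the commit subject does not mention either; a one-line note that the rule title follows upstream would make that traceable.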
@@ -53815,8 +53878,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
 "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
 "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml"
 ],
@@ -53892,9 +53955,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/_st0pp3r_/status/1583914244344799235",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
- "https://twitter.com/_st0pp3r_/status/1583914244344799235",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"
 ],
 "tags": [
@@ -53950,8 +54013,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
 "https://twitter.com/0gtweet/status/1674399582162153472",
+ "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml"
 ],
 "tags": [
@@ -53984,8 +54047,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
 "https://twitter.com/mrd0x/status/1478234484881436672?s=12",
+ "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml"
 ],
 "tags": [
@@ -54018,9 +54081,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior",
- "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode",
+ "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
+ "https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior",
 "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml"
 ],
@@ -54054,9 +54117,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/countuponsec/status/910977826853068800",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
 "https://twitter.com/countuponsec/status/910969424215232518",
+ "https://twitter.com/countuponsec/status/910977826853068800",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml"
 ],
 "tags": [
@@ -54090,9 +54153,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.elastic.co/security-labs/operation-bleeding-bear",
- "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
- "https://twitter.com/splinter_code/status/1483815103279603714",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://twitter.com/splinter_code/status/1483815103279603714",
+ "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml"
 ],
 "tags": [
@@ -54267,8 +54330,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1206692239839289344",
 "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/",
+ "https://twitter.com/0gtweet/status/1206692239839289344",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml"
 ],
 "tags": [
@@ -54443,9 +54506,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
 "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
 "https://www.joeware.net/freetools/tools/adfind/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml"
 ],
 "tags": [
@@ -54513,8 +54576,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml",
 "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
+ "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml"
 ],
 "tags": [
@@ -54537,13 +54600,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
- "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
- "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
- "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
 "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
+ "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
+ "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
+ "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml"
 ],
 "tags": [
@@ -54579,10 +54642,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/gN3mes1s/status/1206874118282448897",
- "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
 "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
- "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
 "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe",
+ "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
+ "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml"
 ],
 "tags": [
@@ -54615,8 +54678,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virusradar.com/en/Win32_Kasidet.AD/description",
 "https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100",
+ "https://www.virusradar.com/en/Win32_Kasidet.AD/description",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml"
 ],
 "tags": [
@@ -54683,9 +54746,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec",
 "https://www.poweradmin.com/paexec/",
 "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
- "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml"
 ],
 "tags": [
@@ -54752,8 +54815,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ss64.com/nt/logman.html",
 "https://twitter.com/0gtweet/status/1359039665232306183?s=21",
+ "https://ss64.com/nt/logman.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml"
 ],
 "tags": [
@@ -54919,9 +54982,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/pull/151",
 "https://twitter.com/SwiftOnSecurity/status/1455897435063074824",
 "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/",
+ "https://github.com/LOLBAS-Project/LOLBAS/pull/151",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml"
 ],
 "tags": [
@@ -54997,8 +55060,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ss64.com/nt/cmd.html",
 "https://twitter.com/cyb3rops/status/1562072617552678912",
+ "https://ss64.com/nt/cmd.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml"
 ],
 "tags": [
@@ -55166,9 +55229,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
- "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
 "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
+ "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
+ "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml"
 ],
 "tags": [
@@ -55368,9 +55431,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
 "https://guides.lib.umich.edu/c.php?g=282942&p=1885348",
 "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml"
 ],
 "tags": [
@@ -55404,8 +55467,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://mez0.cc/posts/cobaltstrike-powershell-exec/",
- "https://redcanary.com/blog/yellow-cockatoo/",
 "https://zero2auto.com/2020/05/19/netwalker-re/",
+ "https://redcanary.com/blog/yellow-cockatoo/",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml"
 ],
@@ -55498,8 +55561,8 @@
 "logsource.category": "wmi_event",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml"
 ],
@@ -55533,9 +55596,9 @@
 "logsource.category": "wmi_event",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
 "https://github.com/RiccardoAncarani/LiquidSnake",
 "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
- "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml"
 ],
 "tags": [
@@ -55679,9 +55742,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://ipfyx.fr/post/visual-studio-code-tunnel/",
- "https://badoption.eu/blog/2023/01/31/code_c2.html",
 "https://cydefops.com/vscode-data-exfiltration",
+ "https://badoption.eu/blog/2023/01/31/code_c2.html",
+ "https://ipfyx.fr/post/visual-studio-code-tunnel/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml"
 ],
 "tags": [
@@ -55714,8 +55777,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security",
 "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2",
+ "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security",
 "https://cydefops.com/devtunnels-unleashed",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml"
 ],
@@ -55749,8 +55812,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/russian-targeting-gov-business",
 "https://megatools.megous.com/",
+ "https://www.mandiant.com/resources/russian-targeting-gov-business",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml"
 ],
 "tags": [
@@ -55970,11 +56033,11 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
- "https://youtu.be/n2dFlSaBBKo",
- "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/",
- "https://github.com/looCiprian/GC2-sheet",
 "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/",
+ "https://github.com/looCiprian/GC2-sheet",
+ "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/",
+ "https://youtu.be/n2dFlSaBBKo",
+ "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml"
 ],
 "tags": [
@@ -56041,8 +56104,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download",
 "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml"
 ],
 "tags": [
@@ -56109,8 +56172,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/rapid7/metasploit-framework/issues/11337",
- "https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2",
 "https://portmap.io/",
+ "https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_portmap.yml"
 ],
 "tags": [
@@ -56187,8 +56250,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide",
 "https://corelight.com/blog/detecting-cve-2021-42292",
+ "https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml"
 ],
 "tags": [
@@ -56256,8 +56319,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/",
- "Internal Research",
 "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml"
 ],
 "tags": [
@@ -56458,11 +56521,11 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/M_haggis/status/900741347035889665",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
 "https://twitter.com/M_haggis/status/1032799638213066752",
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://twitter.com/M_haggis/status/900741347035889665",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml"
 ],
 "tags": [
@@ -56564,8 +56627,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/",
 "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
+ "https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/",
 "https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml"
 ],
@@ -56600,8 +56663,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d",
- "https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/",
 "https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html",
+ "https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/",
 "https://tria.ge/240301-rk34sagf5x/behavioral2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml"
 ],
@@ -56658,10 +56721,10 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
+ "https://ngrok.com/blog-post/new-ngrok-domains",
+ "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf",
 "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/",
 "https://ngrok.com/",
- "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf",
- "https://ngrok.com/blog-post/new-ngrok-domains",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok.yml"
 ],
 "tags": [
@@ -56694,8 +56757,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c",
 "https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md",
+ "https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml"
 ],
 "tags": [
@@ -56728,9 +56791,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
+ "https://www.poolwatch.io/coin/monero",
 "https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt",
 "https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files",
- "https://www.poolwatch.io/coin/monero",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml"
 ],
 "tags": [
@@ -56839,8 +56902,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/",
 "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia",
+ "https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/",
 "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml"
@@ -56883,8 +56946,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
 "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb",
+ "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml"
 ],
 "tags": [
@@ -56985,8 +57048,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://localtonet.com/documents/supported-tunnels",
 "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications",
+ "https://localtonet.com/documents/supported-tunnels",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_localtonet_tunnel.yml"
 ],
 "tags": [
@@ -57180,8 +57243,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/forensicitguy/status/1513538712986079238",
 "https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/",
+ "https://twitter.com/forensicitguy/status/1513538712986079238",
 "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml"
 ],
@@ -57215,10 +57278,10 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a",
- "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md",
 "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+ "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md",
 "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml"
 ],
 "tags": [
@@ -57353,12 +57416,12 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/kleiton0x00/RedditC2",
- "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
 "https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/",
+ "https://github.com/kleiton0x00/RedditC2",
 "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al",
 "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
 "https://twitter.com/kleiton0x7e/status/1600567316810551296",
+ "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml"
 ],
 "tags": [
@@ -57519,8 +57582,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://ngrok.com/",
 "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
+ "https://ngrok.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml"
 ],
 "tags": [
@@ -57621,8 +57684,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
 "https://twitter.com/malmoeb/status/1535142803075960832",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml"
 ],
 "tags": [
@@ -57656,10 +57719,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
- "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://twitter.com/malmoeb/status/1535142803075960832",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml"
 ],
 "tags": [
@@ -57763,8 +57826,8 @@
 "refs": [
 "https://isc.sans.edu/diary/22264",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml"
 ],
 "tags": [
@@ -57799,8 +57862,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
- "https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker",
+ "https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml"
 ],
 "tags": [
@@ -58032,9 +58095,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule",
 "https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170",
 "https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml"
 ],
 "tags": [
@@ -58222,8 +58285,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1096148422984384514",
 "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx",
+ "https://twitter.com/SBousseaden/status/1096148422984384514",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml"
 ],
 "tags": [
@@ -58275,8 +58338,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/duzvik/status/1269671601852813320",
 "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072",
+ "https://twitter.com/duzvik/status/1269671601852813320",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml"
 ],
 "tags": [
@@ -58451,9 +58514,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/_dirkjan/status/1309214379003588608",
 "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
 "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
- "https://twitter.com/_dirkjan/status/1309214379003588608",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml"
 ],
 "tags": [
@@ -58652,9 +58715,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
 "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
 "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html",
+ "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml"
 ],
 "tags": [
@@ -58722,8 +58785,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity",
 "https://adsecurity.org/?p=3458",
+ "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml"
 ],
 "tags": [
@@ -58917,8 +58980,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html",
- "https://twitter.com/SBousseaden/status/1490608838701166596",
 "https://www.x86matthew.com/view_post?id=create_svc_rpc",
+ "https://twitter.com/SBousseaden/status/1490608838701166596",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml"
 ],
 "tags": [
@@ -58951,8 +59014,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625",
 "https://twitter.com/SBousseaden/status/1101431884540710913",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml"
 ],
 "tags": [
@@ -59029,8 +59092,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml"
 ],
 "tags": [
@@ -59205,10 +59268,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml"
 ],
 "tags": [
@@ -59231,8 +59294,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662",
+ "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
 "https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all",
 "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml"
@@ -59375,8 +59438,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649",
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml"
 ],
 "tags": [
@@ -59442,9 +59505,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647",
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml"
 ],
 "tags": [
@@ -59578,8 +59641,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
 "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
+ "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
 "https://github.com/topotam/PetitPotam",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml"
 ],
@@ -59680,8 +59743,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.trustedsec.com/blog/art_of_kerberoast/",
 "https://adsecurity.org/?p=3513",
+ "https://www.trustedsec.com/blog/art_of_kerberoast/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_kerberoasting_activity.yml"
 ],
 "tags": [
@@ -59714,16 +59777,16 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
 "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
 "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
 "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml"
 ],
 "tags": [
@@ -59806,9 +59869,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/menasec1/status/1106899890377052160",
 "https://www.secureworks.com/blog/ransomware-as-a-distraction",
 "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html",
- "https://twitter.com/menasec1/status/1106899890377052160",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml"
 ],
 "tags": [
@@ -59883,9 +59946,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
 "https://adsecurity.org/?p=3466",
 "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
+ "https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml"
 ],
 "tags": [
@@ -60027,8 +60090,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
- "https://www.sans.org/webcasts/119395",
 "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
+ "https://www.sans.org/webcasts/119395",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml"
 ],
 "tags": [
@@ -60080,8 +60143,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/gentilkiwi/status/1003236624925413376",
- "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
 "https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48",
+ "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml"
 ],
 "tags": [
@@ -60114,10 +60177,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
 "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
- "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
 "https://twitter.com/MsftSecIntel/status/1257324139515269121",
+ "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
+ "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
 ],
 "tags": [
@@ -60292,9 +60355,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
 "https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete",
 "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml"
 ],
 "tags": [
@@ -60354,8 +60417,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/SBousseaden/status/1581300963650187264?",
- "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
 "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
+ "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml"
 ],
 "tags": [
@@ -60388,8 +60451,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml",
 "https://o365blog.com/post/hybridhealthagent/",
+ "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml"
 ],
 "tags": [
@@ -60422,8 +60485,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
 "https://adsecurity.org/?p=2053",
+ "https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml"
 ],
 "tags": [
@@ -60456,8 +60519,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml"
 ],
 "tags": [
@@ -60490,9 +60553,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616",
 "Live environment caused by malware",
+ "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml"
 ],
 "tags": [
@@ -60558,9 +60621,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://x.com/_st0pp3r_/status/1742203752361128162?s=20",
- "https://github.com/deepinstinct/NoFilter",
 "https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp",
+ "https://github.com/deepinstinct/NoFilter",
+ "https://x.com/_st0pp3r_/status/1742203752361128162?s=20",
 "https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_nofilter.yml"
 ],
@@ -60719,8 +60782,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
 "https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
 "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_audit_log_cleared.yml"
 ],
@@ -60755,9 +60818,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
 "https://twitter.com/SecurityJosh/status/1283027365770276866",
 "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
- "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
 "https://twitter.com/Flangvik/status/1283054508084473861",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
 ],
@@ -60866,9 +60929,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
 "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
 "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html",
+ "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml"
 ],
 "tags": [
@@ -60901,9 +60964,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741",
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml"
 ],
 "tags": [
@@ -60936,8 +60999,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
+ "https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml"
 ],
 "tags": [
@@ -61291,9 +61354,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
 "https://github.com/fox-it/LDAPFragger",
 "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
+ "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml"
 ],
 "tags": [
@@ -61667,10 +61730,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662",
 "https://twitter.com/gentilkiwi/status/1003236624925413376",
- "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662",
 "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
+ "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
 ],
 "tags": [
@@ -61704,8 +61767,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml"
 ],
 "tags": [
@@ -62039,8 +62102,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
 "https://twitter.com/menasec1/status/1111556090137903104",
+ "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml"
 ],
 "tags": [
@@ -62073,8 +62136,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423",
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml"
 ],
 "tags": [
@@ -62251,9 +62314,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
 "https://twitter.com/malmoeb/status/1511760068743766026",
 "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
+ "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml"
 ],
 "tags": [
@@ -62289,8 +62352,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml",
 "https://github.com/topotam/PetitPotam",
+ "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml"
 ],
 "tags": [
@@ -62356,8 +62419,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673",
+ "https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml"
 ],
 "tags": [
@@ -62391,10 +62454,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/sensepost/ruler",
- "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776",
- "https://github.com/sensepost/ruler/issues/47",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624",
+ "https://github.com/sensepost/ruler/issues/47",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776",
+ "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
 ],
 "tags": [
@@ -62714,8 +62777,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit",
 "https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md",
+ "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml"
 ],
 "tags": [
@@ -62984,8 +63047,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
 "https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708",
+ "https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml"
 ],
 "tags": [
@@ -63104,8 +63167,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html",
 "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation",
+ "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml"
 ],
 "tags": [
@@ -63198,11 +63261,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml"
 ],
 "tags": [
@@ -63355,11 +63418,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml"
 ],
 "tags": [
@@ -63393,10 +63456,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml"
 ],
 "tags": [
@@ -63429,9 +63492,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/amjcyber/EDRNoiseMaker",
- "https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983",
 "https://github.com/netero1010/EDRSilencer",
+ "https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983",
+ "https://github.com/amjcyber/EDRNoiseMaker",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml"
 ],
 "tags": [
@@ -63675,9 +63738,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
- "https://twitter.com/SBousseaden/status/1483810148602814466",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
+ "https://twitter.com/SBousseaden/status/1483810148602814466",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml"
 ],
 "tags": [
@@ -63700,9 +63763,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/wdormann/status/1590434950335320065",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
+ "https://twitter.com/wdormann/status/1590434950335320065",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml"
 ],
 "tags": [
@@ -64298,9 +64361,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/KevTheHermit/status/1410203844064301056",
- "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/",
 "https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare",
+ "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/",
+ "https://twitter.com/KevTheHermit/status/1410203844064301056",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml"
 ],
 "tags": [
@@ -64366,8 +64429,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
 "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
+ "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml"
 ],
 "tags": [
@@ -64401,9 +64464,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml"
 ],
 "tags": [
@@ -64436,8 +64499,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands",
 "https://twitter.com/duff22b/status/1280166329660497920",
+ "https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml"
 ],
 "tags": [
@@ -64546,9 +64609,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012",
+ "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml"
 ],
 "tags": [
@@ -64581,8 +64644,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
 "https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e",
+ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml"
 ],
 "tags": [
@@ -64638,9 +64701,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010",
 "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml"
 ],
 "tags": [
@@ -64740,8 +64803,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
- "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml"
 ],
 "tags": [
@@ -64774,9 +64837,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346",
 "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/",
 "Internal Research",
- "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml"
 ],
 "tags": [
@@ -64809,8 +64872,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware",
 "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml"
 ],
 "tags": [
@@ -64843,8 +64906,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware",
 "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml"
 ],
 "tags": [
@@ -64911,10 +64974,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
+ "https://www.nextron-systems.com/?s=antivirus",
 "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
 "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
- "https://www.nextron-systems.com/?s=antivirus",
- "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml"
 ],
 "tags": [
@@ -64989,8 +65052,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
 "https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
 "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml"
 ],
@@ -65124,11 +65187,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/VM_vivisector/status/1217190929330655232",
 "https://twitter.com/DidierStevens/status/1217533958096924676",
+ "https://twitter.com/VM_vivisector/status/1217190929330655232",
+ "https://www.youtube.com/watch?v=ebmW42YYveI",
 "https://nullsec.us/windows-event-log-audit-cve/",
 "https://twitter.com/FlemmingRiis/status/1217147415482060800",
- "https://www.youtube.com/watch?v=ebmW42YYveI",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml"
 ],
 "tags": [
@@ -65207,8 +65270,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml"
 ],
 "tags": [
@@ -65278,9 +65341,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
 "https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml"
 ],
 "tags": [
@@ -65303,8 +65366,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml"
 ],
 "tags": [
@@ -65559,8 +65622,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",
 "https://github.com/SigmaHQ/sigma/pull/4467",
+ "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml"
 ],
 "tags": [
@@ -65593,8 +65656,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",
 "https://github.com/SigmaHQ/sigma/pull/4467",
+ "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml"
 ],
 "tags": [
@@ -65625,11 +65688,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
 "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
- "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
 "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
 "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
+ "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
 "https://ipurple.team/2024/07/15/sharphound-detection/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
 ],
@@ -65746,8 +65809,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)",
+ "https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml"
 ],
 "tags": [
@@ -65902,8 +65965,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.secura.com/blog/zero-logon",
 "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
+ "https://www.secura.com/blog/zero-logon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml"
 ],
 "tags": [
@@ -66145,9 +66208,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60",
 "https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/",
 "https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296",
- "https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml"
 ],
 "tags": [
@@ -66476,8 +66539,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml"
 ],
 "tags": [
@@ -66651,8 +66714,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
- "https://www.sans.org/webcasts/119395",
 "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
+ "https://www.sans.org/webcasts/119395",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml"
 ],
 "tags": [
@@ -67231,8 +67294,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml"
 ],
 "tags": [
@@ -67522,8 +67585,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml"
 ],
 "tags": [
@@ -67599,9 +67662,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/wdormann/status/1347958161609809921",
- "https://twitter.com/jonasLyk/status/1347900440000811010",
 "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
+ "https://twitter.com/jonasLyk/status/1347900440000811010",
+ "https://twitter.com/wdormann/status/1347958161609809921",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml"
 ],
 "tags": [
@@ -67667,8 +67730,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708",
 "https://github.com/Ekultek/BlueKeep",
+ "https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml"
 ],
 "tags": [
@@ -67852,8 +67915,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10)",
+ "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml"
 ],
 "tags": [
@@ -67920,8 +67983,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
 "https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml"
 ],
 "tags": [
@@ -67956,8 +68019,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
 "https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml"
 ],
 "tags": [
@@ -67991,9 +68054,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
 "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
 "https://twitter.com/gentilkiwi/status/861641945944391680",
+ "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml"
 ],
 "tags": [
@@ -68108,11 +68171,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
+ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
 "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
+ "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
 "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
 "https://winaero.com/enable-openssh-server-windows-10/",
- "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
 ],
 "tags": [
@@ -68145,9 +68208,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis",
 "https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview",
 "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
- "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis",
 "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_module_added.yml"
 ],
@@ -68190,8 +68253,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/",
 "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis",
+ "https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/",
 "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml"
 ],
@@ -68233,9 +68296,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis",
 "https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview",
 "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
- "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis",
 "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_module_removed.yml"
 ],
@@ -68278,8 +68341,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging",
 "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis",
+ "https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging",
 "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml"
 ],
@@ -68321,9 +68384,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers",
- "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection",
 "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml",
+ "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection",
+ "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml"
 ],
 "tags": [
@@ -68380,8 +68443,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
+ "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -68616,9 +68679,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml"
 ],
 "tags": [
@@ -68665,10 +68728,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "Internal Research",
 "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml"
 ],
 "tags": [
@@ -68691,10 +68754,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "Internal Research",
 "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml"
 ],
 "tags": [
@@ -68717,10 +68780,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "Internal Research",
 "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml"
 ],
 "tags": [
@@ -68743,10 +68806,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "Internal Research",
 "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml"
 ],
 "tags": [
@@ -69040,11 +69103,11 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/",
- "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
- "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
 "https://hijacklibs.net/",
 "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
+ "https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/",
+ "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
+ "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml"
 ],
 "tags": [
@@ -69296,9 +69359,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/",
- "https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python",
 "https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/",
+ "https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python",
+ "https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_python.yml"
 ],
 "tags": [
@@ -69331,8 +69394,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/oulusoyum/status/1191329746069655553",
 "https://twitter.com/mattifestation/status/1196390321783025666",
+ "https://twitter.com/oulusoyum/status/1191329746069655553",
 "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_tttracer_module_load.yml"
 ],
@@ -69463,9 +69526,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html",
- "https://twitter.com/dez_/status/986614411711442944",
 "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
+ "https://twitter.com/dez_/status/986614411711442944",
+ "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml"
 ],
 "tags": [
@@ -69573,12 +69636,12 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://decoded.avast.io/martinchlumecky/png-steganography/",
 "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
- "https://github.com/Wh04m1001/SysmonEoP",
- "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
 "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
+ "https://github.com/Wh04m1001/SysmonEoP",
+ "https://decoded.avast.io/martinchlumecky/png-steganography/",
 "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
+ "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml"
 ],
 "tags": [
@@ -69622,10 +69685,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html",
 "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/",
- "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/",
 "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/",
+ "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/",
+ "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml"
 ],
 "tags": [
@@ -69733,10 +69796,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
- "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
- "https://github.com/tyranid/DotNetToJScript",
 "https://thewover.github.io/Introducing-Donut/",
+ "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
+ "https://github.com/tyranid/DotNetToJScript",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"
 ],
 "tags": [
@@ -69770,8 +69833,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/",
 "https://www.qurium.org/alerts/targeted-malware-against-crph/",
+ "https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_smadhook.yml"
 ],
 "tags": [
@@ -69879,8 +69942,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html",
 "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/",
+ "https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml"
 ],
 "tags": [
@@ -70032,8 +70095,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
 "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
+ "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml"
 ],
 "tags": [
@@ -70076,11 +70139,11 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html",
+ "https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/",
 "https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/",
 "https://twitter.com/DTCERT/status/1712785426895839339",
 "https://twitter.com/Max_Mal_/status/1775222576639291859",
- "https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/",
+ "https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_keyscrambler.yml"
 ],
 "tags": [
@@ -70122,9 +70185,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
 "https://github.com/bohops/WSMan-WinRM",
 "https://twitter.com/chadtilbury/status/1275851297770610688",
+ "https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
 "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml"
 ],
@@ -70609,9 +70672,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
- "https://twitter.com/HunterPlaybook/status/1301207718355759107",
 "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
+ "https://twitter.com/HunterPlaybook/status/1301207718355759107",
+ "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml"
 ],
 "tags": [
@@ -70646,8 +70709,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/",
 "https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/",
+ "https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml"
 ],
 "tags": [
@@ -70755,8 +70818,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC",
 "https://twitter.com/wdormann/status/1547583317410607110",
+ "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml"
 ],
 "tags": [
@@ -70791,8 +70854,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/p3nt4/PowerShdll",
 "https://adsecurity.org/?p=2921",
+ "https://github.com/p3nt4/PowerShdll",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml"
 ],
 "tags": [
@@ -70825,8 +70888,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/",
 "https://github.com/ly4k/SpoolFool",
+ "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml"
 ],
 "tags": [
@@ -70906,9 +70969,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true",
 "https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql",
 "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
+ "https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_unsigned_dll.yml"
 ],
 "tags": [
@@ -71035,9 +71098,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/t3ft3lb/status/1656194831830401024",
- "https://www.roboform.com/",
 "https://twitter.com/StopMalvertisin/status/1648604148848549888",
+ "https://www.roboform.com/",
+ "https://twitter.com/t3ft3lb/status/1656194831830401024",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml"
 ],
 "tags": [
@@ -71121,10 +71184,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
 "https://github.com/S12cybersecurity/RDPCredentialStealer",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
 "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html",
+ "https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml"
 ],
 "tags": [
@@ -71301,8 +71364,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/tifkin_/status/1321916444557365248",
 "https://twitter.com/rbmaslen/status/1321859647091970051",
+ "https://twitter.com/tifkin_/status/1321916444557365248",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml"
 ],
 "tags": [
@@ -71553,8 +71616,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/binderlabs/DirCreate2System",
 "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
+ "https://github.com/binderlabs/DirCreate2System",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml"
 ],
 "tags": [
@@ -71632,10 +71695,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html",
 "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/",
- "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/",
 "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/",
+ "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/",
+ "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml"
 ],
 "tags": [
@@ -72335,8 +72398,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://github.com/gabe-k/themebleed",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_rundll32_remote_share_load.yml"
 ],
 "tags": [
@@ -72414,9 +72477,9 @@
 "logsource.category": "ps_classic_start",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/besimorhino/powercat",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
 "https://nmap.org/ncat/",
- "https://github.com/besimorhino/powercat",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml"
 ],
 "tags": [
@@ -72810,8 +72873,8 @@
 "logsource.category": "ps_classic_start",
 "logsource.product": "windows",
 "refs": [
- "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
+ "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml"
 ],
 "tags": [
@@ -73010,8 +73073,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA",
 "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
+ "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml"
 ],
 "tags": [
@@ -73079,8 +73142,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml"
 ],
 "tags": [
@@ -73217,8 +73280,8 @@
 "https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
 "http://woshub.com/manage-windows-firewall-powershell/",
 "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
- "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
 "https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps",
+ "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml"
 ],
 "tags": [
@@ -73352,8 +73415,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting",
 "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml"
 ],
 "tags": [
@@ -73647,8 +73710,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml"
 ],
 "tags": [
@@ -73846,24 +73909,24 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://adsecurity.org/?p=2921",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/Kevin-Robertson/Powermad",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/adrecon/AzureADRecon",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/besimorhino/powercat",
 "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
 "https://github.com/adrecon/ADRecon",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
 "https://github.com/samratashok/nishang",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/besimorhino/powercat",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/Kevin-Robertson/Powermad",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"
 ],
 "tags": [
@@ -74162,8 +74225,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319",
 "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1",
+ "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml"
 ],
 "tags": [
@@ -74197,8 +74260,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml"
 ],
 "tags": [
@@ -74419,8 +74482,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml"
 ],
 "tags": [
@@ -74486,8 +74549,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml"
 ],
 "tags": [
@@ -74671,8 +74734,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.powershellgallery.com/packages/DSInternals",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount",
+ "https://www.powershellgallery.com/packages/DSInternals",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml"
 ],
 "tags": [
@@ -74850,8 +74913,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml"
 ],
 "tags": [
@@ -75008,8 +75071,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh",
 "https://github.com/Arno0x/DNSExfiltrator",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml"
 ],
 "tags": [
@@ -75042,8 +75105,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
 "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
+ "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml"
 ],
 "tags": [
@@ -75109,8 +75172,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://t.co/ezOTGy1a1G",
 "https://twitter.com/JohnLaTwC/status/850381440629981184",
+ "https://t.co/ezOTGy1a1G",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml"
 ],
 "tags": [
@@ -75298,8 +75361,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
 "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml"
 ],
 "tags": [
@@ -75332,10 +75395,10 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://youtu.be/5mqid-7zp8k?t=2481",
 "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
+ "https://youtu.be/5mqid-7zp8k?t=2481",
+ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml"
 ],
 "tags": [
@@ -75433,8 +75496,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
+ "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml"
 ],
 "tags": [
@@ -75619,8 +75682,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://www.fortypoundhead.com/showcontent.asp?artid=24022",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml"
 ],
 "tags": [
@@ -75653,9 +75716,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
 "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
 "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml"
 ],
 "tags": [
@@ -75688,8 +75751,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/harleyQu1nn/AggressorScripts",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
+ "https://github.com/harleyQu1nn/AggressorScripts",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml"
 ],
 "tags": [
@@ -75879,9 +75942,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7",
- "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
 "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
 "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
+ "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml"
 ],
 "tags": [
@@ -76145,9 +76208,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication",
 "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a",
 "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41",
+ "https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml"
 ],
 "tags": [
@@ -76180,9 +76243,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
- "https://thedfirreport.com/2020/10/08/ryuks-return",
 "https://adsecurity.org/?p=2277",
+ "https://thedfirreport.com/2020/10/08/ryuks-return",
+ "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
 "https://powersploit.readthedocs.io/en/stable/Recon/README",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml"
 ],
@@ -76249,9 +76312,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
+ "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml"
 ],
 "tags": [
@@ -76528,11 +76591,11 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841",
- "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md",
- "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/",
 "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841",
+ "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/",
 "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team",
+ "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml"
 ],
 "tags": [
@@ -76692,8 +76755,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
+ "https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml"
 ],
 "tags": [
@@ -76726,9 +76789,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
 "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml"
 ],
 "tags": [
@@ -76919,8 +76982,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/NathanMcNulty/status/1569497348841287681",
 "https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps",
+ "https://twitter.com/NathanMcNulty/status/1569497348841287681",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml"
 ],
 "tags": [
@@ -77088,8 +77151,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine",
+ "https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml"
 ],
 "tags": [
@@ -77266,8 +77329,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
- "https://twitter.com/oroneequalsone/status/1568432028361830402",
 "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
+ "https://twitter.com/oroneequalsone/status/1568432028361830402",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml"
 ],
 "tags": [
@@ -77335,8 +77398,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4",
- "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
+ "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml"
 ],
 "tags": [
@@ -77369,9 +77432,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
 "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
+ "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml"
 ],
 "tags": [
@@ -77427,8 +77490,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml"
 ],
 "tags": [
@@ -77461,8 +77524,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
 "https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml"
 ],
 "tags": [
@@ -77561,8 +77624,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps",
 "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
+ "https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml"
 ],
 "tags": [
@@ -77629,8 +77692,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://techgenix.com/malicious-powershell-scripts-evade-detection/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md",
+ "https://techgenix.com/malicious-powershell-scripts-evade-detection/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml"
 ],
 "tags": [
@@ -77966,8 +78029,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)",
- "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt",
+ "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml"
 ],
 "tags": [
@@ -78141,8 +78204,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md",
 "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml"
 ],
 "tags": [
@@ -78175,9 +78238,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
- "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml"
 ],
 "tags": [
@@ -78243,10 +78306,10 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
 "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
- "https://twitter.com/ScumBots/status/1610626724257046529",
+ "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
 "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
+ "https://twitter.com/ScumBots/status/1610626724257046529",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml"
 ],
 "tags": [
@@ -78280,8 +78343,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso",
+ "https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml"
 ],
 "tags": [
@@ -78475,41 +78538,6 @@
 "uuid": "48a45d45-8112-416b-8a67-46e03a4b2107",
 "value": "Remove Account From Domain Admin Group"
 },
- {
- "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n",
- "meta": {
- "author": "frack113",
- "creation_date": "2022-09-26",
- "falsepositive": [
- "Legitimate script"
- ],
- "filename": "posh_ps_send_mailmessage.yml",
- "level": "medium",
- "logsource.category": "ps_script",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
- "https://www.ietf.org/rfc/rfc2821.txt",
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1048.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "9a7afa56-4762-43eb-807d-c3dc9ffe211b",
- "value": "Powershell Exfiltration Over SMTP"
- },
 {
 "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine",
 "meta": {
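Review bot: The cluster with uuid `9a7afa56-4762-43eb-807d-c3dc9ffe211b` ("Powershell Exfiltration Over SMTP") is deleted outright here, so any MISP event, taxonomy or other galaxy entry that already tags or `related`-links that UUID will dangle once this version is distributed, and the `related-to` edge to `fb8d023d-45be-47e9-bc51-f56bcae6435b` goes away silently. Galaxy UUIDs are meant to be stable identifiers, so if the upstream Sigma rule `posh_ps_send_mailmessage.yml` was retired or moved, the safer change is to keep the entry and mark it as retired in `meta` using whatever deprecation marker this galaxy already uses for removed rules (I cannot see that convention from the diff), rather than drop it. At minimum the commit message should state why this single rule disappeared while every other hunk is a pure reordering, so a consumer tracing a missing tag has something to go on.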
@@ -78960,8 +78988,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb",
 "https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code",
+ "https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml"
 ],
 "tags": [
@@ -79126,23 +79154,23 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/nettitude/Invoke-PowerThIEf",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/NetSPI/PowerUpSQL",
- "https://github.com/PowerShellMafia/PowerSploit",
- "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
 "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/besimorhino/powercat",
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu",
 "https://github.com/CsEnox/EventViewer-UACBypass",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
 "https://github.com/samratashok/nishang",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/nettitude/Invoke-PowerThIEf",
+ "https://github.com/NetSPI/PowerUpSQL",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/besimorhino/powercat",
+ "https://github.com/PowerShellMafia/PowerSploit",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml"
 ],
 "tags": [
@@ -79175,8 +79203,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md",
 "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
+ "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml"
 ],
 "tags": [
@@ -79285,24 +79313,24 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://adsecurity.org/?p=2921",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/Kevin-Robertson/Powermad",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/adrecon/AzureADRecon",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/besimorhino/powercat",
 "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
 "https://github.com/adrecon/ADRecon",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
 "https://github.com/samratashok/nishang",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/besimorhino/powercat",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/Kevin-Robertson/Powermad",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"
 ],
 "tags": [
@@ -79651,9 +79679,9 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
- "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
 "https://www.mdeditor.tw/pl/pgRt",
+ "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
+ "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml"
 ],
 "tags": [
@@ -79879,8 +79907,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/16",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml"
 ],
 "tags": [
@@ -79938,8 +79966,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
+ "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml"
 ],
 "tags": [
@@ -79973,17 +80001,17 @@
 "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/fortra/nanodump",
- "https://github.com/xuanxuan0/DripLoader",
- "https://github.com/antonioCoco/RoguePotato",
- "https://github.com/ohpe/juicy-potato",
- "https://github.com/codewhitesec/HandleKatz",
- "https://github.com/hfiref0x/UACME",
 "https://github.com/outflanknl/Dumpert",
 "https://github.com/topotam/PetitPotam",
- "https://www.tarasco.org/security/pwdump_7/",
+ "https://github.com/antonioCoco/RoguePotato",
+ "https://github.com/codewhitesec/HandleKatz",
 "https://github.com/gentilkiwi/mimikatz",
+ "https://github.com/fortra/nanodump",
+ "https://github.com/xuanxuan0/DripLoader",
+ "https://github.com/ohpe/juicy-potato",
 "https://github.com/wavestone-cdt/EDRSandblast",
+ "https://github.com/hfiref0x/UACME",
+ "https://www.tarasco.org/security/pwdump_7/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml"
 ],
 "tags": [
@@ -80134,9 +80162,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/",
- "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
+ "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
+ "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml"
 ],
 "tags": [
@@ -80204,8 +80232,8 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html",
 "https://github.com/codewhitesec/SysmonEnte/",
+ "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html",
 "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml"
 ],
@@ -80319,10 +80347,10 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
- "https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
- "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
+ "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml"
 ],
 "tags": [
@@ -80528,9 +80556,9 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1541920424635912196",
- "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
 "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
+ "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
+ "https://twitter.com/SBousseaden/status/1541920424635912196",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml"
 ],
 "tags": [
@@ -80563,8 +80591,8 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/_xpn_/status/1491557187168178176",
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
+ "https://twitter.com/_xpn_/status/1491557187168178176",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml"
 ],
 "tags": [
@@ -80868,8 +80896,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/mrd0x/status/1460597833917251595",
- "https://twitter.com/_xpn_/status/1491557187168178176",
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
+ "https://twitter.com/_xpn_/status/1491557187168178176",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml"
 ],
 "tags": [
@@ -80903,11 +80931,11 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
+ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml"
 ],
 "tags": [
@@ -81256,10 +81284,10 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
+ "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
+ "https://threatpost.com/microsoft-petitpotam-poc/168163/",
 "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
 "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
- "https://threatpost.com/microsoft-petitpotam-poc/168163/",
- "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml"
 ],
 "tags": [
@@ -81299,9 +81327,9 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://github.com/nknorg/nkn-sdk-go",
- "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
 "https://github.com/Maka8ka/NGLite",
+ "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
+ "https://github.com/nknorg/nkn-sdk-go",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml"
 ],
 "tags": [
@@ -81428,8 +81456,8 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
 "https://twitter.com/neu5ron/status/1438987292971053057?s=20",
+ "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml"
 ],
 "tags": [
@@ -81546,11 +81574,11 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://github.com/corelight/CVE-2021-1675",
- "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
- "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
 "https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
+ "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
+ "https://github.com/corelight/CVE-2021-1675",
+ "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml"
 ],
@@ -81579,9 +81607,9 @@
 "logsource.product": "zeek",
 "refs": [
 "https://tools.ietf.org/html/rfc2929#section-2.1",
+ "https://twitter.com/neu5ron/status/1346245602502443009",
 "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
 "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
- "https://twitter.com/neu5ron/status/1346245602502443009",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml"
 ],
 "tags": [
@@ -81738,9 +81766,9 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
+ "https://twitter.com/_dirkjan/status/1309214379003588608",
 "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
 "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
- "https://twitter.com/_dirkjan/status/1309214379003588608",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml"
 ],
 "tags": [
@@ -81962,8 +81990,8 @@
 "logsource.category": "No established category",
 "logsource.product": "cisco",
 "refs": [
- "https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609",
 "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html",
+ "https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_clear_logs.yml"
 ],
 "tags": [
@@ -82579,8 +82607,8 @@
 "logsource.category": "dns",
 "logsource.product": "No established product",
 "refs": [
- "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
+ "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -82613,8 +82641,8 @@
 "logsource.category": "dns",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1",
 "https://twitter.com/stvemillertime/status/1024707932447854592",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml"
 ],
 "tags": [
@@ -82653,6 +82681,7 @@
 "tags": [
 "attack.impact",
 "attack.t1496",
+ "attack.exfiltration",
 "attack.t1567"
 ]
 },
@@ -82689,9 +82718,9 @@
 "logsource.product": "No established product",
 "refs": [
 "https://core.telegram.org/bots/faq",
- "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
 "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
 "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml"
 ],
 "tags": [
@@ -82820,9 +82849,9 @@
 "logsource.category": "firewall",
 "logsource.product": "No established product",
 "refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml"
 ],
 "tags": [
@@ -82913,11 +82942,11 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile",
- "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/",
- "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
 "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile",
+ "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/",
 "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile",
+ "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile",
+ "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml"
 ],
 "tags": [
@@ -82951,10 +82980,10 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462",
- "https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
 "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html",
 "https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4",
+ "https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
+ "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_webdav_external_execution.yml"
 ],
 "tags": [
@@ -83029,9 +83058,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.spamhaus.org/statistics/tlds/",
 "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
 "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
+ "https://www.spamhaus.org/statistics/tlds/",
 "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml"
 ],
@@ -83195,12 +83224,12 @@
 "refs": [
 "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
 "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
- "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large",
- "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
- "http://www.botopedia.org/search?searchword=scan&searchphrase=all",
- "https://perishablepress.com/blacklist/ua-2013.txt",
 "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
+ "http://www.botopedia.org/search?searchword=scan&searchphrase=all",
+ "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
+ "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large",
 "https://twitter.com/crep1x/status/1635034100213112833",
+ "https://perishablepress.com/blacklist/ua-2013.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml"
 ],
 "tags": [
@@ -83336,8 +83365,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://rclone.org/",
 "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone",
+ "https://rclone.org/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_rclone.yml"
 ],
 "tags": [
@@ -83370,9 +83399,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11",
- "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638",
 "https://blog.talosintelligence.com/ipfs-abuse/",
+ "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638",
+ "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml"
 ],
 "tags": [
@@ -83455,8 +83484,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
 "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
+ "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
 "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml"
 ],
@@ -83532,8 +83561,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.advanced-ip-scanner.com/",
 "https://www.advanced-port-scanner.com/",
+ "https://www.advanced-ip-scanner.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml"
 ],
 "tags": [
@@ -83727,8 +83756,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
 "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb",
+ "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml"
 ],
 "tags": [
@@ -83903,9 +83932,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
 "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
 "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml"
 ],
 "tags": [
@@ -84090,11 +84119,11 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
- "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035",
- "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
 "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
+ "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035",
 "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
+ "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
+ "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml"
 ],
 "tags": [
@@ -84129,8 +84158,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3",
 "https://github.com/sensepost/reGeorg",
+ "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_webshell_regeorg.yml"
 ],
 "tags": [
@@ -84163,8 +84192,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit",
 "https://github.com/pimps/JNDI-Exploit-Kit",
+ "https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_jndi_exploit.yml"
 ],
 "tags": [
@@ -84233,8 +84262,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
 "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
+ "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
 "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml"
 ],
@@ -84303,8 +84332,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
 "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
+ "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
 "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml"
 ],
@@ -84339,8 +84368,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://bad-jubies.github.io/RCE-NOW-WHAT/",
 "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
+ "https://bad-jubies.github.io/RCE-NOW-WHAT/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml"
 ],
 "tags": [
@@ -84375,11 +84404,11 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
- "https://github.com/payloadbox/sql-injection-payload-list",
- "https://brightsec.com/blog/sql-injection-payloads/",
- "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
 "https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection",
+ "https://github.com/payloadbox/sql-injection-payload-list",
+ "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
+ "https://brightsec.com/blog/sql-injection-payloads/",
+ "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml"
 ],
 "tags": [
@@ -84481,9 +84510,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
- "https://www.exploit-db.com/exploits/19525",
 "https://github.com/lijiejie/IIS_shortname_Scanner",
+ "https://www.exploit-db.com/exploits/19525",
+ "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml"
 ],
 "tags": [
@@ -84616,9 +84645,9 @@
 "logsource.category": "application",
 "logsource.product": "jvm",
 "refs": [
- "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
- "https://rules.sonarsource.com/java/RSPEC-2755",
 "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing",
+ "https://rules.sonarsource.com/java/RSPEC-2755",
+ "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml"
 ],
 "tags": [
@@ -84719,8 +84748,8 @@
 "logsource.category": "application",
 "logsource.product": "spring",
 "refs": [
- "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
 "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection",
+ "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_spel_injection.yml"
 ],
 "tags": [
@@ -84786,10 +84815,10 @@
 "logsource.category": "application",
 "logsource.product": "ruby_on_rails",
 "refs": [
- "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
- "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
 "http://edgeguides.rubyonrails.org/security.html",
+ "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
 "http://guides.rubyonrails.org/action_controller_overview.html",
+ "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml"
 ],
 "tags": [
@@ -84823,8 +84852,8 @@
 "logsource.category": "application",
 "logsource.product": "velocity",
 "refs": [
- "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
 "https://antgarsil.github.io/posts/velocity/",
+ "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/velocity/velocity_ssti_injection.yml"
 ],
 "tags": [
@@ -84890,8 +84919,8 @@
 "logsource.category": "application",
 "logsource.product": "django",
 "refs": [
- "https://docs.djangoproject.com/en/1.11/ref/exceptions/",
 "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security",
+ "https://docs.djangoproject.com/en/1.11/ref/exceptions/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml"
 ],
 "tags": [
@@ -84957,8 +84986,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_smb_file_open.yml"
 ],
 "tags": [
@@ -85000,8 +85029,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_vnc_connection_attempt.yml"
 ],
 "tags": [
@@ -85034,8 +85063,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ssh_new_connection.yml"
 ],
 "tags": [
@@ -85086,8 +85115,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_tftp_request.yml"
 ],
 "tags": [
@@ -85120,8 +85149,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ftp_login_attempt.yml"
 ],
 "tags": [
@@ -85163,8 +85192,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml"
 ],
 "tags": [
@@ -85198,8 +85227,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_http_post_login_attempt.yml"
 ],
 "tags": [
@@ -85232,8 +85261,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_git_clone_request.yml"
 ],
 "tags": [
@@ -85266,8 +85295,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_snmp_cmd.yml"
 ],
 "tags": [
@@ -85309,8 +85338,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_sip_request.yml"
 ],
 "tags": [
@@ -85343,8 +85372,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ssh_login_attempt.yml"
 ],
 "tags": [
@@ -85395,8 +85424,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mysql_login_attempt.yml"
 ],
 "tags": [
@@ -85438,8 +85467,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_redis_command.yml"
 ],
 "tags": [
@@ -85481,8 +85510,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml"
 ],
 "tags": [
@@ -85524,8 +85553,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_telnet_login_attempt.yml"
 ],
 "tags": [
@@ -85567,8 +85596,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mssql_login_winauth.yml"
 ],
 "tags": [
@@ -85610,8 +85639,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_http_get.yml"
 ],
 "tags": [
@@ -85644,8 +85673,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ntp_monlist.yml"
 ],
 "tags": [
@@ -86064,10 +86093,10 @@ "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ - "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer", - "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/", - "https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html", "https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer", + "https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html", + "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml" ], "tags": [ @@ -86131,8 +86160,8 @@ "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ - "https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch", "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/", + "https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml" ], "tags": [ 
@@ -86188,10 +86217,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" ], "tags": [ @@ -86214,10 +86243,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" ], "tags": [ 
@@ -86240,9 +86269,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" ], "tags": [ @@ -86283,10 +86312,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" ], "tags": [ 
@@ -86327,10 +86356,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" ], "tags": [ @@ -86371,10 +86400,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", "https://github.com/zeronetworks/rpcfirewall", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" ], "tags": [ 
@@ -86407,12 +86436,12 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" ], "tags": [ @@ -86435,10 +86464,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" ], "tags": [ 
@@ -86479,9 +86508,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" ], @@ -86517,8 +86546,8 @@ "refs": [ "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" ], "tags": [ 
@@ -86551,10 +86580,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" ], "tags": [ @@ -86577,10 +86606,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" ], "tags": [ 
@@ -86613,10 +86642,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" ], "tags": [ @@ -86639,10 +86668,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" ], "tags": [ 
@@ -86665,10 +86694,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], "tags": [ @@ -86691,10 +86720,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], "tags": [ 
@@ -86726,8 +86755,8 @@ "logsource.category": "file_event", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml" ], "tags": [ @@ -86761,8 +86790,8 @@ "logsource.category": "file_event", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md", "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_susp_startup_item_created.yml" ], "tags": [ @@ -86796,8 +86825,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.loobins.io/binaries/xattr/", "https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md", + "https://www.loobins.io/binaries/xattr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml" ], "tags": [ 
@@ -86830,9 +86859,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://ss64.com/osx/csrutil.html", "https://objective-see.org/blog/blog_0x6D.html", "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", - "https://ss64.com/osx/csrutil.html", "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml" ], @@ -87007,9 +87036,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior", "https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior", "https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", + "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior", "https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml" ], 
@@ -87043,8 +87072,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", + "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" ], @@ -87102,8 +87131,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.loobins.io/binaries/tmutil/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", + "https://www.loobins.io/binaries/tmutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml" ], "tags": [ @@ -87136,9 +87165,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/MythicAgents/typhon/", - "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", + "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", + "https://github.com/MythicAgents/typhon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml" ], "tags": [ 
@@ -87161,8 +87190,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos", "https://ss64.com/osx/dseditgroup.html", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml" ], "tags": [ @@ -87197,8 +87226,8 @@ "logsource.product": "macos", "refs": [ "https://www.loobins.io/binaries/launchctl/", - "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/", "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/", + "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md", "https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml" @@ -87250,9 +87279,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/", "https://www.loobins.io/binaries/hdiutil/", "https://ss64.com/mac/hdiutil.html", + "https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml" ], "tags": [ 
@@ -87275,8 +87304,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/sysadminctl.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos", + "https://ss64.com/osx/sysadminctl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml" ], "tags": [ @@ -87345,8 +87374,8 @@ "logsource.product": "macos", "refs": [ "https://ss64.com/osx/sw_vers.html", - "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior", "https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior", + "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml" ], "tags": [ @@ -87379,9 +87408,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/MythicAgents/typhon/", - "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", + "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", + "https://github.com/MythicAgents/typhon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml" ], "tags": [ 
@@ -87439,9 +87468,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md", - "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml", "https://ss64.com/osx/dsenableroot.html", + "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml", + "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml" ], "tags": [ @@ -87557,9 +87586,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.manpagez.com/man/8/firmwarepasswd/", - "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", + "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", + "https://www.manpagez.com/man/8/firmwarepasswd/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" ], "tags": [ 
@@ -87582,9 +87611,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/", "https://www.loobins.io/binaries/hdiutil/", "https://ss64.com/mac/hdiutil.html", + "https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml" ], "tags": [ @@ -87658,8 +87687,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml" ], "tags": [ 
@@ -87758,13 +87787,13 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", "https://www.loobins.io/binaries/sysctl/#", - "https://objective-see.org/blog/blog_0x1E.html", - "https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior", - "https://evasions.checkpoint.com/techniques/macos.html", "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/", + "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", + "https://evasions.checkpoint.com/techniques/macos.html", "https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior", + "https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior", + "https://objective-see.org/blog/blog_0x1E.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml" ], "tags": [ @@ -87942,8 +87971,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://objective-see.org/blog/blog_0x4B.html", "https://redcanary.com/blog/applescript/", + "https://objective-see.org/blog/blog_0x4B.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml" ], "tags": [ @@ -88067,8 +88096,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://redcanary.com/blog/applescript/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md", + "https://redcanary.com/blog/applescript/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml" ], "tags": [ 
@@ -88134,9 +88163,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://ss64.com/osx/csrutil.html", "https://objective-see.org/blog/blog_0x6D.html", "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", - "https://ss64.com/osx/csrutil.html", "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml" ], @@ -88203,8 +88232,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685", + "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml" ], "tags": [ @@ -88340,8 +88369,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml", "https://redcanary.com/blog/clipping-silver-sparrows-wings/", + "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml" ], "tags": [ 
@@ -88475,8 +88504,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml" ], "tags": [ @@ -88532,8 +88561,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang", "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml", + "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml" ], "tags": [ @@ -88583,9 +88612,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd", - "https://www.loobins.io/binaries/nscurl/", "https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl", + "https://www.loobins.io/binaries/nscurl/", + "https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml" ], "tags": [ 
@@ -88686,8 +88715,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://gist.github.com/Capybara/6228955", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md", + "https://gist.github.com/Capybara/6228955", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml" ], "tags": [ @@ -88753,11 +88782,11 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", - "https://ss64.com/mac/system_profiler.html", "https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af", "https://objective-see.org/blog/blog_0x62.html", + "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", "https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", + "https://ss64.com/mac/system_profiler.html", "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml" ], 
@@ -88833,10 +88862,10 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/mac/chflags.html", - "https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/", - "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf", "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", + "https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/", + "https://ss64.com/mac/chflags.html", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml" ], "tags": [ @@ -88926,8 +88955,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.loobins.io/binaries/tmutil/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", + "https://www.loobins.io/binaries/tmutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml" ], "tags": [ @@ -89135,8 +89164,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.loobins.io/binaries/tmutil/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", + "https://www.loobins.io/binaries/tmutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml" ], "tags": [ 
@@ -89257,8 +89286,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations", "https://thehackernews.com/2024/03/github-rolls-out-default-secret.html", + "https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_push_protection_disabled.yml" ], "tags": [ @@ -89324,8 +89353,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", "https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml" ], "tags": [ 
@@ -89400,9 +89429,9 @@ "logsource.product": "github", "refs": [ "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise", - "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml" ], "tags": [ @@ -89470,9 +89499,9 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ + "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration", "https://docs.github.com/en/migrations", "https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership", - "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration", "https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_repo_or_org_transferred.yml" ], 
@@ -89584,8 +89613,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities", "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority", + "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_ssh_certificate_config_changed.yml" ], "tags": [ @@ -89619,8 +89648,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations", "https://thehackernews.com/2024/03/github-rolls-out-default-secret.html", + "https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_push_protection_bypass_detected.yml" ], "tags": [ @@ -89763,8 +89792,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml" ], "tags": [ 
@@ -89787,8 +89816,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://developer.okta.com/docs/reference/api/system-log/", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_identity_provider_created.yml" ], "tags": [ @@ -89821,8 +89850,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml" ], "tags": [ @@ -89903,9 +89932,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm", - "https://developer.okta.com/docs/reference/api/system-log/", "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml" ], "tags": [ @@ -89938,8 +89967,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml" ], "tags": [ 
@@ -89962,8 +89991,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml" ], "tags": [ @@ -89986,8 +90015,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md", "https://developer.okta.com/docs/reference/api/system-log/", + "https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml" ], "tags": [ @@ -90020,9 +90049,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml" ], "tags": [ 
@@ -90045,8 +90074,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml" ], "tags": [ @@ -90069,8 +90098,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml" ], "tags": [ @@ -90093,8 +90122,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml" ], "tags": [ @@ -90127,8 +90156,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml" ], "tags": [ 
@@ -90151,8 +90180,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://developer.okta.com/docs/reference/api/system-log/", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_new_behaviours_admin_console.yml" ], "tags": [ @@ -90185,9 +90214,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://sec.okta.com/fastpassphishingdetection", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_fastpass_phishing_detection.yml" ], "tags": [ @@ -90220,8 +90249,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml" ], "tags": [ @@ -90244,8 +90273,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml" ], "tags": [ 
@@ -90270,8 +90299,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml" ], "tags": [ @@ -90294,8 +90323,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml" ], "tags": [ @@ -90330,8 +90359,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://developer.okta.com/docs/reference/api/system-log/", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml" ], "tags": [ @@ -90609,8 +90638,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", + "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml" ], "tags": [ 
@@ -90770,8 +90799,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml" ], "tags": [ @@ -90830,9 +90859,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md", - "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml" ], "tags": [ @@ -90982,9 +91011,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml" ], "tags": [ 
@@ -91109,8 +91138,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html", "https://github.com/elastic/detection-rules/pull/1214", + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml" ], "tags": [ @@ -91160,9 +91189,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html", "https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html", "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html", - "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml" ], "tags": [ @@ -91370,9 +91399,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html", "https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/", "https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things", + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml" ], "tags": [ 
@@ -91456,9 +91485,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html", - "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml" ], "tags": [ @@ -91647,13 +91676,13 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", "https://github.com/elastic/detection-rules/pull/1145/files", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml" ], "tags": [ 
@@ -92067,8 +92096,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/access-context-manager/docs/audit-logging", "https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog", + "https://cloud.google.com/access-context-manager/docs/audit-logging", "https://cloud.google.com/logging/docs/audit/understanding-audit-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml" ], @@ -92296,11 +92325,11 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", - "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", "https://github.com/elastic/detection-rules/pull/1267", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml" ], "tags": [ 
@@ -92418,9 +92447,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml" ], "tags": [ @@ -92443,8 +92472,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml" ], "tags": [ @@ -92467,9 +92496,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml" ], "tags": [ 
@@ -92492,8 +92521,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://support.google.com/a/answer/9261439", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings", + "https://support.google.com/a/answer/9261439", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml" ], "tags": [ @@ -92527,8 +92556,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml" ], "tags": [ @@ -92561,8 +92590,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml" ], "tags": [ @@ -92595,8 +92624,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml" ], "tags": [ 
@@ -93161,11 +93190,11 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://www.sygnia.co/golden-saml-advisory", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", - "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", "https://o365blog.com/post/aadbackdoor/", + "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", + "https://www.sygnia.co/golden-saml-advisory", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml" ], "tags": [ @@ -93265,8 +93294,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml" ], "tags": [ @@ -93299,8 +93328,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml" ], "tags": [ 
@@ -93333,8 +93362,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml" ], "tags": [ @@ -93367,8 +93396,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml" ], "tags": [ @@ -93401,8 +93430,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml" ], "tags": [ 
@@ -93435,8 +93464,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml" ], "tags": [ @@ -93492,8 +93521,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml" ], "tags": [ @@ -93526,8 +93555,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml" ], "tags": [ 
@@ -93560,8 +93589,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml" ], "tags": [ @@ -93584,8 +93613,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml" ], "tags": [ @@ -93618,8 +93647,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml" ], "tags": [ 
@@ -93685,8 +93714,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy",
 "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml"
 ],
 "tags": [
@@ -94342,8 +94371,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy",
 "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities",
+ "https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml"
 ],
 "tags": [
@@ -94402,8 +94431,8 @@
 "logsource.product": "azure",
 "refs": [
 "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487",
- "https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/",
 "https://twitter.com/NathanMcNulty/status/1785051227568632263",
+ "https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml"
 ],
 "tags": [
@@ -95986,8 +96015,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly",
+ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml"
 ],
 "tags": [
@@ -96230,8 +96259,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity",
 "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml"
 ],
 "tags": [
@@ -96372,9 +96401,9 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in",
 "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user",
- "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml"
 ],
 "tags": [
@@ -96410,8 +96439,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials",
+ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml"
 ],
 "tags": [
@@ -96444,8 +96473,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated",
+ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml"
 ],
 "tags": [
@@ -96512,8 +96541,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray",
 "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml"
 ],
 "tags": [
@@ -96580,8 +96609,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel",
 "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml"
 ],
 "tags": [
@@ -96643,11 +96672,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml"
 ],
 "tags": [
@@ -96696,11 +96725,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml"
 ],
 "tags": [
@@ -96723,11 +96752,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml"
 ],
 "tags": [
@@ -97312,11 +97341,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml"
 ],
 "tags": [
@@ -97424,11 +97453,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml"
 ],
 "tags": [
@@ -97576,11 +97605,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml"
 ],
 "tags": [
@@ -97614,11 +97643,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml"
 ],
 "tags": [
@@ -97898,10 +97927,10 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
 "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml"
 ],
 "tags": [
@@ -97936,8 +97965,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
 "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml"
 ],
 "tags": [
@@ -98214,9 +98243,9 @@
 "logsource.category": "No established category",
 "logsource.product": "qualys",
 "refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml"
 ],
 "tags": "No established tags"
@@ -98237,10 +98266,10 @@
 "logsource.category": "No established category",
 "logsource.product": "qualys",
 "refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml"
 ],
 "tags": [
@@ -98263,9 +98292,9 @@
 "logsource.category": "No established category",
 "logsource.product": "No established product",
 "refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml"
 ],
 "tags": [
@@ -98321,9 +98350,9 @@
 "value": "Suspicious SQL Query"
 },
 {
- "description": "Detects a highly relevant Antivirus alert that reports a password dumper.",
+ "description": "Detects a highly relevant Antivirus alert that reports a password dumper.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n",
 "meta": {
- "author": "Florian Roth (Nextron Systems)",
+ "author": "Florian Roth (Nextron Systems), Arnim Rupp",
 "creation_date": "2018-09-09",
 "falsepositive": [
 "Unlikely"
@@ -98380,7 +98409,7 @@
 "value": "Antivirus Password Dumper Detection"
 },
 {
- "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name.",
+ "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n",
 "meta": {
 "author": "Florian Roth (Nextron Systems), Arnim Rupp",
 "creation_date": "2018-09-09",
@@ -98413,7 +98442,7 @@
 "value": "Antivirus Relevant File Paths Alerts"
 },
 {
- "description": "Detects a highly relevant Antivirus alert that reports ransomware.",
+ "description": "Detects a highly relevant Antivirus alert that reports ransomware.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n",
 "meta": {
 "author": "Florian Roth (Nextron Systems), Arnim Rupp",
 "creation_date": "2022-05-12",
@@ -98425,11 +98454,12 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916",
- "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
 "https://www.nextron-systems.com/?s=antivirus",
 "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7",
+ "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916",
+ "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
 "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c",
+ "https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05",
 "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml"
 ],
@@ -98450,7 +98480,7 @@
 "value": "Antivirus Ransomware Detection"
 },
 {
- "description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.",
+ "description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n",
 "meta": {
 "author": "Florian Roth (Nextron Systems), Arnim Rupp",
 "creation_date": "2021-08-16",
@@ -98484,7 +98514,7 @@
 "value": "Antivirus Hacktool Detection"
 },
 {
- "description": "Detects a highly relevant Antivirus alert that reports a web shell.\nIt's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.\n",
+ "description": "Detects a highly relevant Antivirus alert that reports a web shell.\nIt's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n",
 "meta": {
 "author": "Florian Roth (Nextron Systems), Arnim Rupp",
 "creation_date": "2018-09-09",
@@ -98496,16 +98526,16 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
- "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
 "https://www.nextron-systems.com/?s=antivirus",
- "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
- "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
- "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
- "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
 "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
- "https://github.com/tennc/webshell",
 "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
+ "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
+ "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
+ "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
+ "https://github.com/tennc/webshell",
+ "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
+ "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
+ "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml"
 ],
 "tags": [
@@ -98526,7 +98556,7 @@
 "value": "Antivirus Web Shell Detection"
 },
 {
- "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework.",
+ "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n",
 "meta": {
 "author": "Florian Roth (Nextron Systems), Arnim Rupp",
 "creation_date": "2018-09-09",
@@ -98538,9 +98568,9 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466",
- "https://www.nextron-systems.com/?s=antivirus",
 "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797",
+ "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466",
 "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml"
 ],
@@ -98639,8 +98669,8 @@
 "logsource.category": "file_event",
 "logsource.product": "linux",
 "refs": [
- "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
 "https://www.makeuseof.com/how-to-install-and-use-doas/",
+ "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml"
 ],
 "tags": [
@@ -98674,10 +98704,10 @@
 "logsource.category": "file_event",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml"
 ],
 "tags": [
@@ -98734,10 +98764,10 @@
 "logsource.category": "file_event",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml"
 ],
 "tags": [
@@ -98860,8 +98890,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "Self Experience",
 "https://github.com/Neo23x0/auditd/blob/master/audit.rules",
+ "Self Experience",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml"
 ],
 "tags": [
@@ -98937,9 +98967,9 @@
 "logsource.product": "linux",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://linux.die.net/man/8/pam_tty_audit",
 "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml"
 ],
 "tags": [
@@ -99114,10 +99144,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://mn3m.info/posts/suid-vs-capabilities/",
 "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
 "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
 "https://man7.org/linux/man-pages/man8/getcap.8.html",
- "https://mn3m.info/posts/suid-vs-capabilities/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml"
 ],
 "tags": [
@@ -99636,8 +99666,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://linux.die.net/man/1/arecord",
 "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa",
+ "https://linux.die.net/man/1/arecord",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml"
 ],
 "tags": [
@@ -99670,10 +99700,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://man7.org/linux/man-pages/man1/passwd.1.html",
 "https://linux.die.net/man/1/chage",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
 "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
+ "https://man7.org/linux/man-pages/man1/passwd.1.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml"
 ],
 "tags": [
@@ -99807,8 +99837,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
- "https://linux.die.net/man/1/import",
 "https://imagemagick.org/",
+ "https://linux.die.net/man/1/import",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml"
 ],
 "tags": [
@@ -99841,8 +99871,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
 "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
+ "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
 "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml"
 ],
@@ -99911,8 +99941,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://objective-see.org/blog/blog_0x68.html",
- "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat",
 "https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack",
+ "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml"
 ],
 "tags": [
@@ -100340,9 +100370,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://linux.die.net/man/8/insmod",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
 "https://man7.org/linux/man-pages/man8/kmod.8.html",
- "https://linux.die.net/man/8/insmod",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml"
 ],
 "tags": [
@@ -100475,8 +100505,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
 "https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content",
+ "https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
 "https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence",
 "https://regex101.com/r/RugQYK/1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml"
@@ -100568,10 +100598,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://gtfobins.github.io/gtfobins/awk/#shell",
- "https://gtfobins.github.io/gtfobins/gawk/#shell",
- "https://gtfobins.github.io/gtfobins/nawk/#shell",
 "https://gtfobins.github.io/gtfobins/mawk/#shell",
+ "https://gtfobins.github.io/gtfobins/awk/#shell",
+ "https://gtfobins.github.io/gtfobins/nawk/#shell",
+ "https://gtfobins.github.io/gtfobins/gawk/#shell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_awk_shell_spawn.yml"
 ],
 "tags": [
@@ -100592,7 +100622,7 @@
 "value": "Suspicious Invocation of Shell via AWK - Linux"
 },
 {
- "description": "Detects executing python with keywords related to network activity that could indicate a potential reverse shell",
+ "description": "Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.\n",
 "meta": {
 "author": "@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)",
 "creation_date": "2023-04-24",
@@ -100604,7 +100634,6 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.revshells.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml"
 ],
@@ -100613,7 +100642,7 @@
 ]
 },
 "uuid": "32e62bc7-3de0-4bb1-90af-532978fe42c0",
- "value": "Potential Python Reverse Shell"
+ "value": "Python Reverse Shell Execution Via PTY And Socket Modules"
 },
 {
 "description": "Detects the creation of a new named pipe using the \"mkfifo\" utility",
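Review bot: The `value` of entry `32e62bc7-3de0-4bb1-90af-532978fe42c0` changes from "Potential Python Reverse Shell" to "Python Reverse Shell Execution Via PTY And Socket Modules" in the -100613 hunk while the uuid stays the same, and nothing on the page records the previous name. If downstream consumers key on `value` (MISP galaxy tags are built from it), data tagged under the old name will no longer resolve to this entry by name, so the rename deserves a mention in the commit description, and, if the cluster format used here allows it, carrying the old name in a `"synonyms"` list on this entry would keep existing tags resolvable. The other hunks in this group are upstream content changes (the narrowed description and the dropped reference at -100604) and need no action here.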
@@ -100718,8 +100747,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html",
 "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml"
 ],
 "tags": [
@@ -100859,8 +100888,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://gtfobins.github.io/gtfobins/nice/#shell",
 "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
+ "https://gtfobins.github.io/gtfobins/nice/#shell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nice_shell_execution.yml"
 ],
 "tags": [
@@ -100968,8 +100997,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
 "https://attack.mitre.org/techniques/T1548/001/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml"
 ],
 "tags": [
@@ -101002,10 +101031,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml"
 ],
 "tags": [
@@ -101071,8 +101100,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
 "https://github.com/Azure/Azure-Sentinel/pull/3059",
+ "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml"
 ],
 "tags": [
@@ -101123,9 +101152,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/Tib3rius/AutoRecon",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md",
 "https://github.com/projectdiscovery/naabu",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md",
+ "https://github.com/Tib3rius/AutoRecon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml"
 ],
 "tags": [
@@ -101158,8 +101187,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html",
 "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS",
+ "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml"
 ],
 "tags": [
@@ -101292,9 +101321,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://linux.die.net/man/1/bash",
 "https://www.revshells.com/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml"
 ],
 "tags": [
@@ -101383,10 +101412,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml"
 ],
 "tags": [
@@ -101444,8 +101473,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://bpftrace.org/",
 "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
+ "https://bpftrace.org/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml"
 ],
 "tags": [
@@ -101478,8 +101507,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.revshells.com/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml"
 ],
 "tags": [
@@ -101547,8 +101576,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blogs.blackberry.com/",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+ "https://blogs.blackberry.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml"
 ],
 "tags": [
@@ -101758,8 +101787,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html",
 "https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US",
+ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml"
 ],
 "tags": [
@@ -101800,10 +101829,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml"
 ],
 "tags": [
@@ -101885,10 +101914,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml"
 ],
 "tags": [
@@ -102050,9 +102079,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://access.redhat.com/security/cve/cve-2019-14287",
 "https://www.openwall.com/lists/oss-security/2019/10/14/1",
 "https://twitter.com/matthieugarin/status/1183970598210412546",
+ "https://access.redhat.com/security/cve/cve-2019-14287",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml"
 ],
 "tags": [
@@ -102094,8 +102123,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://gtfobins.github.io/gtfobins/capsh/#shell",
 "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
+ "https://gtfobins.github.io/gtfobins/capsh/#shell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capsh_shell_invocation.yml"
 ],
 "tags": [
@@ -102128,9 +102157,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blogs.blackberry.com/",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
 "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html",
+ "https://blogs.blackberry.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml"
 ],
 "tags": [
@@ -102196,9 +102225,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
 "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
 "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/",
- "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml"
 ],
 "tags": [
@@ -102265,8 +102294,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blogs.blackberry.com/",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+ "https://blogs.blackberry.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml"
 ],
 "tags": [
@@ -102299,10 +102328,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.cyberciti.biz/faq/linux-remove-user-command/",
- "https://linux.die.net/man/8/groupdel",
 "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
+ "https://www.cyberciti.biz/faq/linux-remove-user-command/",
 "https://linuxize.com/post/how-to-delete-group-in-linux/",
+ "https://linux.die.net/man/8/groupdel",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
 ],
 "tags": [
@@ -102358,10 +102387,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://linux.die.net/man/8/userdel",
- "https://www.cyberciti.biz/faq/linux-remove-user-command/",
 "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
+ "https://www.cyberciti.biz/faq/linux-remove-user-command/",
 "https://linuxize.com/post/how-to-delete-group-in-linux/",
+ "https://linux.die.net/man/8/userdel",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
 ],
 "tags": [
@@ -102394,10 +102423,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml"
 ],
 "tags": [
@@ -102420,8 +102449,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://gtfobins.github.io/gtfobins/find/#shell",
 "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
+ "https://gtfobins.github.io/gtfobins/find/#shell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_find_shell_execution.yml"
 ],
 "tags": [
@@ -102488,8 +102517,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blogs.blackberry.com/",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+ "https://blogs.blackberry.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml"
 ],
 "tags": [
@@ -102566,14 +102595,14 @@
 "logsource.product": "linux",
 "refs": [
 "https://github.com/Pennyw0rth/NetExec/",
- "https://github.com/Ne0nd0g/merlin",
- "https://github.com/HavocFramework/Havoc",
- "https://github.com/pathtofile/bad-bpf",
- "https://github.com/1N3/Sn1per",
- "https://github.com/carlospolop/PEASS-ng",
- "https://github.com/t3l3machus/Villain",
- "https://github.com/Gui774ume/ebpfkit",
 "https://github.com/t3l3machus/hoaxshell",
+ "https://github.com/HavocFramework/Havoc",
+ "https://github.com/t3l3machus/Villain",
+ "https://github.com/carlospolop/PEASS-ng",
+ "https://github.com/pathtofile/bad-bpf",
+ "https://github.com/Gui774ume/ebpfkit",
+ "https://github.com/Ne0nd0g/merlin",
+ "https://github.com/1N3/Sn1per",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml"
 ],
 "tags": [
@@ -102707,9 +102736,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
 "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml"
 ],
 "tags": [
@@ -102742,8 +102771,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.revshells.com/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml"
 ],
 "tags": [
@@ -102842,8 +102871,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
 "https://www.makeuseof.com/how-to-install-and-use-doas/",
+ "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml"
 ],
 "tags": [
@@ -102877,8 +102906,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blog.skyplabs.net/posts/container-detection/",
 "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker",
+ "https://blog.skyplabs.net/posts/container-detection/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml"
 ],
 "tags": [
@@ -102911,8 +102940,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.revshells.com/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml"
 ],
 "tags": [
@@ -102968,10 +102997,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://gtfobins.github.io/gtfobins/gcc/#shell",
+ "https://gtfobins.github.io/gtfobins/c89/#shell",
 "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
 "https://gtfobins.github.io/gtfobins/c99/#shell",
- "https://gtfobins.github.io/gtfobins/c89/#shell",
- "https://gtfobins.github.io/gtfobins/gcc/#shell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml"
 ],
 "tags": [
@@ -103005,8 +103034,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blog.skyplabs.net/posts/container-detection/",
 "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker",
+ "https://blog.skyplabs.net/posts/container-detection/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml"
 ],
 "tags": [
@@ -103072,9 +103101,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://gtfobins.github.io/gtfobins/rvim/",
 "https://gtfobins.github.io/gtfobins/vim/",
 "https://gtfobins.github.io/gtfobins/vimdiff/",
- "https://gtfobins.github.io/gtfobins/rvim/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_vim_shell_execution.yml"
 ],
 "tags": [
@@ -103107,11 +103136,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
 "https://curl.se/docs/manpage.html",
+ "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
 "https://twitter.com/d1r4c/status/1279042657508081664",
- "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
+ "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml"
 ],
 "tags": [
@@ -103251,8 +103280,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.revshells.com/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml"
 ],
 "tags": [
@@ -103275,9 +103304,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://en.wikipedia.org/wiki/Nohup",
 "https://gtfobins.github.io/gtfobins/nohup/",
 "https://www.computerhope.com/unix/unohup.htm",
- "https://en.wikipedia.org/wiki/Nohup",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml"
 ],
 "tags": [
@@ -103410,8 +103439,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
 "https://github.com/Azure/Azure-Sentinel/pull/3059",
+ "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml"
 ],
 "tags": [
@@ -103462,8 +103491,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html",
 "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
+ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html",
 "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml"
 ],
@@ -103539,11 +103568,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://man7.org/linux/man-pages/man1/ncat.1.html",
 "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/",
- "https://www.infosecademy.com/netcat-reverse-shells/",
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://man7.org/linux/man-pages/man1/ncat.1.html",
 "https://www.revshells.com/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.infosecademy.com/netcat-reverse-shells/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml"
 ],
 "tags": [
@@ -103597,7 +103626,7 @@
 "value": "Connection Proxy"
 },
 {
- "description": "Detects python spawning a pretty tty which could be indicative of potential reverse shell activity",
+ "description": "Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.\n",
 "meta": {
 "author": "Nextron Systems",
 "creation_date": "2022-06-03",
@@ -103605,7 +103634,7 @@
 "Unknown"
 ],
 "filename": "proc_creation_lnx_python_pty_spawn.yml",
- "level": "high",
+ "level": "medium",
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
@@ -103627,7 +103656,7 @@
 }
 ],
 "uuid": "c4042d54-110d-45dd-a0e1-05c47822c937",
- "value": "Python Spawning Pretty TTY"
+ "value": "Python Spawning Pretty TTY Via PTY Module"
 },
 {
 "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious",
@@ -103775,10 +103804,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"
 ],
 "tags": [
@@ -103834,8 +103863,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://bpftrace.org/",
 "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
+ "https://bpftrace.org/",
 "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml"
 ],
@@ -103927,10 +103956,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml"
 ],
 "tags": [
@@ -103963,9 +103992,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
 "https://blogs.blackberry.com/",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
- "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml"
 ],
 "tags": [
@@ -104065,10 +104094,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://linuxhint.com/uninstall_yum_package/",
- "https://sysdig.com/blog/mitre-defense-evasion-falco",
 "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command",
 "https://linuxhint.com/uninstall-debian-packages/",
+ "https://linuxhint.com/uninstall_yum_package/",
+ "https://sysdig.com/blog/mitre-defense-evasion-falco",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml"
 ],
 "tags": [
@@ -104125,8 +104154,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blog.skyplabs.net/posts/container-detection/",
 "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker",
+ "https://blog.skyplabs.net/posts/container-detection/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml"
 ],
 "tags": [
@@ -104192,8 +104221,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md",
+ "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml"
 ],
 "tags": [
@@ -104302,8 +104331,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "linux",
 "refs": [
- "https://localtonet.com/documents/supported-tunnels",
 "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications",
+ "https://localtonet.com/documents/supported-tunnels",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml"
 ],
 "tags": [
@@ -104486,11 +104515,11 @@
 "logsource.category": "network_connection",
 "logsource.product": "linux",
 "refs": [
- "https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections",
- "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors",
- "https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team",
 "https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html",
+ "https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections",
+ "https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team",
 "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html",
+ "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml"
 ],
 "tags": [
@@ -104557,8 +104586,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://book.hacktricks.xyz/shells/shells/linux",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
+ "https://book.hacktricks.xyz/shells/shells/linux",
 "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml"
 ],
@@ -104582,8 +104611,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://man7.org/linux/man-pages/man7/bpf-helpers.7.html",
 "https://redcanary.com/blog/ebpf-malware/",
+ "https://man7.org/linux/man-pages/man7/bpf-helpers.7.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml"
 ],
 "tags": [
@@ -104706,10 +104735,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
- "https://artkond.com/2017/03/23/pivoting-guide/",
 "http://pastebin.com/FtygZ1cg",
 "https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html",
+ "https://artkond.com/2017/03/23/pivoting-guide/",
+ "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml"
 ],
 "tags": [
@@ -104942,8 +104971,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md",
 "https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md",
 "https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml"
 ],
@@ -105134,9 +105163,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://access.redhat.com/security/cve/cve-2019-14287",
 "https://www.openwall.com/lists/oss-security/2019/10/14/1",
 "https://twitter.com/matthieugarin/status/1183970598210412546",
+ "https://access.redhat.com/security/cve/cve-2019-14287",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml"
 ],
 "tags": [
@@ -105310,8 +105339,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml",
 "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c",
+ "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml"
 ],
 "tags": [
@@ -105398,5 +105427,5 @@
 "value": "Modifying Crontab"
 }
 ],
- "version": 20241017
+ "version": 20241104
 }
From cf6b886e2ff7ba42259521d852271e1f5f6ad97c Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 5 Nov 2024 14:07:23 +0100
Subject: [PATCH 21/21] chg: [ransomware] group updated
---
 clusters/ransomware.json | 54 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 50 insertions(+), 4 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 8c15a5d..2241e68 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -27672,7 +27672,8 @@
 "http://lbbpoq6d2jglpw7dxarr6oaakgnlxt5nmrza5ojlufsuffuzexajsuyd.onion/",
 "http://lbbp2rsfcmg5durpwgs22wxrdngsa4wiwmc4xk6hgmuluy6bvbvvtlid.onion/",
 "http://lbbov7weoojwnqytnjqygmglkwtim5dvyw3xvoluk5ostz75ofd6enqd.onion/",
- "http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion/ec_page3.php"
+ "http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion/ec_page3.php",
+ "http://lockbitfnszjao7hayqsd424m74k5jxc52hozvabjrut7pjfsfaaaoad.onion"
 ],
 "refs": [
 "https://threatpost.com/lockbit-ransomware-proliferates-globally/168746",
@@ -28355,7 +28356,14 @@
 "meta": {
 "links": [
 "http://eraleignews.com/",
- "http://wn6vonooq6fggjdgyocp7bioykmfjket7sbp47cwhgubvowwd7ws5pyd.onion/"
+ "http://wn6vonooq6fggjdgyocp7bioykmfjket7sbp47cwhgubvowwd7ws5pyd.onion/",
+ "http://basheqtvzqwz4vp6ks5lm2ocq7i6tozqgf6vjcasj4ezmsy4bkpshhyd.onion/",
+ "http://bashe4aec32kr6zbifwd5x6xgjsmhg4tbowrbx4pneqhc5mqooyifpid.onion/",
+ "http://basheqtvzqwz4vp6ks5lm2ocq7i6tozqgf6vjcasj4ezmsy4bkpshhyd.onion",
+ "http://basherq53eniermxovo3bkduw5qqq5bkqcml3qictfmamgvmzovykyqd.onion",
+ "http://basherykagbxoaiaxkgqhmhd5gbmedwb3di4ig3ouovziagosv4n77qd.onion",
+ "http://bashete63b3gcijfofpw6fmn3rwnmyi5aclp55n6awcfbexivexbhyad.onion",
+ "http://bashex7mokreyoxl6wlswxl4foi7okgs7or7aergnuiockuoq35yt3ad.onion"
 ],
 "refs": [
 "https://www.ransomlook.io/group/eraleign (apt73)"
@@ -29374,7 +29382,8 @@
 "http://66ohzao6afsv2opk22r2kv6fbnf2fthe7v4ykzzc5vjezvvyf3gocwyd.onion/",
 "https://2nn4b6gihz5bttzabjegune3blwktad2zmy77fwutvvrxxodbufo6qid.onion/",
 "http://y6kyfs2unbfcyodzjrxadn4w5vyulhyotdi5dtiqulxbduujehupunqd.onion/",
- "http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/api/blog/get"
+ "http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/api/blog/get",
+ "http://3o5ewrzhqoyodfs5kll4cjxagdfrpuu474panwobm4im7ejfpaux5jyd.onion/"
 ],
 "refs": [
 "https://www.ransomlook.io/group/embargo"
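Review bot: The eraleign/apt73 `links` array now lists the same onion host twice, once as `"http://basheqtvzqwz4vp6ks5lm2ocq7i6tozqgf6vjcasj4ezmsy4bkpshhyd.onion/"` and again without the trailing slash as `"http://basheqtvzqwz4vp6ks5lm2ocq7i6tozqgf6vjcasj4ezmsy4bkpshhyd.onion"`; drop one and normalise the remaining bashe* entries to a single trailing-slash convention so exact-string consumers (and the next automated import) deduplicate correctly. The seven new bashe* hosts are attached to the `eraleign` value with no `synonyms` change, so the attribution is implied only by the URL list; if they belong to a rebrand of the same operation (the hostnames suggest it, but nothing in the hunk confirms it), an explicit `"synonyms": ["Bashe"]` or a `related` link to a separate cluster would record that judgement where analysts will look for it. The enclosing cluster object starts and ends outside the hunk.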
@@ -29904,7 +29913,44 @@
 },
 "uuid": "6a20c736-d83c-502f-8a9f-379a556fb4ac",
 "value": "interlock"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://vlofmq2u3f5amxmnblvxaghy73aedwta74fyceywr6eeguw3cn6h6uad.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/playboy"
+ ]
+ },
+ "uuid": "4e672e18-c9e3-5b29-a500-8615a1b9c1a8",
+ "value": "playboy"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://hellcakbszllztlyqbjzwcbdhfrodx55wq77kmftp4bhnhsnn5r3odad.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/hellcat"
+ ]
+ },
+ "uuid": "f5ffee22-b5d1-5d55-8dd2-5db26d184cde",
+ "value": "hellcat"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://ks5424y3wpr5zlug5c7i6svvxweinhbdcqcfnptkfcutrncfazzgz5id.onion/posts.php",
+ "http://ks5424y3wpr5zlug5c7i6svvxweinhbdcqcfnptkfcutrncfazzgz5id.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/killsec3"
+ ]
+ },
+ "uuid": "455c76ae-4abe-5237-90eb-87e9530e240c",
+ "value": "killsec3"
 }
 ],
- "version": 137
+ "version": 138
 }
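Review bot: The three new clusters use three different link conventions in one hunk — `playboy` keeps a trailing slash, `hellcat` drops it, and `killsec3` records both the deep path `".../posts.php"` and the bare host — which is the same inconsistency that produces string-level duplicates elsewhere in this file; pick one canonical form per host (bare host with trailing slash, as the older entries do) so exact-string deduplication works. None of the entries carries a `description` or `synonyms`, which matches the ransomlook-derived `interlock` neighbour, but `killsec3` reads as a numbered variant of an existing group; if a `killsec` cluster exists earlier in the file (not visible here), a `related` entry pointing at its UUID would tie the two together instead of leaving the link to the reader. The enclosing `values` array starts outside the hunk.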
