From a5fd2de2d9a7e867cc200079bcf4bdb4bce39688 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 28 Nov 2024 17:56:25 +0100 Subject: [PATCH] chg: [mitre attack] updated to the latest version --- README.md | 10 +- clusters/mitre-attack-pattern.json | 2147 +++++++++++-------- clusters/mitre-course-of-action.json | 343 +++- clusters/mitre-data-component.json | 250 ++- clusters/mitre-data-source.json | 53 +- clusters/mitre-intrusion-set.json | 2323 +++++++++++++++++++-- clusters/mitre-malware.json | 2854 +++++++++++++++++++++++++- clusters/mitre-tool.json | 240 ++- galaxies/mitre-attack-pattern.json | 41 +- 9 files changed, 7163 insertions(+), 1098 deletions(-) diff --git a/README.md b/README.md index fb7acee..78aec99 100644 --- a/README.md +++ b/README.md @@ -287,7 +287,7 @@ Category: *course-of-action* - source: *https://github.com/mitre-atlas/atlas-nav [Attack Pattern](https://www.misp-galaxy.org/mitre-attack-pattern) - ATT&CK tactic -Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *1141* elements +Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *1160* elements [[HTML](https://www.misp-galaxy.org/mitre-attack-pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-attack-pattern.json)] @@ -295,7 +295,7 @@ Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *11 [Course of Action](https://www.misp-galaxy.org/mitre-course-of-action) - ATT&CK Mitigation -Category: *course-of-action* - source: *https://github.com/mitre/cti* - total: *281* elements +Category: *course-of-action* - source: *https://github.com/mitre/cti* - total: *282* elements [[HTML](https://www.misp-galaxy.org/mitre-course-of-action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-course-of-action.json)] 
@@ -375,7 +375,7 @@ Category: *attack-pattern* - source: *https://collaborate.mitre.org/attackics/in [Intrusion Set](https://www.misp-galaxy.org/mitre-intrusion-set) - Name of ATT&CK Group -Category: *actor* - source: *https://github.com/mitre/cti* - total: *165* elements +Category: *actor* - source: *https://github.com/mitre/cti* - total: *176* elements [[HTML](https://www.misp-galaxy.org/mitre-intrusion-set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-intrusion-set.json)] @@ -383,7 +383,7 @@ Category: *actor* - source: *https://github.com/mitre/cti* - total: *165* elemen [Malware](https://www.misp-galaxy.org/mitre-malware) - Name of ATT&CK software -Category: *tool* - source: *https://github.com/mitre/cti* - total: *705* elements +Category: *tool* - source: *https://github.com/mitre/cti* - total: *735* elements [[HTML](https://www.misp-galaxy.org/mitre-malware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-malware.json)] @@ -391,7 +391,7 @@ Category: *tool* - source: *https://github.com/mitre/cti* - total: *705* element [mitre-tool](https://www.misp-galaxy.org/mitre-tool) - Name of ATT&CK software -Category: *tool* - source: *https://github.com/mitre/cti* - total: *87* elements +Category: *tool* - source: *https://github.com/mitre/cti* - total: *90* elements [[HTML](https://www.misp-galaxy.org/mitre-tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-tool.json)] diff --git a/clusters/mitre-attack-pattern.json b/clusters/mitre-attack-pattern.json index 7de54ac..8d23904 100644 --- a/clusters/mitre-attack-pattern.json +++ b/clusters/mitre-attack-pattern.json 
@@ -620,10 +620,10 @@ "Windows" ], "refs": [ - "http://msdn.microsoft.com/en-us/library/aa376977", "https://attack.mitre.org/techniques/T1547/001", "https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/", "https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry", + "https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", "https://technet.microsoft.com/en-us/sysinternals/bb963902" ] @@ -866,11 +866,11 @@ "Windows" ], "refs": [ - "http://msdn.microsoft.com/en-us/library/ms682425", - "http://msdn.microsoft.com/en-us/library/ms687393", "https://attack.mitre.org/techniques/T1574/008", "https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120", - "https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN" + "https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN", + "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa", + "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec" ] }, "related": [ @@ -1564,8 +1564,8 @@ "refs": [ "https://attack.mitre.org/techniques/T1036/005", "https://docs.docker.com/engine/reference/commandline/images/", - "https://twitter.com/ItsReallyNick/status/1055321652777619457", - "https://www.elastic.co/blog/how-hunt-masquerade-ball" + "https://www.elastic.co/blog/how-hunt-masquerade-ball", + "https://x.com/ItsReallyNick/status/1055321652777619457" ] }, "related": [ 
@@ -1577,6 +1577,44 @@ "uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "value": "Match Legitimate Name or Location - T1036.005" }, + { + "description": "An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.\n\nOn Windows, accounts may use the `net localgroup` and `net group` commands to add existing users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation: Microsoft Net Group) On Linux, adversaries may use the `usermod` command for the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be added to the local administrators group on Windows devices to maintain elevated privileges. They may also be added to the Remote Desktop Users group, which allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On Linux, accounts may be added to the sudoers group, allowing them to persistently leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003) for elevated privileges. \n\nIn Windows environments, machine accounts may also be added to domain groups. 
This allows the local SYSTEM account to gain privileges on the domain.(Citation: RootDSE AD Detection 2022)", + "meta": { + "external_id": "T1098.007", + "kill_chain": [ + "attack-Windows:persistence", + "attack-macOS:persistence", + "attack-Linux:persistence", + "attack-Windows:privilege-escalation", + "attack-macOS:privilege-escalation", + "attack-Linux:privilege-escalation" + ], + "mitre_data_sources": [ + "User Account: User Account Modification" + ], + "mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1098/007", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)", + "https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios", + "https://www.man7.org/linux/man-pages/man8/usermod.8.html" + ] + }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "subtechnique-of" + } + ], + "uuid": "3e6831b2-bf4c-4ae6-b328-2e7c6633b291", + "value": "Additional Local or Domain Groups - T1098.007" + }, { "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., `com.google.android.gm`). \n\nAdversaries may also use the same icon of the file or application they are trying to mimic.\n", "meta": { 
@@ -1628,8 +1666,8 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1562/004", - "https://twitter.com/TheDFIRReport/status/1498657772254240768", - "https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps" + "https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps", + "https://x.com/TheDFIRReport/status/1498657772254240768" ] }, "related": [ 
@@ -1642,7 +1680,7 @@ "value": "Disable or Modify System Firewall - T1562.004" }, { - "description": "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity, or remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.", + "description": "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment and/or move laterally from the cloud control plane to the data plane. 
For example, an adversary may use a script or utility that creates new ingress rules in existing security groups (or creates new security groups entirely) to allow any TCP/IP connectivity to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022) They may also remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. It may also be used to open up resources for [Brute Force](https://attack.mitre.org/techniques/T1110) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). ", "meta": { "external_id": "T1562.007", "kill_chain": [ @@ -1677,9 +1715,8 @@ "kill_chain": [ "attack-IaaS:defense-evasion", "attack-SaaS:defense-evasion", - "attack-Google-Workspace:defense-evasion", - "attack-Azure-AD:defense-evasion", - "attack-Office-365:defense-evasion" + "attack-Office-Suite:defense-evasion", + "attack-Identity-Provider:defense-evasion" ], "mitre_data_sources": [ "Cloud Service: Cloud Service Disable", @@ -1689,9 +1726,8 @@ "mitre_platforms": [ "IaaS", "SaaS", - "Google Workspace", - "Azure AD", - "Office 365" + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1562/008", @@ -2366,7 +2402,9 @@ ], "mitre_data_sources": [ "Command: Command Execution", - "Process: Process Creation" + "Module: Module Load", + "Process: Process Creation", + "Process: Process Metadata" ], "mitre_platforms": [ "Windows" 
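Review bot: The `kill_chain` phases `attack-Office-Suite:defense-evasion` and `attack-Identity-Provider:defense-evasion` introduced in the @@ -1677 hunk (with their `mitre_platforms` counterparts `Office Suite` and `Identity Provider` in @@ -1689) are new keys that MISP resolves against the galaxy's `kill_chain_order`; the diffstat shows `galaxies/mitre-attack-pattern.json` is also changed, presumably to add them, but that file is outside this view, so please confirm the new keys are present there before merge, otherwise these clusters carry phases the galaxy cannot map to a tactic. The same Azure-AD/Office-365/Google-Workspace to Office-Suite/Identity-Provider replacement recurs in the hunks at @@ -2898, @@ -2914, @@ -3028, @@ -3043, @@ -3138, @@ -3160, @@ -3366, @@ -3382, @@ -3658 and @@ -3671, so one check covers them all. Because the old platform strings are removed rather than kept alongside the new ones, any downstream filter or correlation keyed on `Azure AD`, `Office 365` or `Google Workspace` silently loses these techniques after this update. A one-line mention in the commit description, e.g. `Platforms Azure AD, Office 365 and Google Workspace are consolidated into Identity Provider and Office Suite, matching the upstream ATT&CK data; update any filters keyed on the old names`, would make that visible to consumers of the galaxy.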
@@ -2898,8 +2936,7 @@ "kill_chain": [ "attack-IaaS:exfiltration", "attack-SaaS:exfiltration", - "attack-Google-Workspace:exfiltration", - "attack-Office-365:exfiltration" + "attack-Office-Suite:exfiltration" ], "mitre_data_sources": [ "Application Log: Application Log Content", @@ -2914,8 +2951,7 @@ "mitre_platforms": [ "IaaS", "SaaS", - "Google Workspace", - "Office 365" + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1537", @@ -3028,11 +3064,9 @@ "external_id": "T1484", "kill_chain": [ "attack-Windows:defense-evasion", - "attack-Azure-AD:defense-evasion", - "attack-SaaS:defense-evasion", + "attack-Identity-Provider:defense-evasion", "attack-Windows:privilege-escalation", - "attack-Azure-AD:privilege-escalation", - "attack-SaaS:privilege-escalation" + "attack-Identity-Provider:privilege-escalation" ], "mitre_data_sources": [ "Active Directory: Active Directory Object Creation", @@ -3043,13 +3077,12 @@ ], "mitre_platforms": [ "Windows", - "Azure AD", - "SaaS" + "Identity Provider" ], "refs": [ - "http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/", "https://adsecurity.org/?p=2716", "https://attack.mitre.org/techniques/T1484", + "https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/", "https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365", "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", 
@@ -3096,9 +3129,9 @@ "Network" ], "refs": [ - "http://msdn.microsoft.com/en-us/library/aa376977", "https://attack.mitre.org/techniques/T1547", "https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order", + "https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys", "https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx", "https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx", "https://technet.microsoft.com/en-us/sysinternals/bb963902", 
@@ -3138,14 +3171,14 @@ "value": "Remotely Track Device Without Authorization - T1468" }, { - "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)\n\nAuthentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)\n\nAbusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008). 
Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003) via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078) for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts.\n\nAdversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003) by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).(Citation: Medium Certified Pre Owned) Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified Pre Owned)", + "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)\n\nAuthentication certificates can be both stolen and forged. 
For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)\n\nAbusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003) via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078) for the duration of the certificate's validity, despite user password resets. 
Authentication certificates can also be stolen and forged for machine accounts.\n\nAdversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003) by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).(Citation: Medium Certified Pre Owned) Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified Pre Owned)", "meta": { "external_id": "T1649", "kill_chain": [ "attack-Windows:credential-access", "attack-Linux:credential-access", "attack-macOS:credential-access", - "attack-Azure-AD:credential-access" + "attack-Identity-Provider:credential-access" ], "mitre_data_sources": [ "Active Directory: Active Directory Credential Request", @@ -3160,7 +3193,7 @@ "Windows", "Linux", "macOS", - "Azure AD" + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1649", 
@@ -3230,7 +3263,7 @@ "value": "Install Insecure or Malicious Configuration - T1478" }, { - "description": "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\n\nOn Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)\n\nLinux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the \"ccache\". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). 
The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)\n\n\nKerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf configuration file and the KRB5CCNAME environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit, klist, ktutil, and kcc built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)\n", + "description": "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. 
Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\n\nOn Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)\n", "meta": { "external_id": "T1558", "kill_chain": [ @@ -3250,7 +3283,6 @@ "macOS" ], "refs": [ - "http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html", "https://adsecurity.org/?p=1515", "https://adsecurity.org/?p=227", "https://adsecurity.org/?p=2293", @@ -3260,12 +3292,7 @@ "https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf", "https://docs.microsoft.com/windows-server/administration/windows-commands/klist", "https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285", - "https://github.com/gentilkiwi/kekeo", - "https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf", - "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea", - "https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f", - "https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html", - "https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html" + "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea" ] }, "uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", 
@@ -3366,13 +3393,12 @@ "external_id": "T1621", "kill_chain": [ "attack-Windows:credential-access", - "attack-Office-365:credential-access", "attack-Linux:credential-access", "attack-macOS:credential-access", "attack-IaaS:credential-access", "attack-SaaS:credential-access", - "attack-Azure-AD:credential-access", - "attack-Google-Workspace:credential-access" + "attack-Office-Suite:credential-access", + "attack-Identity-Provider:credential-access" ], "mitre_data_sources": [ "Application Log: Application Log Content", @@ -3382,13 +3408,12 @@ ], "mitre_platforms": [ "Windows", - "Office 365", "Linux", "macOS", "IaaS", "SaaS", - "Azure AD", - "Google Workspace" + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1621", 
@@ -3430,6 +3455,39 @@ "uuid": "633baf01-6de4-4963-bb54-ff6c6357bed3", "value": "Rogue Wi-Fi Access Points - T1465" }, + { + "description": "Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic. \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related with a trusted entity. \n\nAdversaries may also leverage legitimate protocols to impersonate expected web traffic or trusted services. For example, adversaries may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted data to disguise C2 communications or mimic legitimate services such as Gmail, Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation: Malleable-C2-U42)", + "meta": { + "external_id": "T1001.003", + "kill_chain": [ + "attack-Linux:command-and-control", + "attack-Windows:command-and-control", + "attack-macOS:command-and-control" + ], + "mitre_data_sources": [ + "Network Traffic: Network Traffic Content" + ], + "mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "refs": [ + "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", + "https://attack.mitre.org/techniques/T1001/003", + "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", + "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" + ] + }, + "related": [ + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "subtechnique-of" + } + ], + "uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", + "value": "Protocol or Service Impersonation - T1001.003" + }, { "description": "Adversaries may clear Windows Event Logs to hide the activity of an 
intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.\n\n\nWith administrator privileges, the event logs can be cleared with the following utility commands:\n\n* wevtutil cl system\n* wevtutil cl application\n* wevtutil cl security\n\nThese logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)\n\nAdversaries may also attempt to clear logs by directly deleting the stored log files within `C:\\Windows\\System32\\winevt\\logs\\`.", "meta": { @@ -3658,11 +3716,9 @@ "external_id": "T1098.002", "kill_chain": [ "attack-Windows:persistence", - "attack-Office-365:persistence", - "attack-Google-Workspace:persistence", + "attack-Office-Suite:persistence", "attack-Windows:privilege-escalation", - "attack-Office-365:privilege-escalation", - "attack-Google-Workspace:privilege-escalation" + "attack-Office-Suite:privilege-escalation" ], "mitre_data_sources": [ "Application Log: Application Log Content", @@ -3671,8 +3727,7 @@ ], "mitre_platforms": [ "Windows", - "Office 365", - "Google Workspace" + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1098/002", 
@@ -3831,6 +3886,36 @@ "uuid": "0042a9f5-f053-4769-b3ef-9ad018dfa298", "value": "Extra Window Memory Injection - T1055.011" }, + { + "description": "Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data.\n\nOnce adversaries gain access to a victim organization, they may mine CRM software for customer data. This may include personally identifiable information (PII) such as full names, emails, phone numbers, and addresses, as well as additional details such as purchase histories and IT support interactions. By collecting this data, an adversary may be able to send personalized [Phishing](https://attack.mitre.org/techniques/T1566) emails, engage in SIM swapping, or otherwise target the organization’s customers in ways that enable financial gain or the compromise of additional organizations.(Citation: Bleeping Computer US Cellular Hack 2022)(Citation: Bleeping Computer Mint Mobile Hack 2021)(Citation: Bleeping Computer Bank Hack 2020)\n\nCRM software may be hosted on-premises or in the cloud. Information stored in these solutions may vary based on the specific instance or environment. 
Examples of CRM software include Microsoft Dynamics 365, Salesforce, Zoho, Zendesk, and HubSpot.", + "meta": { + "external_id": "T1213.004", + "kill_chain": [ + "attack-SaaS:collection" + ], + "mitre_data_sources": [ + "Application Log: Application Log Content", + "Logon Session: Logon Session Creation" + ], + "mitre_platforms": [ + "SaaS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1213/004", + "https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/", + "https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/", + "https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/" + ] + }, + "related": [ + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "type": "subtechnique-of" + } + ], + "uuid": "bbfbb096-6561-4d7d-aa2c-a5ee8e44c696", + "value": "Customer Relationship Management Software - T1213.004" + }, { "description": "Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)\n\nCreating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. 
For example, the token could be duplicated via [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or created via [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) before being used to create a process.\n\nWhile this technique is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001), the techniques can be used in conjunction where a token is duplicated and then used to create a new process.", "meta": { @@ -4074,9 +4159,9 @@ "Windows" ], "refs": [ - "http://msdn.microsoft.com/en-us/library/bb166549.aspx", "https://attack.mitre.org/techniques/T1546/001", "https://docs.microsoft.com/windows-server/administration/windows-commands/assoc", + "https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015", "https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd" ] 
@@ -4127,7 +4212,7 @@ "value": "Hidden Files and Directories - T1564.001" }, { - "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\n\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. 
(Citation: Microsoft Security Advisory 2269637)\n\nPhantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.\n\nAdversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)\n\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.", + "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\n\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. 
Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)\n\nPhantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.\n\nAdversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)\n\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.", "meta": { "external_id": "T1574.001", "kill_chain": [ 
@@ -4153,6 +4238,7 @@ "https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html", "https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html", "https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html", + "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://www.owasp.org/index.php/Binary_planting" ] }, @@ -4460,7 +4546,7 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1497/002", - "https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc", + "https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit", "https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", "https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667" @@ -4702,7 +4788,6 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1546/004", - "https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/", "https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html", "https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a", "https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js", 
@@ -4710,6 +4795,7 @@ "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5", "https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/", "https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/", + "https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/", "https://wiki.archlinux.org/index.php/Bash#Invocation", "https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect", "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat", @@ -4763,13 +4849,9 @@ "external_id": "T1499.004", "kill_chain": [ "attack-Windows:impact", - "attack-Azure-AD:impact", - "attack-Office-365:impact", - "attack-SaaS:impact", "attack-IaaS:impact", "attack-Linux:impact", - "attack-macOS:impact", - "attack-Google-Workspace:impact" + "attack-macOS:impact" ], "mitre_data_sources": [ "Application Log: Application Log Content", @@ -4779,13 +4861,9 @@ ], "mitre_platforms": [ "Windows", - "Azure AD", - "Office 365", - "SaaS", "IaaS", "Linux", - "macOS", - "Google Workspace" + "macOS" ], "refs": [ "https://attack.mitre.org/techniques/T1499/004", 
@@ -4807,22 +4885,19 @@ "external_id": "T1548.005", "kill_chain": [ "attack-IaaS:privilege-escalation", - "attack-Azure-AD:privilege-escalation", - "attack-Office-365:privilege-escalation", - "attack-Google-Workspace:privilege-escalation", + "attack-Office-Suite:privilege-escalation", + "attack-Identity-Provider:privilege-escalation", "attack-IaaS:defense-evasion", - "attack-Azure-AD:defense-evasion", - "attack-Office-365:defense-evasion", - "attack-Google-Workspace:defense-evasion" + "attack-Office-Suite:defense-evasion", + "attack-Identity-Provider:defense-evasion" ], "mitre_data_sources": [ "User Account: User Account Modification" ], "mitre_platforms": [ "IaaS", - "Azure AD", - "Office 365", - "Google Workspace" + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1548/005", @@ -4870,7 +4945,6 @@ ], "refs": [ "http://tldp.org/HOWTO/Module-HOWTO/x197.html", - "http://www.megasecurity.org/papers/Rootkits.pdf", "http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html", "https://attack.mitre.org/techniques/T1547/006", "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/", @@ -4885,6 +4959,7 @@ "https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web", "https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html", "https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/", + "https://www.megasecurity.org/papers/Rootkits.pdf", "https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/", "https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf", "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf" 
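Review bot: The kill_chain tags `attack-Azure-AD:*`, `attack-Office-365:*` and `attack-Google-Workspace:*` are removed here for T1548.005 and replaced by `attack-Office-Suite:*` / `attack-Identity-Provider:*`, and the same rename recurs for T1530, T1550, T1059, T1212, T1213, T1528, T1539 and T1548 further down; this presumably follows the upstream consolidation of ATT&CK platforms, but nothing on the page records it. Any consumer with saved filters, correlation rules or event tags keyed on the retired `mitre_platforms` values or the old tag strings will silently stop matching after this update, which is a detection-coverage regression rather than a cosmetic change. The commit message ("updated to the latest version") and the README hunks only track element counts, so I would add one sentence to the commit description naming the retired platforms and their replacements, e.g. `Platforms "Azure AD", "Office 365" and "Google Workspace" are retired upstream; techniques now carry "Identity Provider" / "Office Suite" — update tag-based filters accordingly.`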
@@ -4931,7 +5006,7 @@ "value": "Cloud Secrets Management Stores - T1555.006" }, { - "description": "Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.\n\nFor example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). 
In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)", + "description": "Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.\n\nFor example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. 
Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). ", "meta": { "external_id": "T1578.005", "kill_chain": [ @@ -4946,9 +5021,7 @@ "refs": [ "https://attack.mitre.org/techniques/T1578/005", "https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#compute", - "https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121", - "https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/", - "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/" + "https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/" ] }, "related": [ 
@@ -4985,9 +5058,9 @@ "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN", "https://itm4n.github.io/windows-registry-rpceptmapper-eop/", "https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html", - "https://twitter.com/r0wdy_/status/936365549553991680", "https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/", - "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost" + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost", + "https://x.com/r0wdy_/status/936365549553991680" ] }, "related": [ @@ -5289,6 +5362,8 @@ ], "mitre_data_sources": [ "Application Log: Application Log Content", + "File: File Modification", + "Network Traffic: Network Traffic Flow", "Process: Process Creation" ], "mitre_platforms": [ @@ -5439,6 +5514,7 @@ "attack-Network:defense-evasion" ], "mitre_data_sources": [ + "Application Log: Application Log Content", "Command: Command Execution", "File: File Creation", "File: File Metadata", @@ -5554,17 +5630,16 @@ "kill_chain": [ "attack-IaaS:collection", "attack-SaaS:collection", - "attack-Google-Workspace:collection", - "attack-Office-365:collection" + "attack-Office-Suite:collection" ], "mitre_data_sources": [ + "Cloud Service: Cloud Service Metadata", "Cloud Storage: Cloud Storage Access" ], "mitre_platforms": [ "IaaS", "SaaS", - "Google Workspace", - "Office 365" + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1530", @@ -5801,11 +5876,10 @@ "attack-Linux:exfiltration", "attack-macOS:exfiltration", "attack-Windows:exfiltration", - "attack-Office-365:exfiltration", "attack-SaaS:exfiltration", "attack-IaaS:exfiltration", - "attack-Google-Workspace:exfiltration", - "attack-Network:exfiltration" + "attack-Network:exfiltration", + "attack-Office-Suite:exfiltration" ], "mitre_data_sources": [ "Application Log: Application Log Content", 
@@ -5820,11 +5894,10 @@ "Linux", "macOS", "Windows", - "Office 365", "SaaS", "IaaS", - "Google Workspace", - "Network" + "Network", + "Office Suite" ], "refs": [ "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", @@ -5876,17 +5949,17 @@ "external_id": "T1550", "kill_chain": [ "attack-Windows:defense-evasion", - "attack-Office-365:defense-evasion", "attack-SaaS:defense-evasion", - "attack-Google-Workspace:defense-evasion", "attack-IaaS:defense-evasion", "attack-Containers:defense-evasion", + "attack-Identity-Provider:defense-evasion", + "attack-Office-Suite:defense-evasion", "attack-Windows:lateral-movement", - "attack-Office-365:lateral-movement", "attack-SaaS:lateral-movement", - "attack-Google-Workspace:lateral-movement", "attack-IaaS:lateral-movement", - "attack-Containers:lateral-movement" + "attack-Containers:lateral-movement", + "attack-Identity-Provider:lateral-movement", + "attack-Office-Suite:lateral-movement" ], "mitre_data_sources": [ "Active Directory: Active Directory Credential Request", @@ -5897,16 +5970,16 @@ ], "mitre_platforms": [ "Windows", - "Office 365", "SaaS", - "Google Workspace", "IaaS", - "Containers" + "Containers", + "Identity Provider", + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1550", - "https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication", "https://csrc.nist.gov/glossary/term/authentication", + "https://csrc.nist.gov/glossary/term/multi_factor_authentication", "https://technet.microsoft.com/en-us/library/dn487457.aspx" ] }, @@ -5952,10 +6025,9 @@ "attack-macOS:execution", "attack-Windows:execution", "attack-Network:execution", - "attack-Office-365:execution", - "attack-Azure-AD:execution", "attack-IaaS:execution", - "attack-Google-Workspace:execution" + "attack-Office-Suite:execution", + "attack-Identity-Provider:execution" ], "mitre_data_sources": [ "Command: Command Execution", 
@@ -5969,10 +6041,9 @@ "macOS", "Windows", "Network", - "Office 365", - "Azure AD", "IaaS", - "Google Workspace" + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1059", @@ -6169,7 +6240,7 @@ "attack-Linux:credential-access", "attack-Windows:credential-access", "attack-macOS:credential-access", - "attack-Azure-AD:credential-access" + "attack-Identity-Provider:credential-access" ], "mitre_data_sources": [ "Application Log: Application Log Content", @@ -6180,16 +6251,16 @@ "Linux", "Windows", "macOS", - "Azure AD" + "Identity Provider" ], "refs": [ "https://adsecurity.org/?p=1515", "https://attack.mitre.org/techniques/T1212", "https://technet.microsoft.com/en-us/library/security/ms14-068.aspx", - "https://twitter.com/MsftSecIntel/status/1671579359994343425", "https://www.bugcrowd.com/glossary/replay-attack/", "https://www.comparitech.com/blog/information-security/what-is-a-replay-attack/", - "https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/" + "https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/", + "https://x.com/MsftSecIntel/status/1671579359994343425" ] }, "uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", 
@@ -6224,7 +6295,7 @@ "value": "Component Object Model Hijacking - T1122" }, { - "description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization. \n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.", + "description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. 
Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)). \n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)) \n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n* Contact or other sensitive information about business partners and customers, including personally identifiable information (PII) \n\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include the following:\n\n* Storage services such as IaaS databases, enterprise databases, and more specialized platforms such as customer relationship management (CRM) databases \n* Collaboration platforms such as SharePoint, Confluence, and code repositories\n* Messaging platforms such as Slack and Microsoft Teams \n\nIn some cases, information repositories have been improperly secured, typically by unintentionally allowing for overly-broad access by all users or even public access to unauthenticated users. This is particularly common with cloud-native or cloud-hosted services, such as AWS Relational Database Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)", "meta": { "external_id": "T1213", "kill_chain": [ 
@@ -6232,9 +6303,8 @@ "attack-Windows:collection", "attack-macOS:collection", "attack-SaaS:collection", - "attack-Office-365:collection", - "attack-Google-Workspace:collection", - "attack-IaaS:collection" + "attack-IaaS:collection", + "attack-Office-Suite:collection" ], "mitre_data_sources": [ "Application Log: Application Log Content", @@ -6245,15 +6315,17 @@ "Windows", "macOS", "SaaS", - "Office 365", - "Google Workspace", - "IaaS" + "IaaS", + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1213", "https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html", + "https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/", "https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events", - "https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2" + "https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2", + "https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots", + "https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html" ] }, "uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", @@ -6916,10 +6988,10 @@ "external_id": "T1528", "kill_chain": [ "attack-SaaS:credential-access", - "attack-Office-365:credential-access", - "attack-Azure-AD:credential-access", - "attack-Google-Workspace:credential-access", - "attack-Containers:credential-access" + "attack-Containers:credential-access", + "attack-IaaS:credential-access", + "attack-Office-Suite:credential-access", + "attack-Identity-Provider:credential-access" ], "mitre_data_sources": [ "Active Directory: Active Directory Object Modification", 
@@ -6927,10 +6999,10 @@ ], "mitre_platforms": [ "SaaS", - "Office 365", - "Azure AD", - "Google Workspace", - "Containers" + "Containers", + "IaaS", + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1528", 
@@ -6950,7 +7022,7 @@ "value": "Steal Application Access Token - T1528" }, { - "description": "Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "description": "Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) 
as well as specifics regarding its configuration (ex: operating system, language, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).\n\nAdversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.(Citation: TrellixQakbot)", "meta": { "external_id": "T1592", "kill_chain": [ 
@@ -6965,7 +7037,8 @@ "refs": [ "https://attack.mitre.org/techniques/T1592", "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", - "https://threatconnect.com/blog/infrastructure-research-hunting/" + "https://threatconnect.com/blog/infrastructure-research-hunting/", + "https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/" ] }, "uuid": "09312b1a-c3c6-4b45-9844-3ccc78e5d82f", @@ -7167,9 +7240,8 @@ "attack-Linux:credential-access", "attack-macOS:credential-access", "attack-Windows:credential-access", - "attack-Office-365:credential-access", "attack-SaaS:credential-access", - "attack-Google-Workspace:credential-access" + "attack-Office-Suite:credential-access" ], "mitre_data_sources": [ "File: File Access", @@ -7179,9 +7251,8 @@ "Linux", "macOS", "Windows", - "Office 365", "SaaS", - "Google Workspace" + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1539", 
@@ -7325,7 +7396,7 @@ "value": "Network Denial of Service - T1464" }, { - "description": "Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.\n\nAdversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.\n\nAn adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)", + "description": "Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.\n\nAdversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. 
An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)\n\nAn adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)\n\nAfter modifying a binary, an adversary may attempt to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)", "meta": { "external_id": "T1554", "kill_chain": [ @@ -7346,6 +7417,7 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1554", + "https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations", "https://unit42.paloaltonetworks.com/banking-trojan-techniques/#post-125550-_rm3d6xxbk52n", "https://web-assets.esetstatic.com/wls/2021/10/eset_fontonlake.pdf" ] 
@@ -7382,17 +7454,15 @@
 "attack-Linux:privilege-escalation",
 "attack-macOS:privilege-escalation",
 "attack-Windows:privilege-escalation",
- "attack-Office-365:privilege-escalation",
 "attack-IaaS:privilege-escalation",
- "attack-Google-Workspace:privilege-escalation",
- "attack-Azure-AD:privilege-escalation",
+ "attack-Office-Suite:privilege-escalation",
+ "attack-Identity-Provider:privilege-escalation",
 "attack-Linux:defense-evasion",
 "attack-macOS:defense-evasion",
 "attack-Windows:defense-evasion",
- "attack-Office-365:defense-evasion",
 "attack-IaaS:defense-evasion",
- "attack-Google-Workspace:defense-evasion",
- "attack-Azure-AD:defense-evasion"
+ "attack-Office-Suite:defense-evasion",
+ "attack-Identity-Provider:defense-evasion"
 ],
 "mitre_data_sources": [
 "Command: Command Execution",
@@ -7408,10 +7478,9 @@
 "Linux",
 "macOS",
 "Windows",
- "Office 365",
 "IaaS",
- "Google Workspace",
- "Azure AD"
+ "Office Suite",
+ "Identity Provider"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1548",
@@ -7596,13 +7665,9 @@
 "external_id": "T1498",
 "kill_chain": [
 "attack-Windows:impact",
- "attack-Azure-AD:impact",
- "attack-Office-365:impact",
- "attack-SaaS:impact",
 "attack-IaaS:impact",
 "attack-Linux:impact",
 "attack-macOS:impact",
- "attack-Google-Workspace:impact",
 "attack-Containers:impact"
 ],
 "mitre_data_sources": [
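Review bot: The T1548 hunk removes the `attack-Office-365:*`, `attack-Google-Workspace:*` and `attack-Azure-AD:*` kill_chain tags and the matching `mitre_platforms` entries in favour of `attack-Office-Suite:*` / `attack-Identity-Provider:*`, but neither the commit message ("updated to the latest version") nor this file records that mapping, so MISP tag filters, correlation rules or SIEM lookups keyed on the old platform strings will stop matching silently on the next galaxy sync. This looks like the upstream ATT&CK platform consolidation rather than a local choice, but galaxy consumers only see this diff. Consider adding one line to the commit description or README along the lines of `Platforms Office 365 / Google Workspace -> Office Suite; Azure AD -> Identity Provider (kill_chain tags renamed accordingly)`. The same rename is applied in the T1498, T1499, T1567, T1070.008, T1550.001, T1098.001, T1098.003 and T1550.004 hunks in this chunk.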
@@ -7611,20 +7676,16 @@
 ],
 "mitre_platforms": [
 "Windows",
- "Azure AD",
- "Office 365",
- "SaaS",
 "IaaS",
 "Linux",
 "macOS",
- "Google Workspace",
 "Containers"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1498",
 "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf",
 "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html",
- "https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf",
+ "https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf",
 "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf"
 ]
 },
@@ -7637,14 +7698,10 @@
 "external_id": "T1499",
 "kill_chain": [
 "attack-Windows:impact",
- "attack-Azure-AD:impact",
- "attack-Office-365:impact",
- "attack-SaaS:impact",
- "attack-IaaS:impact",
 "attack-Linux:impact",
 "attack-macOS:impact",
- "attack-Google-Workspace:impact",
- "attack-Containers:impact"
+ "attack-Containers:impact",
+ "attack-IaaS:impact"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
@@ -7654,21 +7711,17 @@
 ],
 "mitre_platforms": [
 "Windows",
- "Azure AD",
- "Office 365",
- "SaaS",
- "IaaS",
 "Linux",
 "macOS",
- "Google Workspace",
- "Containers"
+ "Containers",
+ "IaaS"
 ],
 "refs": [
 "https://arstechnica.com/information-technology/2015/03/massive-denial-of-service-attack-on-github-tied-to-chinese-government/",
 "https://attack.mitre.org/techniques/T1499",
 "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf",
 "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html",
- "https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf",
+ "https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf",
 "https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged",
 "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf"
 ]
@@ -7716,9 +7769,8 @@
 "attack-Linux:exfiltration",
 "attack-macOS:exfiltration",
 "attack-Windows:exfiltration",
- "attack-Office-365:exfiltration",
 "attack-SaaS:exfiltration",
- "attack-Google-Workspace:exfiltration"
+ "attack-Office-Suite:exfiltration"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
@@ -7732,9 +7784,8 @@
 "Linux",
 "macOS",
 "Windows",
- "Office 365",
 "SaaS",
- "Google Workspace"
+ "Office Suite"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1567"
@@ -7815,7 +7866,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1578",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2020"
+ "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
 ]
 },
 "uuid": "144e007b-e638-431d-a894-45d90c54ab90",
@@ -7840,10 +7891,10 @@
 "https://github.com/michenriksen/gitrob",
 "https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/",
 "https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/",
+ "https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/",
 "https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/",
 "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196",
 "https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/",
- "https://www.opm.gov/cybersecurity/cybersecurity-incidents/",
 "https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/",
 "https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/"
 ]
@@ -7851,6 +7902,31 @@ "uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4", "value": "Gather Victim Identity Information - T1589" }, + { + "description": "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses. \n\nIaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. 
This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)", + "meta": { + "external_id": "T1666", + "kill_chain": [ + "attack-IaaS:defense-evasion" + ], + "mitre_data_sources": [ + "Cloud Service: Cloud Service Modification" + ], + "mitre_platforms": [ + "IaaS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1666", + "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html", + "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources", + "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf", + "https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121", + "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/" + ] + }, + "uuid": "0ce73446-8722-4086-9d43-514f1d0f669e", + "value": "Modify Cloud Resource Hierarchy - T1666" + }, { "description": "Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)\n\nAdversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. 
Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)\n\nThese scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)", "meta": { 
@@ -7993,7 +8069,7 @@ "value": "Dynamic-link Library Injection - T1055.001" }, { - "description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).\n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)", + "description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. 
The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).\n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)", "meta": { "external_id": "T1190", "kill_chain": [ 
@@ -8182,7 +8258,7 @@ "value": "Exploit public-facing application - T1377" }, { - "description": "Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).", + "description": "Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather actionable information. 
Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).\n\nIn addition to manually browsing the website, adversaries may attempt to identify hidden directories or files that could contain additional sensitive information or vulnerable functionality. They may do this through automated activities such as [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003), as well as by leveraging files such as sitemap.xml and robots.txt.(Citation: Perez Sitemap XML 2023)(Citation: Register Robots TXT 2015) ", "meta": { "external_id": "T1594", "kill_chain": [ @@ -8196,7 +8272,9 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1594", - "https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/" + "https://medium.com/@adimenia/how-attackers-can-misuse-sitemaps-to-enumerate-users-and-discover-sensitive-information-361a5065857a", + "https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/", + "https://www.theregister.com/2015/05/19/robotstxt/" ] }, "uuid": "16cdd21f-da65-4e4f-bc04-dd7d198c7b26", @@ -8463,8 +8541,7 @@ "attack-Linux:defense-evasion", "attack-macOS:defense-evasion", "attack-Windows:defense-evasion", - "attack-Office-365:defense-evasion", - "attack-Google-Workspace:defense-evasion" + "attack-Office-Suite:defense-evasion" ], "mitre_data_sources": [ "Application Log: Application Log Content", 
@@ -8477,8 +8554,7 @@
 "Linux",
 "macOS",
 "Windows",
- "Office 365",
- "Google Workspace"
+ "Office Suite"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1070/008",
@@ -8739,8 +8815,8 @@
 "Windows"
 ],
 "refs": [
- "http://msdn.microsoft.com/en-us/library/aa384426",
 "https://attack.mitre.org/techniques/T1021/006",
+ "https://learn.microsoft.com/en-us/windows/win32/winrm/portal",
 "https://medium.com/threatpunter/detecting-lateral-movement-using-sysmon-and-splunk-318d3be141bc",
 "https://msdn.microsoft.com/en-us/library/aa394582.aspx",
 "https://www.slideshare.net/kieranjacobsen/lateral-movement-with-power-shell-2"
@@ -8791,6 +8867,50 @@ "uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "value": "File Transfer Protocols - T1071.002" }, + { + "description": "Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1136), although accounts may also be renamed at a later date. This may also coincide with [Account Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes Attack 2023) They may also give accounts generic, trustworthy names, such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware 2024) Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087). \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656), which describes impersonating specific trusted individuals or organizations, rather than user or service account names. 
", + "meta": { + "external_id": "T1036.010", + "kill_chain": [ + "attack-Linux:defense-evasion", + "attack-macOS:defense-evasion", + "attack-Windows:defense-evasion", + "attack-SaaS:defense-evasion", + "attack-IaaS:defense-evasion", + "attack-Containers:defense-evasion", + "attack-Office-Suite:defense-evasion", + "attack-Identity-Provider:defense-evasion" + ], + "mitre_data_sources": [ + "User Account: User Account Creation" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "SaaS", + "IaaS", + "Containers", + "Office Suite", + "Identity Provider" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1036/010", + "https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters", + "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", + "https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response", + "https://www.invictus-ir.com/news/ransomware-in-the-cloud" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "type": "subtechnique-of" + } + ], + "uuid": "d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0", + "value": "Masquerade Account Name - T1036.010" + }, { "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: \n \n* Abusing device owner permissions to perform silent uninstallation using device owner API calls. \n* Abusing root permissions to delete files from the filesystem. \n* Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", "meta": { 
@@ -8866,7 +8986,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1074/001",
- "https://www.prevailion.com/darkwatchman-new-fileless-techniques/"
+ "https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/"
 ]
 },
 "related": [
@@ -8883,29 +9003,26 @@
 "meta": {
 "external_id": "T1550.001",
 "kill_chain": [
- "attack-Office-365:defense-evasion",
 "attack-SaaS:defense-evasion",
- "attack-Google-Workspace:defense-evasion",
 "attack-Containers:defense-evasion",
 "attack-IaaS:defense-evasion",
- "attack-Azure-AD:defense-evasion",
- "attack-Office-365:lateral-movement",
+ "attack-Office-Suite:defense-evasion",
+ "attack-Identity-Provider:defense-evasion",
 "attack-SaaS:lateral-movement",
- "attack-Google-Workspace:lateral-movement",
 "attack-Containers:lateral-movement",
 "attack-IaaS:lateral-movement",
- "attack-Azure-AD:lateral-movement"
+ "attack-Office-Suite:lateral-movement",
+ "attack-Identity-Provider:lateral-movement"
 ],
 "mitre_data_sources": [
 "Web Credential: Web Credential Usage"
 ],
 "mitre_platforms": [
- "Office 365",
 "SaaS",
- "Google Workspace",
 "Containers",
 "IaaS",
- "Azure AD"
+ "Office Suite",
+ "Identity Provider"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1550/001",
@@ -8947,11 +9064,11 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1505/001",
- "https://blog.netspi.com/attacking-sql-server-clr-assemblies/",
- "https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017",
 "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017",
- "https://securelist.com/malicious-tasks-in-ms-sql-server/92167/"
+ "https://securelist.com/malicious-tasks-in-ms-sql-server/92167/",
+ "https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/",
+ "https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/"
 ]
 },
 "related": [
@@ -9001,37 +9118,43 @@ "value": "Archive via Utility - T1560.001" }, { - "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\n\nFor example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. 
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) \n\nIn AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials to [Forge Web Credentials](https://attack.mitre.org/techniques/T1606) tied to the permissions of the original user account. These temporary credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation Persistence)", + "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\n\nFor example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own 
SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile API in AWS to add a password that can be used to log into the AWS Management Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation: Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024) If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Entra ID environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) \n\nIn AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials to [Forge Web Credentials](https://attack.mitre.org/techniques/T1606) tied to the permissions of the original user account. 
These temporary credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation Persistence)\n\nIn Entra ID environments with the app password feature enabled, adversaries may be able to add an app password to a user account.(Citation: Mandiant APT42 Operations 2024) As app passwords are intended to be used with legacy devices that do not support multi-factor authentication (MFA), adding an app password can allow an adversary to bypass MFA requirements. Additionally, app passwords may remain valid even if the user’s primary password is reset.(Citation: Microsoft Entra ID App Passwords)", "meta": { "external_id": "T1098.001", "kill_chain": [ "attack-IaaS:persistence", - "attack-Azure-AD:persistence", "attack-SaaS:persistence", + "attack-Identity-Provider:persistence", "attack-IaaS:privilege-escalation", - "attack-Azure-AD:privilege-escalation", - "attack-SaaS:privilege-escalation" + "attack-SaaS:privilege-escalation", + "attack-Identity-Provider:privilege-escalation" ], "mitre_data_sources": [ + "Active Directory: Active Directory Object Creation", + "Active Directory: Active Directory Object Modification", "User Account: User Account Modification" ], "mitre_platforms": [ "IaaS", - "Azure AD", - "SaaS" + "SaaS", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1098/001", + "https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations", "https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add", "https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/", "https://expel.io/blog/finding-evil-in-aws/", + "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", "https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/", + 
"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1", "https://sysdig.com/blog/scarleteel-2-0/", "https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/", + "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts", "https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815" ] }, 
@@ -9078,7 +9201,7 @@
 "value": "Impersonate SS7 Nodes - T1430.002"
 },
 {
- "description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\n\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)",
+ "description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\n\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)",
 "meta": {
 "external_id": "T1027.004",
 "kill_chain": [
@@ -9100,6 +9223,7 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1027/004",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/",
+ "https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/",
 "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf"
 ]
 },
@@ -9135,7 +9259,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1074/002",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2020"
+ "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
 ]
 },
 "related": [
@@ -9337,9 +9461,9 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1036/003",
 "https://lolbas-project.github.io/",
- "https://twitter.com/ItsReallyNick/status/1055321652777619457",
 "https://www.elastic.co/blog/how-hunt-masquerade-ball",
- "https://www.f-secure.com/documents/996508/1030745/CozyDuke"
+ "https://www.f-secure.com/documents/996508/1030745/CozyDuke",
+ "https://x.com/ItsReallyNick/status/1055321652777619457"
 ]
 },
 "related": [
@@ -9430,12 +9554,12 @@
 "Windows"
 ],
 "refs": [
- "http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos",
 "http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf",
 "https://adsecurity.org/?p=556",
 "https://attack.mitre.org/techniques/T1550/003",
 "https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf",
- "https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/"
+ "https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/",
+ "https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos"
 ]
 },
 "related": [
@@ -9722,26 +9846,23 @@
 "meta": {
 "external_id": "T1098.003",
 "kill_chain": [
- "attack-Office-365:persistence",
 "attack-IaaS:persistence",
 "attack-SaaS:persistence",
- "attack-Google-Workspace:persistence",
- "attack-Azure-AD:persistence",
- "attack-Office-365:privilege-escalation",
+ "attack-Office-Suite:persistence",
+ "attack-Identity-Provider:persistence",
 "attack-IaaS:privilege-escalation",
 "attack-SaaS:privilege-escalation",
- "attack-Google-Workspace:privilege-escalation",
- "attack-Azure-AD:privilege-escalation"
+ "attack-Office-Suite:privilege-escalation",
+ "attack-Identity-Provider:privilege-escalation"
 ],
 "mitre_data_sources": [
 "User Account: User Account Modification"
 ],
 "mitre_platforms": [
- "Office 365",
 "IaaS",
 "SaaS",
- "Google Workspace",
- "Azure AD"
+ "Office Suite",
+ "Identity Provider"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1098/003",
@@ -9802,24 +9923,21 @@
 "meta": {
 "external_id": "T1550.004",
 "kill_chain": [
- "attack-Office-365:defense-evasion",
 "attack-SaaS:defense-evasion",
- "attack-Google-Workspace:defense-evasion",
 "attack-IaaS:defense-evasion",
- "attack-Office-365:lateral-movement",
+ "attack-Office-Suite:defense-evasion",
 "attack-SaaS:lateral-movement",
- "attack-Google-Workspace:lateral-movement",
- "attack-IaaS:lateral-movement"
+ "attack-IaaS:lateral-movement",
+ "attack-Office-Suite:lateral-movement"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
 "Web Credential: Web Credential Usage"
 ],
 "mitre_platforms": [
- "Office 365",
 "SaaS",
- "Google Workspace",
- "IaaS"
+ "IaaS",
+ "Office Suite"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1550/004",
@@ -9946,7 +10064,7 @@
 "https://docs.microsoft.com/windows/win32/termserv/about-terminal-services",
 "https://github.com/stascorp/rdpwrap",
 "https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx",
- "https://twitter.com/james_inthe_box/status/1150495335812177920"
+ "https://x.com/james_inthe_box/status/1150495335812177920"
 ]
 },
 "related": [
@@ -10110,9 +10228,8 @@
 "meta": {
 "external_id": "T1114.002",
 "kill_chain": [
- "attack-Office-365:collection",
 "attack-Windows:collection",
- "attack-Google-Workspace:collection"
+ "attack-Office-Suite:collection"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
@@ -10121,9 +10238,8 @@
 "Network Traffic: Network Connection Creation"
 ],
 "mitre_platforms": [
- "Office 365",
 "Windows",
- "Google Workspace"
+ "Office Suite"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1114/002"
@@ -10176,22 +10292,21 @@
 "meta": {
 "external_id": "T1114.003",
 "kill_chain": [
- "attack-Office-365:collection",
 "attack-Windows:collection",
- "attack-Google-Workspace:collection",
 "attack-macOS:collection",
- "attack-Linux:collection"
+ "attack-Linux:collection",
+ "attack-Office-Suite:collection"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
+ "Cloud Service: Cloud Service Metadata",
 "Command: Command Execution"
 ],
 "mitre_platforms": [
- "Office 365",
 "Windows",
- "Google Workspace",
 "macOS",
- "Linux"
+ "Linux",
+ "Office Suite"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1114/003",
@@ -10247,7 +10362,7 @@
 "external_id": "T1137.001",
 "kill_chain": [
 "attack-Windows:persistence",
- "attack-Office-365:persistence"
+ "attack-Office-Suite:persistence"
 ],
 "mitre_data_sources": [
 "Command: Command Execution",
@@ -10259,7 +10374,7 @@
 ],
 "mitre_platforms": [
 "Windows",
- "Office 365"
+ "Office Suite"
 ],
 "refs": [
 "http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/",
@@ -10565,9 +10680,9 @@
 "iOS"
 ],
 "refs": [
- "http://cloak-and-dagger.org/",
 "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf",
 "https://attack.mitre.org/techniques/T1417/002",
+ "https://cloak-and-dagger.org/",
 "https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf",
 "https://developer.android.com/guide/components/activities/background-starts",
 "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html",
@@ -10710,7 +10825,7 @@
 "https://attack.mitre.org/techniques/T1628/001",
 "https://developer.android.com/reference/kotlin/android/content/pm/LauncherApps#getactivitylist",
 "https://source.android.com/setup/start/android-10-release#limitations_to_hiding_app_icons",
- "https://www.cyber.nj.gov/threat-profiles/android-malware-variants/bankbot-spybanker",
+ "https://www.cyber.nj.gov/threat-landscape/malware/trojans/bankbot-spy-banker",
 "https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/",
 "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/"
 ]
@@ -10790,7 +10905,7 @@
 "external_id": "T1137.004",
 "kill_chain": [
 "attack-Windows:persistence",
- "attack-Office-365:persistence"
+ "attack-Office-Suite:persistence"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
@@ -10799,7 +10914,7 @@
 ],
 "mitre_platforms": [
 "Windows",
- "Office 365"
+ "Office Suite"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1137/004",
@@ -10886,10 +11001,10 @@
 "Windows"
 ],
 "refs": [
- "http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/",
- "http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/",
 "https://adsecurity.org/?p=2716",
 "https://attack.mitre.org/techniques/T1484/001",
+ "https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/",
+ "https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/",
 "https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/",
 "https://wald0.com/?p=179",
 "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf",
@@ -10978,13 +11093,9 @@
 "external_id": "T1498.001",
 "kill_chain": [
 "attack-Windows:impact",
- "attack-Azure-AD:impact",
- "attack-Office-365:impact",
- "attack-SaaS:impact",
 "attack-IaaS:impact",
 "attack-Linux:impact",
- "attack-macOS:impact",
- "attack-Google-Workspace:impact"
+ "attack-macOS:impact"
 ],
 "mitre_data_sources": [
 "Network Traffic: Network Traffic Flow",
@@ -10992,13 +11103,9 @@
 ],
 "mitre_platforms": [
 "Windows",
- "Azure AD",
- "Office 365",
- "SaaS",
 "IaaS",
 "Linux",
- "macOS",
- "Google Workspace"
+ "macOS"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1498/001",
@@ -11105,8 +11212,8 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1565/001",
- "https://content.fireeye.com/apt/rpt-apt38",
- "https://www.justice.gov/opa/press-release/file/1092091/download"
+ "https://www.justice.gov/opa/press-release/file/1092091/download",
+ "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf"
 ]
 },
 "related": [
@@ -11155,6 +11262,7 @@
 "attack-PRE:reconnaissance"
 ],
 "mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
 "Network Traffic: Network Traffic Flow"
 ],
 "mitre_platforms": [
@@ -11353,13 +11461,9 @@
 "external_id": "T1499.002",
 "kill_chain": [
 "attack-Windows:impact",
- "attack-Azure-AD:impact",
- "attack-Office-365:impact",
- "attack-SaaS:impact",
 "attack-IaaS:impact",
 "attack-Linux:impact",
- "attack-macOS:impact",
- "attack-Google-Workspace:impact"
+ "attack-macOS:impact"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
@@ -11369,13 +11473,9 @@
 ],
 "mitre_platforms": [
 "Windows",
- "Azure AD",
- "Office 365",
- "SaaS",
 "IaaS",
 "Linux",
- "macOS",
- "Google Workspace"
+ "macOS"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1499/002",
@@ -11447,8 +11547,8 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1565/002",
- "https://content.fireeye.com/apt/rpt-apt38",
- "https://www.justice.gov/opa/press-release/file/1092091/download"
+ "https://www.justice.gov/opa/press-release/file/1092091/download",
+ "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf"
 ]
 },
 "related": [
@@ -11590,8 +11690,8 @@
 "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf",
 "https://arxiv.org/pdf/1611.00791.pdf",
 "https://attack.mitre.org/techniques/T1568/002",
- "https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html",
 "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/",
+ "https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e",
 "https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/",
 "https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/",
 "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html",
@@ -11661,8 +11761,8 @@
 "https://attack.mitre.org/techniques/T1578/002",
 "https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/",
 "https://cloud.google.com/logging/docs/audit#admin-activity",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
- "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs"
+ "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs",
+ "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
 ]
 },
 "related": [
@@ -11851,7 +11951,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1497/003",
- "https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc",
+ "https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit",
 "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/",
 "https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes",
 "https://www.joesecurity.org/blog/3660886847485093803",
@@ -11874,13 +11974,9 @@
 "external_id": "T1499.003",
 "kill_chain": [
 "attack-Windows:impact",
- "attack-Azure-AD:impact",
- "attack-Office-365:impact",
- "attack-SaaS:impact",
 "attack-IaaS:impact",
 "attack-Linux:impact",
- "attack-macOS:impact",
- "attack-Google-Workspace:impact"
+ "attack-macOS:impact"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
@@ -11890,13 +11986,9 @@
 ],
 "mitre_platforms": [
 "Windows",
- "Azure AD",
- "Office 365",
- "SaaS",
 "IaaS",
 "Linux",
- "macOS",
- "Google Workspace"
+ "macOS"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1499/003",
@@ -11974,8 +12066,8 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1565/003",
- "https://content.fireeye.com/apt/rpt-apt38",
- "https://www.justice.gov/opa/press-release/file/1092091/download"
+ "https://www.justice.gov/opa/press-release/file/1092091/download",
+ "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf"
 ]
 },
 "related": [
@@ -12038,8 +12130,8 @@
 "https://attack.mitre.org/techniques/T1578/003",
 "https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/",
 "https://cloud.google.com/logging/docs/audit#admin-activity",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
- "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs"
+ "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs",
+ "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
 ]
 },
 "related": [
@@ -12097,11 +12189,11 @@
 ],
 "refs": [
 "http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html",
- "http://msdn.microsoft.com/en-us/library/aa364404",
 "https://attack.mitre.org/techniques/T1564/004",
 "https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/",
 "https://blogs.technet.microsoft.com/askcore/2010/08/25/ntfs-file-attributes/",
 "https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/",
+ "https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams",
 "https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/",
 "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
 "https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea",
@@ -12149,6 +12241,38 @@
 "uuid": "6836813e-8ec8-4375-b459-abb388cb1a35",
 "value": "Winlogon Helper DLL - T1547.004"
 },
+ {
+ "description": "Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, which may impact hosted service availability. \n\nFor example, adversaries may leverage email and messaging services, such as AWS Simple Email Service (SES), AWS Simple Notification Service (SNS), SendGrid, and Twilio, in order to send large quantities of spam / [Phishing](https://attack.mitre.org/techniques/T1566) emails and SMS messages.(Citation: Invictus IR DangerDev 2024)(Citation: Permiso SES Abuse 2023)(Citation: SentinelLabs SNS Sender 2024) Alternatively, they may engage in LLMJacking by leveraging reverse proxies to hijack the power of cloud-hosted AI models.(Citation: Sysdig LLMJacking 2024)(Citation: Lacework LLMJacking 2024)\n\nIn some cases, adversaries may leverage services that the victim is already using. In others, particularly when the service is part of a larger cloud platform, they may first enable the service.(Citation: Sysdig LLMJacking 2024) Leveraging SaaS applications may cause the victim to incur significant financial costs, use up service quotas, and otherwise impact availability. 
",
+ "meta": {
+ "external_id": "T1496.004",
+ "kill_chain": [
+ "attack-SaaS:impact"
+ ],
+ "mitre_data_sources": [
+ "Application Log: Application Log Content",
+ "Cloud Service: Cloud Service Modification"
+ ],
+ "mitre_platforms": [
+ "SaaS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1496/004",
+ "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/",
+ "https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/",
+ "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me",
+ "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts",
+ "https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "924d273c-be0d-4d8d-af58-2dddb15ef1e2",
+ "value": "Cloud Service Hijacking - T1496.004"
+ },
 {
 "description": "Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)\n\nThe Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of [Credentials from Web Browsers](https://attack.mitre.org/techniques/T1555/003), Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.\n\nCredential Lockers store credentials in encrypted `.vcrd` files, located under `%Systemdrive%\\Users\\\\[Username]\\AppData\\Local\\Microsoft\\\\[Vault/Credentials]\\`. 
The encryption key can be found in a file named Policy.vpol, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault)\n\nAdversaries may list credentials managed by the Windows Credential Manager through several mechanisms. vaultcmd.exe is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may also gather credentials by directly reading files located inside of the Credential Lockers. Windows APIs, such as CredEnumerateA, may also be absued to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)\n\nAdversaries may also obtain credentials from credential backups. Credential backups and restorations may be performed by running rundll32.exe keymgr.dll KRShowKeyMgr then selecting the “Back up...” button on the “Stored User Names and Passwords” GUI.\n\nPassword recovery tools may also obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault)",
 "meta": {
@@ -12409,8 +12533,7 @@
 "attack-macOS:exfiltration",
 "attack-Linux:exfiltration",
 "attack-SaaS:exfiltration",
- "attack-Office-365:exfiltration",
- "attack-Google-Workspace:exfiltration"
+ "attack-Office-Suite:exfiltration"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
@@ -12424,8 +12547,7 @@
 "macOS",
 "Linux",
 "SaaS",
- "Office 365",
- "Google Workspace"
+ "Office Suite"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1567/004",
@@ -12453,10 +12575,9 @@
 "external_id": "T1564.008",
 "kill_chain": [
 "attack-Windows:defense-evasion",
- "attack-Office-365:defense-evasion",
 "attack-Linux:defense-evasion",
 "attack-macOS:defense-evasion",
- "attack-Google-Workspace:defense-evasion"
+ "attack-Office-Suite:defense-evasion"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
@@ -12465,10 +12586,9 @@
 ],
 "mitre_platforms": [
 "Windows",
- "Office 365",
 "Linux",
 "macOS",
- "Google Workspace"
+ "Office Suite"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1564/008",
@@ -12558,28 +12678,24 @@
 "value": "Network Provider DLL - T1556.008"
 },
 {
- "description": "Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be denied access to applications based on their IP address, device enrollment status, and use of multi-factor authentication.(Citation: Microsoft Conditional Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional Access Policies) In some cases, identity providers may also support the use of risk-based metrics to deny sign-ins based on a variety of indicators. In AWS and GCP, IAM policies can contain `condition` attributes that verify arbitrary constraints such as the source IP, the date the request was made, and the nature of the resources or regions being requested.(Citation: AWS IAM Conditions)(Citation: GCP IAM Conditions) These measures help to prevent compromised credentials from resulting in unauthorized access to data or resources, as well as limit user permissions to only those required. \n\nBy modifying conditional access policies, such as adding additional trusted IP ranges, removing [Multi-Factor Authentication](https://attack.mitre.org/techniques/T1556/006) requirements, or allowing additional [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535), adversaries may be able to ensure persistent access to accounts and circumvent defensive measures.",
+ "description": "Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. 
Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be denied access to applications based on their IP address, device enrollment status, and use of multi-factor authentication.(Citation: Microsoft Conditional Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional Access Policies) In some cases, identity providers may also support the use of risk-based metrics to deny sign-ins based on a variety of indicators. In AWS and GCP, IAM policies can contain `condition` attributes that verify arbitrary constraints such as the source IP, the date the request was made, and the nature of the resources or regions being requested.(Citation: AWS IAM Conditions)(Citation: GCP IAM Conditions) These measures help to prevent compromised credentials from resulting in unauthorized access to data or resources, as well as limit user permissions to only those required. 
\n\nBy modifying conditional access policies, such as adding additional trusted IP ranges, removing [Multi-Factor Authentication](https://attack.mitre.org/techniques/T1556/006) requirements, or allowing additional [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535), adversaries may be able to ensure persistent access to accounts and circumvent defensive measures.",
 "meta": {
 "external_id": "T1556.009",
 "kill_chain": [
- "attack-Azure-AD:credential-access",
- "attack-SaaS:credential-access",
 "attack-IaaS:credential-access",
- "attack-Azure-AD:defense-evasion",
- "attack-SaaS:defense-evasion",
+ "attack-Identity-Provider:credential-access",
 "attack-IaaS:defense-evasion",
- "attack-Azure-AD:persistence",
- "attack-SaaS:persistence",
- "attack-IaaS:persistence"
+ "attack-Identity-Provider:defense-evasion",
+ "attack-IaaS:persistence",
+ "attack-Identity-Provider:persistence"
 ],
 "mitre_data_sources": [
 "Active Directory: Active Directory Object Modification",
 "Cloud Service: Cloud Service Modification"
 ],
 "mitre_platforms": [
- "Azure AD",
- "SaaS",
- "IaaS"
+ "IaaS",
+ "Identity Provider"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1556/009",
@@ -12898,8 +13014,8 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1593",
 "https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e",
- "https://securitytrails.com/blog/google-hacking-techniques",
- "https://www.exploit-db.com/google-hacking-database"
+ "https://www.exploit-db.com/google-hacking-database",
+ "https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks"
 ]
 },
 "uuid": "a0e6614a-7740-4b24-bd65-f1bde09fc365",
@@ -12943,7 +13059,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1010",
- "https://www.prevailion.com/darkwatchman-new-fileless-techniques/",
+ "https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/",
 "https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/"
 ]
 },
@@ -13142,10 +13258,10 @@
 "external_id": "T1080",
 "kill_chain": [
 "attack-Windows:lateral-movement",
- "attack-Office-365:lateral-movement",
 "attack-SaaS:lateral-movement",
 "attack-Linux:lateral-movement",
- "attack-macOS:lateral-movement"
+ "attack-macOS:lateral-movement",
+ "attack-Office-Suite:lateral-movement"
 ],
 "mitre_data_sources": [
 "File: File Creation",
@@ -13155,10 +13271,10 @@
 ],
 "mitre_platforms": [
 "Windows",
- "Office 365",
 "SaaS",
 "Linux",
- "macOS"
+ "macOS",
+ "Office Suite"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1080",
@@ -13231,7 +13347,10 @@
 "attack-Linux:discovery",
 "attack-macOS:discovery",
 "attack-IaaS:discovery",
- "attack-Network:discovery"
+ "attack-Network:discovery",
+ "attack-Identity-Provider:discovery",
+ "attack-SaaS:discovery",
+ "attack-Office-Suite:discovery"
 ],
 "mitre_data_sources": [
 "Command: Command Execution",
@@ -13243,7 +13362,10 @@
 "Linux",
 "macOS",
 "IaaS",
- "Network"
+ "Network",
+ "Identity Provider",
+ "SaaS",
+ "Office Suite"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1201",
@@ -13469,7 +13591,7 @@
 "value": "Application Deployment Software - T1017"
 },
 {
- "description": "Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22) ",
+ "description": "Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22) ",
 "meta": {
 "external_id": "T1071",
 "kill_chain": [
@@ -13564,7 +13686,7 @@
 "value": "Remote System Discovery - T1018"
 },
 {
- "description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.",
+ "description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). 
For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.",
 "meta": {
 "external_id": "T1202",
 "kill_chain": [
@@ -13580,8 +13702,11 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1202",
 "https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe",
- "https://twitter.com/Evi1cg/status/935027922397573120",
- "https://twitter.com/vector_sec/status/896049052642533376"
+ "https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/",
+ "https://ss64.com/nt/scriptrunner.html",
+ "https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/",
+ "https://x.com/Evi1cg/status/935027922397573120",
+ "https://x.com/vector_sec/status/896049052642533376"
 ]
 },
 "uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
@@ -13608,8 +13733,8 @@
 "https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75",
 "https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/",
 "https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/",
- "https://twitter.com/dez_/status/986614411711442944",
- "https://www.microsoft.com/download/details.aspx?id=21714"
+ "https://www.microsoft.com/download/details.aspx?id=21714",
+ "https://x.com/dez_/status/986614411711442944"
 ]
 },
 "uuid": "ebbe170d-aa74-4946-8511-9921243415a3",
@@ -13816,7 +13941,7 @@
 "value": "Rogue Domain Controller - T1207"
 },
 {
- "description": "Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager. \n\nAccess to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\n\nSaaS-based configuration management services may allow for broad [Cloud Administration Command](https://attack.mitre.org/techniques/T1651) on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. 
For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001) to communicate back to adversary owned infrastructure.(Citation: Mitiga Security Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to access specific functionality.",
+ "description": "Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager. \n\nAccess to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. 
The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\n\nSaaS-based configuration management services may allow for broad [Cloud Administration Command](https://attack.mitre.org/techniques/T1651) on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001) to communicate back to adversary owned infrastructure.(Citation: Mitiga Security Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to access specific functionality.",
 "meta": {
 "external_id": "T1072",
 "kill_chain": [
@@ -14136,7 +14261,7 @@ "value": "Stored Application Data - T1409" }, { - "description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no\n* REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system\n* diskshadow.exe can be used to delete all volume shadow copies on a system - diskshadow delete shadows all (Citation: Diskshadow) (Citation: Crytox Ransomware)\n\nOn network devices, adversaries may leverage [Disk 
Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.\n\nAdversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)", + "description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. 
Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no\n* REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system\n* diskshadow.exe can be used to delete all volume shadow copies on a system - diskshadow delete shadows all (Citation: Diskshadow) (Citation: Crytox Ransomware)\n\nOn network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. 
Together this activity may leave network devices completely inoperable and inhibit recovery operations.\n\nAdversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)",
 "meta": {
 "external_id": "T1490",
 "kill_chain": [
@@ -14169,11 +14294,11 @@
 "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
 "https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/",
- "https://twitter.com/TheDFIRReport/status/1498657590259109894",
 "https://www.darkreading.com/attacks-breaches/code-hosting-service-shuts-down-after-cyber-attack",
 "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
 "https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/",
- "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware"
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
+ "https://x.com/TheDFIRReport/status/1498657590259109894"
 ]
 },
 "uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
@@ -14430,14 +14555,14 @@
 "https://attack.mitre.org/techniques/T1580",
 "https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/",
 "https://cloud.google.com/sdk/gcloud/reference/compute/instances/list",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html",
 "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html",
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html",
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html",
 "https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html",
 "https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest",
- "https://expel.io/blog/finding-evil-in-aws/"
+ "https://expel.io/blog/finding-evil-in-aws/",
+ "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
 ]
 },
 "uuid": "57a3d31a-d04f-4663-b2da-7df8ec3f8c9d",
@@ -14452,10 +14577,9 @@
 "attack-Windows:credential-access",
 "attack-macOS:credential-access",
 "attack-Linux:credential-access",
- "attack-Azure-AD:credential-access",
- "attack-Office-365:credential-access",
- "attack-Google-Workspace:credential-access",
- "attack-IaaS:credential-access"
+ "attack-IaaS:credential-access",
+ "attack-Office-Suite:credential-access",
+ "attack-Identity-Provider:credential-access"
 ],
 "mitre_data_sources": [
 "Logon Session: Logon Session Creation",
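Review bot: The new kill_chain phases `attack-Office-Suite:credential-access` and `attack-Identity-Provider:credential-access` only resolve if the galaxy definition in galaxies/mitre-attack-pattern.json lists `attack-Office-Suite` and `attack-Identity-Provider` in its kill_chain_order; the diffstat shows that file is touched, so this is presumably handled, but the validation run should also confirm that no cluster still references the dropped `attack-Azure-AD`, `attack-Office-365` and `attack-Google-Workspace` phases if those keys are removed from the order. The same platform consolidation recurs in the hunks at @@ -14467, @@ -14581, @@ -14599, @@ -15073, @@ -15085, @@ -15131, @@ -15145, @@ -16201, @@ -16792, @@ -17077, @@ -17102, @@ -17270, @@ -17314, @@ -17900, @@ -17933, @@ -18188 and @@ -18201. Because the `mitre_platforms` strings "Azure AD", "Office 365" and "Google Workspace" are replaced as well, downstream consumers that filter or correlate on those platform names will silently stop matching; a sentence in the commit description naming the upstream platform rename would make that visible to them.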
@@ -14467,15 +14591,14 @@
 "Windows",
 "macOS",
 "Linux",
- "Azure AD",
- "Office 365",
- "Google Workspace",
- "IaaS"
+ "IaaS",
+ "Office Suite",
+ "Identity Provider"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1606",
 "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html",
- "https://github.com/damianh/aws-adfs-credential-generator",
+ "https://github.com/pvanbuijtene/aws-adfs-credential-generator",
 "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
 "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
 "https://wiki.zimbra.com/wiki/Preauth",
@@ -14581,14 +14704,13 @@
 "external_id": "T1069",
 "kill_chain": [
 "attack-Windows:discovery",
- "attack-Azure-AD:discovery",
- "attack-Office-365:discovery",
 "attack-SaaS:discovery",
 "attack-IaaS:discovery",
 "attack-Linux:discovery",
 "attack-macOS:discovery",
- "attack-Google-Workspace:discovery",
- "attack-Containers:discovery"
+ "attack-Containers:discovery",
+ "attack-Office-Suite:discovery",
+ "attack-Identity-Provider:discovery"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
@@ -14599,14 +14721,13 @@
 ],
 "mitre_platforms": [
 "Windows",
- "Azure AD",
- "Office 365",
 "SaaS",
 "IaaS",
 "Linux",
 "macOS",
- "Google Workspace",
- "Containers"
+ "Containers",
+ "Office Suite",
+ "Identity Provider"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1069",
@@ -15073,8 +15194,9 @@
 "attack-Linux:impact",
 "attack-macOS:impact",
 "attack-Windows:impact",
- "attack-Office-365:impact",
- "attack-SaaS:impact"
+ "attack-SaaS:impact",
+ "attack-IaaS:impact",
+ "attack-Office-Suite:impact"
 ],
 "mitre_data_sources": [
 "Active Directory: Active Directory Object Modification",
@@ -15085,8 +15207,9 @@
 "Linux",
 "macOS",
 "Windows",
- "Office 365",
- "SaaS"
+ "SaaS",
+ "IaaS",
+ "Office Suite"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1531",
@@ -15131,7 +15254,7 @@
 "external_id": "T1137",
 "kill_chain": [
 "attack-Windows:persistence",
- "attack-Office-365:persistence"
+ "attack-Office-Suite:persistence"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
@@ -15145,7 +15268,7 @@
 ],
 "mitre_platforms": [
 "Windows",
- "Office 365"
+ "Office Suite"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1137",
@@ -15305,11 +15428,11 @@
 "IaaS"
 ],
 "refs": [
- "https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf",
 "https://attack.mitre.org/techniques/T1614",
 "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html",
 "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows",
 "https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/",
+ "https://s3.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf",
 "https://securelist.com/transparent-tribe-part-1/98127/",
 "https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/"
 ]
@@ -15523,7 +15646,7 @@
 "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
 "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146&myns=s028&mynp=OCSTHGUJ&mynp=OCSTLM5A&mynp=OCSTLM6B&mynp=OCHW206&mync=E&cm_sp=s028-_-OCSTHGUJ-OCSTLM5A-OCSTLM6B-OCHW206-_-E",
 "https://www.commandfive.com/papers/C5_APT_SKHack.pdf",
- "https://www.se.com/ww/en/download/document/SESN-2018-236-01/",
+ "https://www.se.com/us/en/download/document/SESN-2018-236-01/",
 "https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets"
 ]
 },
@@ -16201,25 +16324,24 @@ "value": "Implant Internal Image - T1525" }, { - "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nFor example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)\n\nAdversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008).", + "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). 
Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nFor example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)\n\nAdversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008).", "meta": { "external_id": "T1526", "kill_chain": [ - "attack-Azure-AD:discovery", - "attack-Office-365:discovery", "attack-SaaS:discovery", "attack-IaaS:discovery", - "attack-Google-Workspace:discovery" + "attack-Office-Suite:discovery", + "attack-Identity-Provider:discovery" ], "mitre_data_sources": [ - "Cloud Service: Cloud Service Enumeration" + "Cloud Service: Cloud Service Enumeration", + "Logon Session: Logon Session Creation" ], "mitre_platforms": [ - "Azure AD", - "Office 365", "SaaS", "IaaS", - "Google Workspace" + "Office Suite", + "Identity Provider" ], "refs": [ 
"https://attack.mitre.org/techniques/T1526",
@@ -16792,22 +16914,20 @@
 "meta": {
 "external_id": "T1538",
 "kill_chain": [
- "attack-Azure-AD:discovery",
- "attack-Office-365:discovery",
 "attack-IaaS:discovery",
- "attack-Google-Workspace:discovery",
- "attack-SaaS:discovery"
+ "attack-SaaS:discovery",
+ "attack-Office-Suite:discovery",
+ "attack-Identity-Provider:discovery"
 ],
 "mitre_data_sources": [
 "Logon Session: Logon Session Creation",
 "User Account: User Account Authentication"
 ],
 "mitre_platforms": [
- "Azure AD",
- "Office 365",
 "IaaS",
- "Google Workspace",
- "SaaS"
+ "SaaS",
+ "Office Suite",
+ "Identity Provider"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1538",
@@ -17077,13 +17197,13 @@
 "attack-Windows:privilege-escalation",
 "attack-SaaS:privilege-escalation",
 "attack-IaaS:privilege-escalation",
- "attack-Office-365:privilege-escalation",
+ "attack-Office-Suite:privilege-escalation",
 "attack-Linux:persistence",
 "attack-macOS:persistence",
 "attack-Windows:persistence",
 "attack-SaaS:persistence",
 "attack-IaaS:persistence",
- "attack-Office-365:persistence"
+ "attack-Office-Suite:persistence"
 ],
 "mitre_data_sources": [
 "Cloud Service: Cloud Service Modification",
@@ -17102,7 +17222,7 @@
 "Windows",
 "SaaS",
 "IaaS",
- "Office 365"
+ "Office Suite"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1546",
@@ -17270,29 +17390,26 @@
 "attack-Linux:credential-access",
 "attack-macOS:credential-access",
 "attack-Network:credential-access",
- "attack-Azure-AD:credential-access",
- "attack-Google-Workspace:credential-access",
 "attack-IaaS:credential-access",
- "attack-Office-365:credential-access",
 "attack-SaaS:credential-access",
+ "attack-Office-Suite:credential-access",
+ "attack-Identity-Provider:credential-access",
 "attack-Windows:defense-evasion",
 "attack-Linux:defense-evasion",
 "attack-macOS:defense-evasion",
 "attack-Network:defense-evasion",
- "attack-Azure-AD:defense-evasion",
- "attack-Google-Workspace:defense-evasion",
 "attack-IaaS:defense-evasion",
- "attack-Office-365:defense-evasion",
 "attack-SaaS:defense-evasion",
+ "attack-Office-Suite:defense-evasion",
+ "attack-Identity-Provider:defense-evasion",
 "attack-Windows:persistence",
 "attack-Linux:persistence",
 "attack-macOS:persistence",
 "attack-Network:persistence",
- "attack-Azure-AD:persistence",
- "attack-Google-Workspace:persistence",
 "attack-IaaS:persistence",
- "attack-Office-365:persistence",
- "attack-SaaS:persistence"
+ "attack-SaaS:persistence",
+ "attack-Office-Suite:persistence",
+ "attack-Identity-Provider:persistence"
 ],
 "mitre_data_sources": [
 "Active Directory: Active Directory Object Modification",
@@ -17314,11 +17431,10 @@
 "Linux",
 "macOS",
 "Network",
- "Azure AD",
- "Google Workspace",
 "IaaS",
- "Office 365",
- "SaaS"
+ "SaaS",
+ "Office Suite",
+ "Identity Provider"
 ],
 "refs": [
 "https://adsecurity.org/?p=2053",
@@ -17377,7 +17493,7 @@ "value": "Compromise Application Executable - T1577" }, { - "description": "Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)\n\nAdversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", + "description": "Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)\n\nAdversaries may search in different closed databases depending on what information they seek to gather. 
Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", "meta": { "external_id": "T1597", "kill_chain": [ @@ -17388,7 +17504,6 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1597", - "https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/", "https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/" ] }, @@ -17418,8 +17533,8 @@ "https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/", "https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/", "https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/", + "https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf", "https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-callback-phishing", - "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages", "https://www.proofpoint.com/us/threat-reference/email-spoofing", 
@@ -17546,7 +17661,7 @@ "value": "Right-to-Left Override - T1036.002" }, { - "description": "Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.\n\nFor example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)\n\nIn the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.\n\nSimilarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)", + "description": "Adversaries may chain together multiple proxies to disguise the source of malicious traffic. 
Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.\n\nFor example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing) Adversaries may also use operational relay box (ORB) networks composed of virtual private servers (VPS), Internet of Things (IoT) devices, smart devices, and end-of-life routers to obfuscate their operations. (Citation: ORB Mandiant) \n\nIn the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport. \n\nSimilarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)", "meta": { "external_id": "T1090.003", "kill_chain": [ 
@@ -17568,6 +17683,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1090/003",
+ "https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks",
 "https://en.wikipedia.org/wiki/Onion_routing",
 "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/"
 ]
@@ -17773,6 +17889,37 @@
 "uuid": "d916f176-a1ca-4a78-9fdd-4058bc28162e",
 "value": "One-Way Communication - T1481.003"
 },
+ {
+ "description": "Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. \n\nCloud storage buckets often allow users to set lifecycle policies to automate the migration, archival, or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation: GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor has sufficient permissions to modify these policies, they may be able to delete all objects at once. \n\nFor example, in AWS environments, an adversary with the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle` API call to apply a lifecycle policy to an S3 bucket that deletes all objects in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition to destroying data for purposes of extortion and [Financial Theft](https://attack.mitre.org/techniques/T1657), adversaries may also perform this action on buckets storing cloud logs for [Indicator Removal](https://attack.mitre.org/techniques/T1070).(Citation: Datadog S3 Lifecycle CloudTrail Logs)",
+ "meta": {
+ "external_id": "T1485.001",
+ "kill_chain": [
+ "attack-IaaS:impact"
+ ],
+ "mitre_data_sources": [
+ "Cloud Storage: Cloud Storage Modification"
+ ],
+ "mitre_platforms": [
+ "IaaS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1485/001",
+ "https://cloud.google.com/storage/docs/lifecycle",
+ "https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html",
+ "https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal",
+ "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/",
+ "https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4",
+ "value": "Lifecycle-Triggered Deletion - T1485.001"
+ },
 {
 "description": "Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Discovery](https://attack.mitre.org/tactics/TA0032) or [Credential Access](https://attack.mitre.org/tactics/TA0031) activity to support both ongoing and future campaigns. ",
 "meta": {
@@ -17844,9 +17991,9 @@
 "Windows"
 ],
 "refs": [
- "http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/",
 "https://adsecurity.org/?p=2293",
 "https://attack.mitre.org/techniques/T1558/004",
+ "https://blog.harmj0y.net/activedirectory/roasting-as-reps/",
 "https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/",
 "https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768",
@@ -17900,29 +18047,26 @@
 "external_id": "T1556.006",
 "kill_chain": [
 "attack-Windows:credential-access",
- "attack-Azure-AD:credential-access",
- "attack-Office-365:credential-access",
 "attack-SaaS:credential-access",
 "attack-IaaS:credential-access",
- "attack-Google-Workspace:credential-access",
 "attack-Linux:credential-access",
 "attack-macOS:credential-access",
+ "attack-Office-Suite:credential-access",
+ "attack-Identity-Provider:credential-access",
 "attack-Windows:defense-evasion",
- "attack-Azure-AD:defense-evasion",
- "attack-Office-365:defense-evasion",
 "attack-SaaS:defense-evasion",
 "attack-IaaS:defense-evasion",
- "attack-Google-Workspace:defense-evasion",
 "attack-Linux:defense-evasion",
 "attack-macOS:defense-evasion",
+ "attack-Office-Suite:defense-evasion",
+ "attack-Identity-Provider:defense-evasion",
 "attack-Windows:persistence",
- "attack-Azure-AD:persistence",
- "attack-Office-365:persistence",
 "attack-SaaS:persistence",
 "attack-IaaS:persistence",
- "attack-Google-Workspace:persistence",
 "attack-Linux:persistence",
- "attack-macOS:persistence"
+ "attack-macOS:persistence",
+ "attack-Office-Suite:persistence",
+ "attack-Identity-Provider:persistence"
 ],
 "mitre_data_sources": [
 "Active Directory: Active Directory Object Modification",
@@ -17933,13 +18077,12 @@
 ],
 "mitre_platforms": [
 "Windows",
- "Azure AD",
- "Office 365",
 "SaaS",
 "IaaS",
- "Google Workspace",
 "Linux",
- "macOS"
+ "macOS",
+ "Office Suite",
+ "Identity Provider"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1556/006",
@@ -18114,9 +18257,9 @@
 "refs": [
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
 "https://attack.mitre.org/techniques/T1571",
- "https://twitter.com/TheDFIRReport/status/1498657772254240768",
 "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html",
- "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"
+ "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://x.com/TheDFIRReport/status/1498657772254240768"
 ]
 },
 "uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
@@ -18188,7 +18331,7 @@
 "attack-Windows:initial-access",
 "attack-Linux:initial-access",
 "attack-macOS:initial-access",
- "attack-SaaS:initial-access"
+ "attack-Identity-Provider:initial-access"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
@@ -18201,7 +18344,7 @@
 "Windows",
 "Linux",
 "macOS",
- "SaaS"
+ "Identity Provider"
 ],
 "refs": [
 "http://blog.shadowserver.org/2012/05/15/cyber-espionage-strategic-web-compromises-trusted-websites-serving-dangerous-results/",
@@ -18299,6 +18442,41 @@
 "uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d",
 "value": "Inter-Process Communication - T1559"
 },
+ {
+ "description": "Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as MQTT, XMPP, AMQP, and STOMP use a publish/subscribe design, with message distribution managed by a centralized broker.(Citation: wailing crab sub/pub)(Citation: Mandiant APT1 Appendix) Publishers categorize their messages by topics, while subscribers receive messages according to their subscribed topics.(Citation: wailing crab sub/pub) An adversary may abuse publish/subscribe protocols to communicate with systems under their control from behind a message broker while also mimicking normal, expected traffic.",
+ "meta": {
+ "external_id": "T1071.005",
+ "kill_chain": [
+ "attack-macOS:command-and-control",
+ "attack-Linux:command-and-control",
+ "attack-Windows:command-and-control",
+ "attack-Network:command-and-control"
+ ],
+ "mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
+ "Network Traffic: Network Traffic Flow"
+ ],
+ "mitre_platforms": [
+ "macOS",
+ "Linux",
+ "Windows",
+ "Network"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1071/005",
+ "https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/",
+ "https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "241f9ea8-f6ae-4f38-92f5-cef5b7e539dd",
+ "value": "Publish/Subscribe Protocols - T1071.005"
+ },
 {
 "description": "Adversaries may duplicate then impersonate another user's existing token to escalate privileges and 
bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.\n\nAn adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.\n\nWhen an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.",
 "meta": {
@@ -18526,35 +18704,38 @@
 "value": "LSASS Memory - T1003.001"
 },
 {
- "description": "Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic. \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related with a trusted entity. ",
+ "description": "Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.\n\nRelocating malware may be a part of many actions intended to evade defenses. 
For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)\n\nRelocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders.",
 "meta": {
- "external_id": "T1001.003",
+ "external_id": "T1070.010",
 "kill_chain": [
- "attack-Linux:command-and-control",
- "attack-Windows:command-and-control",
- "attack-macOS:command-and-control"
+ "attack-Linux:defense-evasion",
+ "attack-macOS:defense-evasion",
+ "attack-Windows:defense-evasion",
+ "attack-Network:defense-evasion"
 ],
 "mitre_data_sources": [
- "Network Traffic: Network Traffic Content"
+ "File: File Modification"
 ],
 "mitre_platforms": [
 "Linux",
+ "macOS",
 "Windows",
- "macOS"
+ "Network"
 ],
 "refs": [
- "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
- "https://attack.mitre.org/techniques/T1001/003"
+ "https://attack.mitre.org/techniques/T1070/010",
+ "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/",
+ "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice"
 ]
 },
 "related": [
 {
- "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
+ "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
 "type": "subtechnique-of"
 }
 ],
- "uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
- "value": "Protocol Impersonation - T1001.003"
+ "uuid": "cc36eeae-2209-4e63-89d3-c97e19edf280",
+ "value": "Relocate 
Malware - T1070.010"
 },
 {
 "description": "Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.\n\nBy using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.",
@@ -18801,15 +18982,14 @@
 "external_id": "T1110.001",
 "kill_chain": [
 "attack-Windows:credential-access",
- "attack-Azure-AD:credential-access",
- "attack-Office-365:credential-access",
 "attack-SaaS:credential-access",
 "attack-IaaS:credential-access",
 "attack-Linux:credential-access",
 "attack-macOS:credential-access",
- "attack-Google-Workspace:credential-access",
 "attack-Containers:credential-access",
- "attack-Network:credential-access"
+ "attack-Network:credential-access",
+ "attack-Office-Suite:credential-access",
+ "attack-Identity-Provider:credential-access"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
@@ -18817,15 +18997,14 @@
 ],
 "mitre_platforms": [
 "Windows",
- "Azure AD",
- "Office 365",
 "SaaS",
 "IaaS",
 "Linux",
 "macOS",
- "Google Workspace",
 "Containers",
- "Network"
+ "Network",
+ "Office Suite",
+ "Identity Provider"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1110/001",
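Review bot: The Protocol Impersonation cluster (uuid `c325b232-d5bc-4dde-a3ec-71f3db9e8adc`, T1001.003) is removed outright, and the Relocate Malware entry that takes its place is a distinct technique with its own uuid `cc36eeae-2209-4e63-89d3-c97e19edf280`, so any stored event, tag or correlation that references the old uuid no longer resolves to anything in this galaxy. This diff does not show whether the parent T1001 entry (`ad255bfe-a9e6-4b52-a258-8d3462abe842`) still lists the removed child in its own `related` array; that should be checked, since a dangling dest-uuid there would survive this commit. If upstream only deprecated or revoked T1001.003, keeping the entry with a deprecation marker (in whatever form the generator uses for retired techniques) would preserve those references; if the generator simply drops retired entries, the commit description should say so. The enclosing object for Relocate Malware begins in the previous chunk line.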
@@ -18851,9 +19030,9 @@
 "attack-Linux:credential-access",
 "attack-macOS:credential-access",
 "attack-Windows:credential-access",
- "attack-Office-365:credential-access",
- "attack-Azure-AD:credential-access",
- "attack-Network:credential-access"
+ "attack-Network:credential-access",
+ "attack-Office-Suite:credential-access",
+ "attack-Identity-Provider:credential-access"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
@@ -18863,9 +19042,9 @@
 "Linux",
 "macOS",
 "Windows",
- "Office 365",
- "Azure AD",
- "Network"
+ "Network",
+ "Office Suite",
+ "Identity Provider"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1110/002",
@@ -18888,15 +19067,14 @@
 "external_id": "T1110.003",
 "kill_chain": [
 "attack-Windows:credential-access",
- "attack-Azure-AD:credential-access",
- "attack-Office-365:credential-access",
 "attack-SaaS:credential-access",
 "attack-IaaS:credential-access",
 "attack-Linux:credential-access",
 "attack-macOS:credential-access",
- "attack-Google-Workspace:credential-access",
 "attack-Containers:credential-access",
- "attack-Network:credential-access"
+ "attack-Network:credential-access",
+ "attack-Office-Suite:credential-access",
+ "attack-Identity-Provider:credential-access"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
@@ -18904,15 +19082,14 @@
 ],
 "mitre_platforms": [
 "Windows",
- "Azure AD",
- "Office 365",
 "SaaS",
 "IaaS",
 "Linux",
 "macOS",
- "Google Workspace",
 "Containers",
- "Network"
+ "Network",
+ "Office Suite",
+ "Identity Provider"
 ],
 "refs": [
 "http://www.blackhillsinfosec.com/?p=4645",
@@ -18936,15 +19113,14 @@
 "external_id": "T1110.004",
 "kill_chain": [
 "attack-Windows:credential-access",
- "attack-Azure-AD:credential-access",
- "attack-Office-365:credential-access",
 "attack-SaaS:credential-access",
 "attack-IaaS:credential-access",
 "attack-Linux:credential-access",
 "attack-macOS:credential-access",
- "attack-Google-Workspace:credential-access",
 "attack-Containers:credential-access",
- "attack-Network:credential-access"
+ "attack-Network:credential-access",
+ "attack-Office-Suite:credential-access",
+ "attack-Identity-Provider:credential-access"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
@@ -18952,15 +19128,14 @@
 ],
 "mitre_platforms": [
 "Windows",
- "Azure AD",
- "Office 365",
 "SaaS",
 "IaaS",
 "Linux",
 "macOS",
- "Google Workspace",
 "Containers",
- "Network"
+ "Network",
+ "Office Suite",
+ "Identity Provider"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1110/004",
@@ -19179,9 +19354,9 @@
 "https://github.com/danielbohannon/Invoke-Obfuscation",
 "https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand",
 "https://redcanary.com/threat-detection-report/techniques/powershell/",
- "https://twitter.com/rfackroyd/status/1639136000755765254",
 "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
- "https://www.akamai.com/blog/security/catch-me-if-you-can-javascript-obfuscation"
+ "https://www.akamai.com/blog/security/catch-me-if-you-can-javascript-obfuscation",
+ "https://x.com/rfackroyd/status/1639136000755765254"
 ]
 },
 "related": [
@@ -19198,21 +19373,19 @@
 "meta": {
 "external_id": "T1021.007",
 "kill_chain": [
- "attack-Office-365:lateral-movement",
- "attack-Azure-AD:lateral-movement",
 "attack-SaaS:lateral-movement",
 "attack-IaaS:lateral-movement",
- "attack-Google-Workspace:lateral-movement"
+ "attack-Office-Suite:lateral-movement",
+ "attack-Identity-Provider:lateral-movement"
 ],
 "mitre_data_sources": [
 "Logon Session: Logon Session Creation"
 ],
 "mitre_platforms": [
- "Office 365",
- "Azure AD",
 "SaaS",
 "IaaS",
- "Google Workspace"
+ "Office Suite",
+ "Identity Provider"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1021/007"
@@ -19433,45 +19606,41 @@
 "external_id": "T1078.001",
 "kill_chain": [
 "attack-Windows:defense-evasion",
- "attack-Azure-AD:defense-evasion",
- "attack-Office-365:defense-evasion",
 "attack-SaaS:defense-evasion",
 "attack-IaaS:defense-evasion",
 "attack-Linux:defense-evasion",
 "attack-macOS:defense-evasion",
- "attack-Google-Workspace:defense-evasion",
 "attack-Containers:defense-evasion",
 "attack-Network:defense-evasion",
+ "attack-Office-Suite:defense-evasion",
+ "attack-Identity-Provider:defense-evasion",
 "attack-Windows:persistence",
- "attack-Azure-AD:persistence",
- "attack-Office-365:persistence",
 "attack-SaaS:persistence",
 "attack-IaaS:persistence",
 "attack-Linux:persistence",
 "attack-macOS:persistence",
- "attack-Google-Workspace:persistence",
 "attack-Containers:persistence",
 "attack-Network:persistence",
+ "attack-Office-Suite:persistence",
+ "attack-Identity-Provider:persistence",
 "attack-Windows:privilege-escalation",
- "attack-Azure-AD:privilege-escalation",
- "attack-Office-365:privilege-escalation",
 "attack-SaaS:privilege-escalation",
 "attack-IaaS:privilege-escalation",
 "attack-Linux:privilege-escalation",
 "attack-macOS:privilege-escalation",
- "attack-Google-Workspace:privilege-escalation",
 "attack-Containers:privilege-escalation",
 "attack-Network:privilege-escalation",
+ "attack-Office-Suite:privilege-escalation",
+ "attack-Identity-Provider:privilege-escalation",
 "attack-Windows:initial-access",
- "attack-Azure-AD:initial-access",
- "attack-Office-365:initial-access",
 "attack-SaaS:initial-access",
 "attack-IaaS:initial-access",
 "attack-Linux:initial-access",
 "attack-macOS:initial-access",
- "attack-Google-Workspace:initial-access",
 "attack-Containers:initial-access",
- "attack-Network:initial-access"
+ "attack-Network:initial-access",
+ "attack-Office-Suite:initial-access",
+ "attack-Identity-Provider:initial-access"
 ],
 "mitre_data_sources": [
 "Logon Session: Logon Session Creation",
@@ -19479,15 +19648,14 @@
 ],
 "mitre_platforms": [
 "Windows",
- "Azure AD",
- "Office 365",
 "SaaS",
 "IaaS",
 "Linux",
 "macOS",
- "Google Workspace",
 "Containers",
- "Network"
+ "Network",
+ "Office Suite",
+ "Identity Provider"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1078/001",
@@ -19545,7 +19713,7 @@
 "value": "Local Account - T1087.001"
 },
 {
- "description": "An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs) \n\nWhile [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).",
+ "description": "An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). 
Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and .reg.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs) \n\nWhile [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).",
 "meta": {
 "external_id": "T1204.002",
 "kill_chain": [
@@ -19768,6 +19936,42 @@
 "uuid": "51636761-2e35-44bf-9e56-e337adf97174",
 "value": "Software Packing - T1406.002"
 },
+ {
+ "description": "Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)\n\nWhile local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)\n\nIn Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)\n\nMutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)",
+ "meta": {
+ "external_id": "T1480.002",
+ "kill_chain": [
+ "attack-Windows:defense-evasion",
+ "attack-Linux:defense-evasion",
+ "attack-macOS:defense-evasion"
+ ],
+ "mitre_data_sources": [
+ "File: File Creation",
+ "Process: OS API Execution"
+ ],
+ "mitre_platforms": [
+ "Windows",
+ "Linux",
+ "macOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1480/002",
+ "https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/",
+ "https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/",
+ "https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes",
+ "https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game",
+ "https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "49fca0d2-685d-41eb-8bd4-05451cc3a742",
+ "value": "Mutual Exclusion - T1480.002"
+ },
 {
 "description": "Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks. \n\nAdversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary. ",
 "meta": {
@@ -19800,16 +20004,15 @@
 "value": "Transport Agent - T1505.002"
 },
 {
- "description": "An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter value of the conditions ... element in a token. This value can be changed using the AccessTokenLifetime in a LifetimeTokenPolicy.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)\n\nAn adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.\n\nAn adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. 
This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)",
+ "description": "An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter value of the conditions ... element in a token. This value can be changed using the AccessTokenLifetime in a LifetimeTokenPolicy.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)\n\nAn adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.\n\nAn adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account. 
This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)",
 "meta": {
 "external_id": "T1606.002",
 "kill_chain": [
- "attack-Azure-AD:credential-access",
 "attack-SaaS:credential-access",
 "attack-Windows:credential-access",
- "attack-Office-365:credential-access",
- "attack-Google-Workspace:credential-access",
- "attack-IaaS:credential-access"
+ "attack-IaaS:credential-access",
+ "attack-Office-Suite:credential-access",
+ "attack-Identity-Provider:credential-access"
 ],
 "mitre_data_sources": [
 "Logon Session: Logon Session Creation",
@@ -19820,12 +20023,11 @@
 "Web Credential: Web Credential Usage"
 ],
 "mitre_platforms": [
- "Azure AD",
 "SaaS",
 "Windows",
- "Office 365",
- "Google Workspace",
- "IaaS"
+ "IaaS",
+ "Office Suite",
+ "Identity Provider"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1606/002",
@@ -19865,9 +20067,9 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1027/006",
 "https://outflank.nl/blog/2018/08/14/html-smuggling-explained/",
- "https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/",
 "https://www.menlosecurity.com/blog/new-attack-alert-duri",
- "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
+ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+ "https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/"
 ]
 },
 "related": [
@@ -19988,7 +20190,7 @@
 "value": "Domain Accounts - T1078.002"
 },
 {
- "description": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.\n\nCommands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) ",
+ "description": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.\n\nCommands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) ",
 "meta": {
 "external_id": "T1087.002",
 "kill_chain": [
@@ -20138,7 +20340,7 @@
 "value": "RC Scripts - T1037.004"
 },
 {
- "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)), though at.exe can not access tasks created with schtasks or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. 
Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments) ",
+ "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). 
Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments) ",
 "meta": {
 "external_id": "T1053.005",
 "kill_chain": [
@@ -20163,12 +20365,14 @@
 "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events",
 "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md",
 "https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen",
+ "https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder",
 "https://technet.microsoft.com/en-us/sysinternals/bb963902",
 "https://technet.microsoft.com/library/dd315590.aspx",
- "https://twitter.com/leoloobeek/status/939248813465853953",
 "https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/",
- "https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain"
+ "https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain",
+ "https://x.com/leoloobeek/status/939248813465853953"
 ]
 },
 "related": [
@@ -20296,11 +20500,10 @@
 "meta": {
 "external_id": "T1069.003",
 "kill_chain": [
- "attack-Azure-AD:discovery",
- "attack-Office-365:discovery",
 "attack-SaaS:discovery",
 "attack-IaaS:discovery",
- "attack-Google-Workspace:discovery"
+ "attack-Office-Suite:discovery",
+ "attack-Identity-Provider:discovery"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
@@ -20310,11 +20513,10 @@ "Process: Process Creation" ], "mitre_platforms": [ - "Azure AD", - "Office 365", "SaaS", "IaaS", - "Google Workspace" + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1069/003", 
@@ -20337,13 +20539,12 @@ "value": "Cloud Groups - T1069.003" }, { - "description": "Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)\n\nIn on-premises Exchange and Exchange Online, theGet-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)\n\nIn Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)", + "description": "Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)\n\nIn on-premises Exchange and Exchange Online, the Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)\n\nIn Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)", "meta": { "external_id": "T1087.003", "kill_chain": [ "attack-Windows:discovery", - "attack-Office-365:discovery", - "attack-Google-Workspace:discovery" + "attack-Office-Suite:discovery" ], "mitre_data_sources": [ "Command: Command Execution", 
@@ -20351,8 +20552,7 @@ ], "mitre_platforms": [ "Windows", - "Office 365", - "Google Workspace" + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1087/003", @@ -20522,26 +20722,22 @@ "meta": { "external_id": "T1078.004", "kill_chain": [ - "attack-Azure-AD:defense-evasion", - "attack-Office-365:defense-evasion", "attack-SaaS:defense-evasion", "attack-IaaS:defense-evasion", - "attack-Google-Workspace:defense-evasion", - "attack-Azure-AD:persistence", - "attack-Office-365:persistence", + "attack-Office-Suite:defense-evasion", + "attack-Identity-Provider:defense-evasion", "attack-SaaS:persistence", "attack-IaaS:persistence", - "attack-Google-Workspace:persistence", - "attack-Azure-AD:privilege-escalation", - "attack-Office-365:privilege-escalation", + "attack-Office-Suite:persistence", + "attack-Identity-Provider:persistence", "attack-SaaS:privilege-escalation", "attack-IaaS:privilege-escalation", - "attack-Google-Workspace:privilege-escalation", - "attack-Azure-AD:initial-access", - "attack-Office-365:initial-access", + "attack-Office-Suite:privilege-escalation", + "attack-Identity-Provider:privilege-escalation", "attack-SaaS:initial-access", "attack-IaaS:initial-access", - "attack-Google-Workspace:initial-access" + "attack-Office-Suite:initial-access", + "attack-Identity-Provider:initial-access" ], "mitre_data_sources": [ "Logon Session: Logon Session Creation", @@ -20549,11 +20745,10 @@ "User Account: User Account Authentication" ], "mitre_platforms": [ - "Azure AD", - "Office 365", "SaaS", "IaaS", - "Google Workspace" + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1078/004", 
@@ -20576,21 +20771,19 @@ "meta": { "external_id": "T1087.004", "kill_chain": [ - "attack-Azure-AD:discovery", - "attack-Office-365:discovery", "attack-SaaS:discovery", "attack-IaaS:discovery", - "attack-Google-Workspace:discovery" + "attack-Office-Suite:discovery", + "attack-Identity-Provider:discovery" ], "mitre_data_sources": [ "Command: Command Execution" ], "mitre_platforms": [ - "Azure AD", - "Office 365", "SaaS", "IaaS", - "Google Workspace" + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1087/004", 
@@ -20747,16 +20940,14 @@ "value": "Link Target - T1608.005" }, { - "description": "Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.\n\nMFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly, an adversary with existing access to a network may register a device to Azure AD and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Azure AD tenant by registering a large number of devices.(Citation: AADInternals - BPRT)", + "description": "Adversaries may register a device to an adversary-controlled account. 
Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.\n\nMFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly, an adversary with existing access to a network may register a device to Entra ID and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Entra ID tenant by registering a large number of devices.(Citation: AADInternals - BPRT)", "meta": { "external_id": "T1098.005", "kill_chain": [ - "attack-Azure-AD:persistence", "attack-Windows:persistence", - "attack-SaaS:persistence", - "attack-Azure-AD:privilege-escalation", + "attack-Identity-Provider:persistence", "attack-Windows:privilege-escalation", - "attack-SaaS:privilege-escalation" + 
"attack-Identity-Provider:privilege-escalation" ], "mitre_data_sources": [ "Active Directory: Active Directory Object Creation", @@ -20764,9 +20955,8 @@ "User Account: User Account Modification" ], "mitre_platforms": [ - "Azure AD", "Windows", - "SaaS" + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1098/005", @@ -20795,20 +20985,18 @@ "external_id": "T1059.009", "kill_chain": [ "attack-IaaS:execution", - "attack-Azure-AD:execution", - "attack-Office-365:execution", "attack-SaaS:execution", - "attack-Google-Workspace:execution" + "attack-Office-Suite:execution", + "attack-Identity-Provider:execution" ], "mitre_data_sources": [ "Command: Command Execution" ], "mitre_platforms": [ "IaaS", - "Azure AD", - "Office 365", "SaaS", - "Google Workspace" + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1059/009", 
@@ -20825,7 +21013,7 @@ "value": "Cloud API - T1059.009" }, { - "description": "Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)\n\nTo help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)\n\nAdversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)\n\nSEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)", + "description": "Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. 
Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)\n\nTo help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)\n\nIn addition to internet search engines (such as Google), adversaries may also aim to manipulate specific in-site searches for developer platforms (such as GitHub) to deceive users towards [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) lures. In-site searches will rank search results according to their own algorithms and metrics such as popularity(Citation: Chexmarx-seo) which may be targeted and gamed by malicious actors.(Citation: Checkmarx-oss-seo)\n\nAdversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)\n\nSEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)", "meta": { "external_id": "T1608.006", "kill_chain": [ 
@@ -20840,10 +21028,12 @@ "refs": [ "https://atlas-cybersecurity.com/cyber-threats/threat-actors-use-search-engine-optimization-tactics-to-redirect-traffic-and-install-malware/", "https://attack.mitre.org/techniques/T1608/006", + "https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/", "https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://www.malwarebytes.com/blog/news/2018/05/seo-poisoning-is-it-worth-it", - "https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0" + "https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0", + "https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7" ] }, "related": [ 
@@ -20914,23 +21104,30 @@ "value": "Symmetric Cryptography - T1521.001" }, { - "description": "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage.\n\nAdversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.\n\nSome forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\System32\\Wbem\\Repository`) or Registry (e.g., `%SystemRoot%\\System32\\Config`) physical files.(Citation: Microsoft Fileless) ", + "description": "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. 
Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) In Linux systems, shared memory directories such as `/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock` may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)\n\nSimilar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). 
Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.\n\nSome forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\System32\\Wbem\\Repository`) or Registry (e.g., `%SystemRoot%\\System32\\Config`) physical files.(Citation: Microsoft Fileless) ", "meta": { "external_id": "T1027.011", "kill_chain": [ - "attack-Windows:defense-evasion" + "attack-Windows:defense-evasion", + "attack-Linux:defense-evasion" ], "mitre_data_sources": [ + "Process: Process Creation", "WMI: WMI Creation", "Windows Registry: Windows Registry Key Creation" ], "mitre_platforms": [ - "Windows" + "Windows", + "Linux" ], "refs": [ "https://attack.mitre.org/techniques/T1027/011", "https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats", - "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/" + "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", + "https://sysdig.com/blog/containers-read-only-fileless-malware/", + "https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell", + "https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/", + "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html" ] }, "related": [ 
@@ -21078,7 +21275,7 @@ "value": "Control Panel - T1218.002" }, { - "description": "Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.\n\nOnce adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)\n\n**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories.", + "description": "Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.\n\nOnce adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or [Unsecured Credentials](https://attack.mitre.org/techniques/T1552) contained within software's source code. 
Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)\n\n**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories.", "meta": { "external_id": "T1213.003", "kill_chain": [ 
@@ -21106,6 +21303,39 @@ "uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", "value": "Code Repositories - T1213.003" }, + { + "description": "Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information. \n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on messaging applications: \n\n* Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008)) \n* Source code snippets \n* Links to network shares and other internal resources \n* Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022)\n* Discussions about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker 2021)(Citation: Microsoft DEV-0537)\n\nIn addition to exfiltrating data from messaging applications, adversaries may leverage data from chat messages in order to improve their targeting - for example, by learning more about an environment or evading ongoing incident response efforts.(Citation: Sentinel Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)", + "meta": { + "external_id": "T1213.005", + "kill_chain": [ + "attack-SaaS:collection", + "attack-Office-Suite:collection" + ], + "mitre_data_sources": [ + "Application Log: Application Log Content" + ], + "mitre_platforms": [ + "SaaS", + "Office Suite" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1213/005", + "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud", + "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/", + "https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms", + "https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/", + 
"https://www.theguardian.com/games/2022/sep/19/grand-theft-auto-6-leak-who-hacked-rockstar-and-what-was-stolen" + ] + }, + "related": [ + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "type": "subtechnique-of" + } + ], + "uuid": "fb75213f-cfb0-40bf-a02f-3bad93d6601e", + "value": "Messaging Applications - T1213.005" + }, { "description": "Adversaries may use [SSL Pinning](https://attack.mitre.org/techniques/T1521/003) to protect the C2 traffic from being intercepted and analyzed.\n\n[SSL Pinning](https://attack.mitre.org/techniques/T1521/003) is a technique commonly utilized by legitimate websites to ensure that encrypted communications are only allowed with a pre-defined certificate. If another certificate is presented, it could indicate device compromise, traffic interception, or another upstream issue. While benign usages are common, it is also possible for adversaries to abuse this technology to protect malicious C2 traffic.\n\nIn normal, not pinned SSL validation, when a client connects to a server using HTTPS, it typically checks whether the server’s SSL/TLS certificate is signed by a trusted Certificate Authority (CA) in the device’s trust store. If the certificate is valid and signed by a trusted CA, the connection is established. However, with [SSL Pinning](https://attack.mitre.org/techniques/T1521/003) , the client is configured to trust a specific SSL/TLS certificate or public key, rather than relying on the device’s trust store. This means that even if the server’s certificate is signed by a trusted CA, the client will only establish the connection of the certificate or key is pinned.\n\nThere are two types of [SSL Pinning](https://attack.mitre.org/techniques/T1521/003) :\n\n1.\tCertificate Pinning: The client stores a copy of the server’s certificate and compares it with the certificate received during the SSL handshake. If the certificates match, then the client proceeds with the connection. 
This approach also works with self-signed certificates.\n\n2.\tPublic Key Pinning: Instead of pinning the entire certificate, the client pins just the public key extracted from the certificate. This is often more flexible, as it allows the server to renew its certificate without having to update the pinned certificate or breaking the SSL connection.", "meta": { @@ -21197,7 +21427,7 @@ "external_id": "T1137.002", "kill_chain": [ "attack-Windows:persistence", - "attack-Office-365:persistence" + "attack-Office-Suite:persistence" ], "mitre_data_sources": [ "Command: Command Execution", @@ -21210,7 +21440,7 @@ ], "mitre_platforms": [ "Windows", - "Office 365" + "Office Suite" ], "refs": [ "http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/", 
@@ -21289,6 +21519,42 @@ "uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "value": "Broadcast Receivers - T1624.001" }, + { + "description": "Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution.(Citation: polymorphic-blackberry) With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools.(Citation: polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction with polymorphic code to accomplish the intended effects, including using mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation: polymorphic-medium)\n", + "meta": { + "external_id": "T1027.014", + "kill_chain": [ + "attack-Windows:defense-evasion", + "attack-macOS:defense-evasion", + "attack-Linux:defense-evasion" + ], + "mitre_data_sources": [ + "Application Log: Application Log Content", + "File: File Creation", + "File: File Metadata" + ], + "mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1027/014", + "https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035", + "https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware", + "https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc", + "https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware" + ] + }, + "related": [ + { + 
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "type": "subtechnique-of" + } + ], + "uuid": "b577dfc1-0177-4522-8d5a-782127c8592b", + "value": "Polymorphic Code - T1027.014" + }, { "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ", "meta": { @@ -21371,9 +21637,9 @@ "Windows" ], "refs": [ - "http://www.autosectools.com/process-hollowing.pdf", "https://attack.mitre.org/techniques/T1055/012", "https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/", + "https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf", "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode" ] 
@@ -21455,21 +21721,19 @@ "meta": { "external_id": "T1136.003", "kill_chain": [ - "attack-Azure-AD:persistence", - "attack-Office-365:persistence", "attack-IaaS:persistence", - "attack-Google-Workspace:persistence", - "attack-SaaS:persistence" + "attack-SaaS:persistence", + "attack-Office-Suite:persistence", + "attack-Identity-Provider:persistence" ], "mitre_data_sources": [ "User Account: User Account Creation" ], "mitre_platforms": [ - "Azure AD", - "Office 365", "IaaS", - "Google Workspace", - "SaaS" + "SaaS", + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1136/003", @@ -21524,7 +21788,7 @@ "external_id": "T1137.003", "kill_chain": [ "attack-Windows:persistence", - "attack-Office-365:persistence" + "attack-Office-Suite:persistence" ], "mitre_data_sources": [ "Application Log: Application Log Content", @@ -21533,7 +21797,7 @@ ], "mitre_platforms": [ "Windows", - "Office 365" + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1137/003", @@ -21789,7 +22053,7 @@ "external_id": "T1137.005", "kill_chain": [ "attack-Windows:persistence", - "attack-Office-365:persistence" + "attack-Office-Suite:persistence" ], "mitre_data_sources": [ "Application Log: Application Log Content", @@ -21798,7 +22062,7 @@ ], "mitre_platforms": [ "Windows", - "Office 365" + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1137/005", @@ -21955,8 +22219,8 @@ "Windows" ], "refs": [ - "http://msdn.microsoft.com/en-us/library/dd183341", "https://attack.mitre.org/techniques/T1547/010", + "https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor", "https://technet.microsoft.com/en-us/sysinternals/bb963902", "https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf" ] 
@@ -21994,6 +22258,51 @@ "uuid": "cc723aff-ec88-40e3-a224-5af9fd983cc4", "value": "Identify Roles - T1591.004" }, + { + "description": "Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. \n\nOne common purpose for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001) is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001) and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners)", + "meta": { + "external_id": "T1496.001", + "kill_chain": [ + "attack-Windows:impact", + "attack-IaaS:impact", + "attack-Linux:impact", + "attack-macOS:impact", + "attack-Containers:impact" + ], + "mitre_data_sources": [ + "Command: Command Execution", + "File: File Creation", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "Process: Process Creation", + "Sensor Health: Host Status" + ], + "mitre_platforms": [ + "Windows", + "IaaS", + 
"Linux", + "macOS", + "Containers" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1496/001", + "https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc", + "https://securelist.com/lazarus-under-the-hood/77908/", + "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/", + "https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html", + "https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html" + ] + }, + "related": [ + { + "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "type": "subtechnique-of" + } + ], + "uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "value": "Compute Hijacking - T1496.001" + }, { "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nSpecific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. 
Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. Once executed, malware may also use [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) to check if it was saved in a folder or file with unexpected or even analysis-related naming artifacts such as `malware`, `sample`, or `hash`.\n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. \n \nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)", "meta": { @@ -22018,7 +22327,7 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1497/001", - "https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc", + "https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/" ] 
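Review bot: The `Deloitte Environment Awareness` citation in the T1497.001 `refs` is changed only from the bare Google Drive file URL to its `/edit` form; a Drive link stays access-controlled and non-archival, so the reference can go dark without any change in this file. The other link-rot fixes in this commit use `https://web.archive.org/web/<timestamp>/<url>` snapshots, and the same treatment fits here if the document is publicly archivable. As with every `refs` list in this file the entries mirror upstream `external_references`, so the change belongs in mitre/cti rather than here. The new Compute Hijacking object that ends earlier on this line appears internally consistent (single `subtechnique-of` link to `cd25c1b4-…` and alphabetically ordered `refs`); it begins two lines up.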
@@ -22089,7 +22398,7 @@
 "https://attack.mitre.org/techniques/T1566/001",
 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide",
 "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/",
- "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf",
+ "https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf",
 "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
 ]
 },
@@ -22120,9 +22429,9 @@
 "https://attack.mitre.org/techniques/T1578/001",
 "https://cloud.google.com/compute/docs/instances/create-start-instance#api_2",
 "https://cloud.google.com/logging/docs/audit#admin-activity",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
 "https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html",
- "https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor"
+ "https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor",
+ "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
 ]
 },
 "related": [
@@ -22307,8 +22616,8 @@
 "macOS"
 ],
 "refs": [
- "http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way",
- "https://attack.mitre.org/techniques/T1552/003"
+ "https://attack.mitre.org/techniques/T1552/003",
+ "https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418"
 ]
 },
 "related": [
@@ -22457,8 +22766,8 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1593/002",
- "https://securitytrails.com/blog/google-hacking-techniques",
- "https://www.exploit-db.com/google-hacking-database"
+ "https://www.exploit-db.com/google-hacking-database",
+ "https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks"
 ]
 },
 "related": [
@@ -22497,16 +22806,14 @@ "value": "Call Log - T1636.002" }, { - "description": "Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\n\nManipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD) environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002) without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. 
An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) \n\nAn adversary may also add a new federated identity provider to an identity tenant such as Okta, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023)", + "description": "Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\n\nManipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD) environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002) without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. 
An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) \n\nAn adversary may also add a new federated identity provider to an identity tenant such as Okta or AWS IAM Identity Center, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to gain broad access into a variety of cloud-based services that leverage the identity tenant. For example, in AWS environments, an adversary that creates a new identity provider for an AWS Organization will be able to federate into all of the AWS Organization member accounts without creating identities for each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)", "meta": { "external_id": "T1484.002", "kill_chain": [ "attack-Windows:defense-evasion", - "attack-Azure-AD:defense-evasion", - "attack-SaaS:defense-evasion", + "attack-Identity-Provider:defense-evasion", "attack-Windows:privilege-escalation", - "attack-Azure-AD:privilege-escalation", - "attack-SaaS:privilege-escalation" + "attack-Identity-Provider:privilege-escalation" ], "mitre_data_sources": [ "Active Directory: Active Directory Object Creation", @@ -22516,8 +22823,7 @@ ], "mitre_platforms": [ "Windows", - "Azure AD", - "SaaS" + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1484/002", 
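Review bot: The regenerated T1484.002 description still carries two upstream text defects that the refresh copies through: `privileges.Trust details` is missing a space after the period, and the citation key reads `AADInternals zure AD Federated Domain` (`zure` for `Azure`). Because `clusters/mitre-attack-pattern.json` is produced from mitre/cti, patching the string here would be undone on the next run; the fix is an upstream issue or PR, and it is worth confirming the misspelled citation key still resolves upstream so the reference is not silently dropped. The platform narrowing from Windows/Azure AD/SaaS to Windows/Identity Provider in the second hunk is consistent with the new Okta and AWS IAM Identity Center wording. The first hunk begins on the two preceding lines.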
@@ -22525,6 +22831,7 @@
 "https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365",
 "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml",
 "https://o365blog.com/post/federation-vulnerability/",
+ "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
 "https://www.sygnia.co/golden-saml-advisory"
@@ -22575,7 +22882,7 @@ "value": "TFTP Boot - T1542.005" }, { - "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. \n\nAdversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)\n\nWhen a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)\n\nOn network devices, private keys may be exported via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `crypto pki export`.(Citation: cisco_deploy_rsa_keys) \n\nSome private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.", + "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. 
Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. \n\nAdversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)\n\nOn network devices, private keys may be exported via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `crypto pki export`.(Citation: cisco_deploy_rsa_keys) \n\nSome private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.", "meta": { "external_id": "T1552.004", "kill_chain": [ 
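Review bot: The Windows key path in this description renders here as `C:\Users\(username)\.ssh\`; if the file really held single backslashes, `\U`, `\(` and `\.` are not valid JSON escapes and a strict parser would reject the whole cluster file, whereas `\\`-escaped backslashes parse fine. The text predates this commit and the doubling has most likely been collapsed by the rendering, but a regeneration that rewrites several thousand lines should be gated by a parse step such as `jq -e . clusters/mitre-attack-pattern.json` (or the repository's validation scripts, if present) before merge. The body now says `Entra ID` while the `refs` and citation title still say `Azure AD`; that is upstream wording and fine to leave. The hunk begins on the previous line.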
@@ -22598,9 +22905,9 @@
 "https://aadinternals.com/post/deviceidentity/",
 "https://attack.mitre.org/techniques/T1552/004",
 "https://en.wikipedia.org/wiki/Public-key_cryptography",
- "https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf",
 "https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token",
 "https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/",
+ "https://web.archive.org/web/20141031134104/http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf",
 "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-17/sec-pki-xe-17-book/sec-deploy-rsa-pki.html#GUID-1CB802D8-9DE3-447F-BECE-CF22F5E11436"
 ]
 },
@@ -22745,19 +23052,57 @@ "uuid": "774ad5bb-2366-4c13-a8a9-65e50b292e7c", "value": "Client Configurations - T1592.004" }, + { + "description": "Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. \n\nAdversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking) Finally, they may engage in internet-wide scanning in order to identify additional targets for compromise.(Citation: Unit 42 Leaked Environment Variables 2024)\n\nIn addition to incurring potential financial costs or availability disruptions, this technique may cause reputational damage if a victim’s bandwidth is used for illegal activities.(Citation: Sysdig Proxyjacking)", + "meta": { + "external_id": "T1496.002", + "kill_chain": [ + "attack-Linux:impact", + "attack-Windows:impact", + "attack-macOS:impact", + "attack-IaaS:impact", + "attack-Containers:impact" + ], + "mitre_data_sources": [ + "Command: Command Execution", + "File: File Creation", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "Process: Process Creation" + ], + "mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "IaaS", + "Containers" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1496/002", + "https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/", + "https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/", + "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + ] + }, + "related": [ + { + "dest-uuid": 
"cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "type": "subtechnique-of" + } + ], + "uuid": "718cb208-6446-4572-a2f0-9c799c60091e", + "value": "Bandwidth Hijacking - T1496.002" + }, { "description": "Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.\n\nReflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depending upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. 
Two prominent protocols that have enabled Reflection Amplification Floods are DNS(Citation: Cloudflare DNSamplficationDoS) and NTP(Citation: Cloudflare NTPamplifciationDoS), though the use of several others in the wild have been documented.(Citation: Arbor AnnualDoSreport Jan 2018) In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.(Citation: Cloudflare Memcrashed Feb 2018)", "meta": { "external_id": "T1498.002", "kill_chain": [ "attack-Windows:impact", - "attack-Azure-AD:impact", - "attack-Office-365:impact", - "attack-SaaS:impact", "attack-IaaS:impact", "attack-Linux:impact", - "attack-macOS:impact", - "attack-Google-Workspace:impact" + "attack-macOS:impact" ], "mitre_data_sources": [ "Network Traffic: Network Traffic Flow", @@ -22765,13 +23110,9 @@ ], "mitre_platforms": [ "Windows", - "Azure AD", - "Office 365", - "SaaS", "IaaS", "Linux", - "macOS", - "Google Workspace" + "macOS" ], "refs": [ "https://attack.mitre.org/techniques/T1498/002", @@ -22810,9 +23151,9 @@ ], "refs": [ "http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain", - "http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way", "https://attack.mitre.org/techniques/T1555/002", "https://developer.apple.com/library/archive/documentation/Security/Conceptual/Security_Overview/Architecture/Architecture.html", + "https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418", "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/" ] }, 
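Review bot: In the new T1496.002 object `kill_chain` and `mitre_platforms` are emitted in upstream order (`Linux, Windows, macOS, IaaS, Containers`), while the sibling T1496.001 added earlier in this chunk lists the same five platforms as `Windows, IaaS, Linux, macOS, Containers`; the `refs` arrays in both objects are sorted. Sorting `kill_chain` and `mitre_platforms` in the generator, as is already done for `refs`, would make these arrays order-stable and shrink future upstream refreshes to genuine content changes. That is a generator change, not an edit to this file. The second hunk on this line, which strips the SaaS-type platforms from T1498.002, is consistent with the platform consolidation seen elsewhere in the commit; the first hunk begins two lines up.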
@@ -22886,17 +23227,15 @@
 "meta": {
 "external_id": "T1552.008",
 "kill_chain": [
- "attack-Office-365:credential-access",
 "attack-SaaS:credential-access",
- "attack-Google-Workspace:credential-access"
+ "attack-Office-Suite:credential-access"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content"
 ],
 "mitre_platforms": [
- "Office 365",
 "SaaS",
- "Google Workspace"
+ "Office Suite"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1552/008",
@@ -23015,9 +23354,9 @@
 "attack-Linux:initial-access",
 "attack-macOS:initial-access",
 "attack-Windows:initial-access",
- "attack-Office-365:initial-access",
 "attack-SaaS:initial-access",
- "attack-Google-Workspace:initial-access"
+ "attack-Identity-Provider:initial-access",
+ "attack-Office-Suite:initial-access"
 ],
 "mitre_data_sources": [
 "Application Log: Application Log Content",
@@ -23028,16 +23367,16 @@
 "Linux",
 "macOS",
 "Windows",
- "Office 365",
 "SaaS",
- "Google Workspace"
+ "Identity Provider",
+ "Office Suite"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1566/002",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks",
 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide",
 "https://us-cert.cisa.gov/ncas/tips/ST05-016",
- "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf",
+ "https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf",
 "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse",
 "https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/",
 "https://www.netskope.com/blog/new-phishing-attacks-exploiting-oauth-authorization-flows-part-1",
@@ -23162,7 +23501,7 @@
 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide",
 "https://github.com/ryhanson/phishery",
 "https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/",
- "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf"
+ "https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf"
 ]
 },
 "related": [
@@ -23443,6 +23782,35 @@ "uuid": "c6421411-ae61-42bb-9098-73fddb315002", "value": "SMS Messages - T1636.004" }, + { + "description": "Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)\n\nThreat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.(Citation: Twilio SMS Pumping)(Citation: AWS RE:Inforce Threat Detection 2024) In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.(Citation: Twilio SMS Pumping)", + "meta": { + "external_id": "T1496.003", + "kill_chain": [ + "attack-SaaS:impact" + ], + "mitre_data_sources": [ + "Application Log: Application Log Content" + ], + "mitre_platforms": [ + "SaaS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1496/003", + "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf", + "https://www.twilio.com/docs/glossary/what-is-sms-pumping-fraud", + "https://www.twilio.com/en-us/blog/sms-pumping-fraud-solutions" + ] + }, + "related": [ + { + "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "type": "subtechnique-of" + } + ], + "uuid": "130d4494-b2d6-4040-bcea-6e59f05222fe", + "value": "SMS Pumping - T1496.003" + }, { "description": "Adversaries may redirect network traffic to 
adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).\n\nDHCP is based on a client-server model and has two functionalities: a protocol for providing network configuration settings from a DHCP server to a client and a mechanism for allocating network addresses to clients.(Citation: rfc2131) The typical server-client interaction is as follows: \n\n1. The client broadcasts a `DISCOVER` message.\n\n2. The server responds with an `OFFER` message, which includes an available network address. \n\n3. The client broadcasts a `REQUEST` message, which includes the network address offered. \n\n4. The server acknowledges with an `ACK` message and the client receives the network configuration parameters.\n\nAdversaries may spoof as a rogue DHCP server on the victim network, from which legitimate hosts may receive malicious network configurations. 
For example, malware can act as a DHCP server and provide adversary-owned DNS servers to the victimized computers.(Citation: new_rogue_DHCP_serv_malware)(Citation: w32.tidserv.g) Through the malicious network configurations, an adversary may achieve the AiTM position, route client traffic through adversary-controlled systems, and collect information from the client network.\n\nDHCPv6 clients can receive network configuration information without being assigned an IP address by sending a INFORMATION-REQUEST (code 11) message to the All_DHCP_Relay_Agents_and_Servers multicast address.(Citation: rfc3315) Adversaries may use their rogue DHCP server to respond to this request message with malicious network configurations.\n\nRather than establishing an AiTM position, adversaries may also abuse DHCP spoofing to perform a DHCP exhaustion attack (i.e, [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)) by generating many broadcast DISCOVER messages to exhaust a network’s DHCP allocation pool. ", "meta": { @@ -23471,8 +23839,8 @@ "https://datatracker.ietf.org/doc/html/rfc3315", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800668(v=ws.11)", "https://isc.sans.edu/forums/diary/new+rogueDHCP+server+malware/6025/", - "https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/", - "https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2" + "https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2", + "https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/" ] }, "related": [ 
@@ -23568,7 +23936,7 @@ "value": "Wordlist Scanning - T1595.003" }, { - "description": "Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)\n\nA variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)", + "description": "Adversaries may compromise cloud accounts that can be used during targeting. 
Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)\n\nA variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)", "meta": { "external_id": "T1586.003", "kill_chain": [ 
@@ -23580,7 +23948,9 @@ "refs": [ "https://attack.mitre.org/techniques/T1586/003", "https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/", - "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" + "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/", + "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/", + "https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/" ] }, "related": [ @@ -23717,7 +24087,7 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1589/003", - "https://www.opm.gov/cybersecurity/cybersecurity-incidents/" + "https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/" ] }, "related": [ @@ -23752,7 +24122,7 @@ "https://iapp.org/resources/article/web-beacon/", "https://mrd0x.com/browser-in-the-browser-phishing-attack/", "https://therecord.media/phishing-campaign-used-qr-codes-to-target-energy-firm", - "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf", + "https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf", "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse", "https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages", "https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf", 
@@ -23808,6 +24178,38 @@ "uuid": "fc742192-19e3-466c-9eb5-964a97b29490", "value": "Dylib Hijacking - T1574.004" }, + { + "description": "Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi network, fraudulent Wi-Fi access points may trick devices or users into connecting to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium evil twin) Adversaries may provide a stronger signal strength or block access to Wi-Fi access points to coerce or entice victim devices into connecting to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple – a network security auditing and penetration testing tool – may be deployed in Evil Twin attacks for ease of use and broader range. Custom certificates may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries may also listen for client devices sending probe requests for known or previously connected networks (Preferred Network Lists or PNLs). When a malicious access point receives a probe request, adversaries can respond with the same SSID to imitate the trusted, known network.(Citation: specter ops evil twin) Victim devices are led to believe the responding access point is from their PNL and initiate a connection to the fraudulent network.\n\nUpon logging into the malicious Wi-Fi access point, a user may be directed to a fake login page or captive portal webpage to capture the victim’s credentials. Once a user is logged into the fraudulent Wi-Fi network, the adversary may able to monitor network activity, manipulate data, or steal additional credentials. 
Locations with high concentrations of public Wi-Fi access, such as airports, coffee shops, or libraries, may be targets for adversaries to set up illegitimate Wi-Fi access points. ", + "meta": { + "external_id": "T1557.004", + "kill_chain": [ + "attack-Network:credential-access", + "attack-Network:collection" + ], + "mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "mitre_platforms": [ + "Network" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1557/004", + "https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59", + "https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee", + "https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks", + "https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/" + ] + }, + "related": [ + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "subtechnique-of" + } + ], + "uuid": "48b836c6-e4ca-435a-82a3-29c03e5b492e", + "value": "Evil Twin - T1557.004" + }, { "description": "Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.\n\nAdversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. 
Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)", "meta": { @@ -23849,9 +24251,7 @@ "attack-Linux:initial-access", "attack-macOS:initial-access", "attack-Windows:initial-access", - "attack-Office-365:initial-access", - "attack-SaaS:initial-access", - "attack-Google-Workspace:initial-access" + "attack-Identity-Provider:initial-access" ], "mitre_data_sources": [ "Application Log: Application Log Content" @@ -23860,9 +24260,7 @@ "Linux", "macOS", "Windows", - "Office 365", - "SaaS", - "Google Workspace" + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1566/004", 
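Review bot: The new Evil Twin (T1557.004) description carries an upstream grammar slip, `the adversary may able to monitor network activity` should read `may be able to`, and its string ends with a trailing space after `access points.`. The same pattern recurs in other entries imported by this commit: the TCC (T1548.006) description at L181 ends with `\n\n`, the Ccache Files (T1558.005) description at L183 opens with a literal `\n`, and the User Execution (T1204) description at L195 has `Coerceing` for `Coercing`. Since these clusters are generated from mitre/cti, the wording is best corrected upstream, or by trimming descriptions in the import step if that script normalizes strings, rather than hand-edited here where the next regeneration would undo it. There is no functional impact on consumers, but these strings are what MISP shows to analysts.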
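Review bot: The kill_chain tag values change here from `attack-Office-365:initial-access` / `attack-SaaS:initial-access` / `attack-Google-Workspace:initial-access` to `attack-Identity-Provider:initial-access`, and the matching mitre_platforms list in the following hunk on L178 (`@@ -23860`) drops `Office 365`, `SaaS` and `Google Workspace` for `Identity Provider`; the same platform consolidation recurs in the hunks at L186–L187, L190 and L193. Any downstream filter, correlation rule or dashboard keyed on the old tag strings (`attack-Azure-AD:*`, `attack-Office-365:*`, `attack-Google-Workspace:*`) will silently stop matching after this import rather than fail loudly. The data itself appears to follow the upstream ATT&CK platform rename, but the commit message says only `updated to the latest version`; a sentence in the description naming the removed and added platform tags would let consumers update their mappings deliberately.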
@@ -23954,7 +24352,7 @@ "value": "Accessibility Features - T1546.008" }, { - "description": "Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to execute malicious applications with elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).\n\nWhen an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise abuse the TCC service to execute malicious content. This can be done in various ways, including using privileged system applications to execute malicious payloads or manipulating the database to grant their application TCC permissions. \n\nFor example, adversaries can use Finder, which has FDA permissions by default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) while preventing a user prompt. 
For a system without System Integrity Protection (SIP) enabled, adversaries have also manipulated the operating system to load an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055)) into targeted applications with the desired TCC permissions.\n", + "description": "Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).\n\nWhen an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)\n\nAdversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). 
When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)\n\n", "meta": { "external_id": "T1548.006", "kill_chain": [ @@ -24001,7 +24399,7 @@ "refs": [ "https://attack.mitre.org/techniques/T1584/006", "https://threatconnect.com/blog/infrastructure-research-hunting/", - "https://www.recordedfuture.com/turla-apt-infrastructure/" + "https://www.recordedfuture.com/research/turla-apt-infrastructure" ] }, "related": [ @@ -24164,7 +24562,7 @@ "https://attack.mitre.org/techniques/T1588/004", "https://letsencrypt.org/docs/faq/", "https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/", - "https://www.recordedfuture.com/cobalt-strike-servers/", + "https://www.recordedfuture.com/research/cobalt-strike-servers", "https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html" ] }, 
@@ -24308,28 +24706,59 @@ "value": "Reversible Encryption - T1556.005" }, { - "description": "Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. \n\nMany organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Azure AD includes three options for synchronizing identities between Active Directory and Azure AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Azure AD, allowing authentication to Azure AD to take place entirely in the cloud \n* Pass Through Authentication (PTA), in which Azure AD authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory \n* Active Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Azure AD \n\nAD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges. \n\nBy modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. 
For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService` process that authorizes all attempts to authenticate to Azure AD, as well as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation: AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary may edit the `Microsoft.IdentityServer.Servicehost` configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Azure AD tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Azure AD environment as any user.(Citation: Mandiant Azure AD Backdoors)", + "description": "\nAdversaries may attempt to steal Kerberos tickets stored in credential cache files (or ccache). These files are used for short term storage of a user's active session credentials. The ccache file is created upon user authentication and allows for access to multiple services without the user having to re-enter credentials. \n\nThe /etc/krb5.conf configuration file and the KRB5CCNAME environment variable are used to set the storage location for ccache entries. On Linux, credentials are typically stored in the `/tmp` directory with a naming format of `krb5cc_%UID%` or `krb5.ccache`. On macOS, ccache entries are stored by default in memory with an `API:{uuid}` naming scheme. 
Typically, users interact with ticket storage using kinit, which obtains a Ticket-Granting-Ticket (TGT) for the principal; klist, which lists obtained tickets currently held in the credentials cache; and other built-in binaries.(Citation: Kerberos GNU/Linux)(Citation: Binary Defense Kerberos Linux)\n\nAdversaries can collect tickets from ccache files stored on disk and authenticate as the current user without their password to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks. Adversaries can also use these tickets to impersonate legitimate users with elevated privileges to perform [Privilege Escalation](https://attack.mitre.org/tactics/TA0004). Tools like Kekeo can also be used by adversaries to convert ccache files to Windows format for further [Lateral Movement](https://attack.mitre.org/tactics/TA0008). On macOS, adversaries may use open-source tools or the Kerberos framework to interact with ccache files and extract TGTs or Service Tickets via lower-level APIs.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo) ", + "meta": { + "external_id": "T1558.005", + "kill_chain": [ + "attack-Linux:credential-access", + "attack-macOS:credential-access" + ], + "mitre_data_sources": [ + "File: File Access" + ], + "mitre_platforms": [ + "Linux", + "macOS" + ], + "refs": [ + "https://adepts.of0x.cc/kerberos-thievery-linux/", + "https://attack.mitre.org/techniques/T1558/005", + "https://github.com/gentilkiwi/kekeo", + "https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf", + "https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f", + "https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/", + "https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html" + ] + }, + 
"related": [ + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "subtechnique-of" + } + ], + "uuid": "394220d9-8efc-4252-9040-664f7b115be6", + "value": "Ccache Files - T1558.005" + }, + { + "description": "Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. \n\nMany organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Microsoft Entra ID includes three options for synchronizing identities between Active Directory and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Entra ID, allowing authentication to Entra ID to take place entirely in the cloud \n* Pass Through Authentication (PTA), in which Entra ID authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory \n* Active Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Entra ID \n\nAD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges. \n\nBy modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. 
For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService` process that authorizes all attempts to authenticate to Entra ID, as well as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation: AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary may edit the `Microsoft.IdentityServer.Servicehost` configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Entra ID tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Entra ID environment as any user.(Citation: Mandiant Azure AD Backdoors)", "meta": { "external_id": "T1556.007", "kill_chain": [ "attack-Windows:credential-access", - "attack-Azure-AD:credential-access", "attack-SaaS:credential-access", - "attack-Google-Workspace:credential-access", - "attack-Office-365:credential-access", "attack-IaaS:credential-access", + "attack-Office-Suite:credential-access", + "attack-Identity-Provider:credential-access", "attack-Windows:defense-evasion", - "attack-Azure-AD:defense-evasion", "attack-SaaS:defense-evasion", - "attack-Google-Workspace:defense-evasion", - "attack-Office-365:defense-evasion", "attack-IaaS:defense-evasion", + "attack-Office-Suite:defense-evasion", + "attack-Identity-Provider:defense-evasion", "attack-Windows:persistence", - "attack-Azure-AD:persistence", "attack-SaaS:persistence", - "attack-Google-Workspace:persistence", - "attack-Office-365:persistence", - "attack-IaaS:persistence" + "attack-IaaS:persistence", + 
"attack-Office-Suite:persistence", + "attack-Identity-Provider:persistence" ], "mitre_data_sources": [ "Application Log: Application Log Content", @@ -24339,11 +24768,10 @@ ], "mitre_platforms": [ "Windows", - "Azure AD", "SaaS", - "Google Workspace", - "Office 365", - "IaaS" + "IaaS", + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1556/007", @@ -24399,7 +24827,7 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1588/007", - "https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors", + "https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/", "https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/" ] }, 
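Review bot: The new Ccache Files (T1558.005) entry's refs include `https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html`, while the hunk at L197 in this same commit replaces a `content.fireeye.com` reference with its `mandiant.com` successor, which suggests the fireeye.com host is no longer treated as stable. It is worth checking that this URL still resolves and, if not, recording the mandiant.com or web.archive.org equivalent as the hunks at L175 do for other dead links. The description also opens with a literal `\n` and ends with a trailing space, unlike the neighbouring Hybrid Identity entry in the same hunk. Both issues come from the upstream STIX data, so the fix belongs there or in the import step rather than as a hand edit to this generated file.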
@@ -24700,6 +25128,37 @@ "uuid": "da051493-ae9c-4b1b-9760-c009c46c9b56", "value": "Installer Packages - T1546.016" }, + { + "description": "Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)\n\nAdversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. 
Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)", + "meta": { + "external_id": "T1546.017", + "kill_chain": [ + "attack-Linux:persistence", + "attack-Linux:privilege-escalation" + ], + "mitre_data_sources": [ + "File: File Modification", + "Process: Process Creation" + ], + "mitre_platforms": [ + "Linux" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1546/017", + "https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/", + "https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms" + ] + }, + "related": [ + { + "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", + "type": "subtechnique-of" + } + ], + "uuid": "f4c3f644-ab33-433d-8648-75cc03a95792", + "value": "Udev Rules - T1546.017" + }, { "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1270).\n\nPersonnel internally to a company may belong to a group or maintain a role with electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is a system administrator. (Citation: RSA-APTRecon)", "meta": { 
@@ -24881,7 +25340,7 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1497", - "https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc", + "https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit", "https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/" ] }, @@ -25142,8 +25601,7 @@ "attack-Windows:defense-evasion", "attack-Containers:defense-evasion", "attack-Network:defense-evasion", - "attack-Office-365:defense-evasion", - "attack-Google-Workspace:defense-evasion" + "attack-Office-Suite:defense-evasion" ], "mitre_data_sources": [ "Application Log: Application Log Content", @@ -25167,8 +25625,7 @@ "Windows", "Containers", "Network", - "Office 365", - "Google Workspace" + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1070" @@ -25241,15 +25698,14 @@ "external_id": "T1110", "kill_chain": [ "attack-Windows:credential-access", - "attack-Azure-AD:credential-access", - "attack-Office-365:credential-access", "attack-SaaS:credential-access", "attack-IaaS:credential-access", "attack-Linux:credential-access", "attack-macOS:credential-access", - "attack-Google-Workspace:credential-access", "attack-Containers:credential-access", - "attack-Network:credential-access" + "attack-Network:credential-access", + "attack-Office-Suite:credential-access", + "attack-Identity-Provider:credential-access" ], "mitre_data_sources": [ "Application Log: Application Log Content", @@ -25258,15 +25714,14 @@ ], "mitre_platforms": [ "Windows", - "Azure AD", - "Office 365", "SaaS", "IaaS", "Linux", "macOS", - "Google Workspace", "Containers", - "Network" + "Network", + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1110", 
@@ -25343,7 +25798,7 @@ "value": "Remote Services - T1021" }, { - "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).", + "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).", "meta": { "external_id": "T1102", "kill_chain": [ 
@@ -25363,7 +25818,8 @@ ], "refs": [ "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", - "https://attack.mitre.org/techniques/T1102" + "https://attack.mitre.org/techniques/T1102", + "https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication" ] }, "uuid": "830c9528-df21-472c-8c14-a036bf17d665", @@ -25582,13 +26038,13 @@ "Linux" ], "refs": [ - "http://msdn.microsoft.com/en-us/library/ms682425", "https://attack.mitre.org/techniques/T1106", "https://developer.apple.com/documentation/coreservices", "https://developer.apple.com/documentation/foundation", "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/OSX_Technology_Overview/CocoaApplicationLayer/CocoaApplicationLayer.html#//apple_ref/doc/uid/TP40001067-CH274-SW1", "https://docs.microsoft.com/en-us/windows/win32/api/", "https://dotnet.microsoft.com/learn/dotnet/what-is-dotnet-framework", + "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa", "https://man7.org/linux/man-pages//man7/libc.7.html", "https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/", "https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls", 
@@ -25698,28 +26154,28 @@ "external_id": "T1108", "kill_chain": [ "attack-Windows:defense-evasion", - "attack-Azure-AD:defense-evasion", - "attack-Office-365:defense-evasion", "attack-SaaS:defense-evasion", "attack-IaaS:defense-evasion", "attack-Linux:defense-evasion", "attack-macOS:defense-evasion", + "attack-Office-Suite:defense-evasion", + "attack-Identity-Provider:defense-evasion", "attack-Windows:persistence", - "attack-Azure-AD:persistence", - "attack-Office-365:persistence", "attack-SaaS:persistence", "attack-IaaS:persistence", "attack-Linux:persistence", - "attack-macOS:persistence" + "attack-macOS:persistence", + "attack-Office-Suite:persistence", + "attack-Identity-Provider:persistence" ], "mitre_platforms": [ "Windows", - "Azure AD", - "Office 365", "SaaS", "IaaS", "Linux", - "macOS" + "macOS", + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1108", 
@@ -25885,7 +26341,7 @@ "value": "Broadcast Receivers - T1402" }, { - "description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).\n\nWhile [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).\n\nAdversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s; or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204).(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)\n\nFor example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)", + "description": "An adversary may rely upon specific actions by a user in order to gain execution. 
Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).\n\nWhile [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).\n\nAdversaries may also deceive users into performing actions such as:\n\n* Enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary\n* Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)\n* Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204)\n* Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)\n\nFor example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)", "meta": { "external_id": "T1204", "kill_chain": [ 
@@ -25919,7 +26375,9 @@ "https://attack.mitre.org/techniques/T1204", "https://blog.talosintelligence.com/roblox-scam-overview/", "https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/", - "https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery" + "https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery", + "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn", + "https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/" ] }, "uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", 
@@ -26402,15 +26860,15 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1074", - "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - "https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf" + "https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", + "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf" ] }, "uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "value": "Data Staged - T1074" }, { - "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). 
While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.", + "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.\n\nAdversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. 
Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)", "meta": { "external_id": "T1480", "kill_chain": [ @@ -26430,7 +26888,8 @@ "refs": [ "https://attack.mitre.org/techniques/T1480", "https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/", - "https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html" + "https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html", + "https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/" ] }, "uuid": "853c4192-4311-43e1-bfbb-b11b14911852", @@ -26598,13 +27057,12 @@ "external_id": "T1087", "kill_chain": [ "attack-Windows:discovery", - "attack-Azure-AD:discovery", - "attack-Office-365:discovery", "attack-SaaS:discovery", "attack-IaaS:discovery", "attack-Linux:discovery", "attack-macOS:discovery", - "attack-Google-Workspace:discovery" + "attack-Office-Suite:discovery", + "attack-Identity-Provider:discovery" ], "mitre_data_sources": [ "Command: Command Execution", @@ -26613,13 +27071,12 @@ ], "mitre_platforms": [ "Windows", - "Azure AD", - "Office 365", "SaaS", "IaaS", "Linux", "macOS", - "Google Workspace" + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1087", 
@@ -26637,45 +27094,41 @@ "external_id": "T1078", "kill_chain": [ "attack-Windows:defense-evasion", - "attack-Azure-AD:defense-evasion", - "attack-Office-365:defense-evasion", "attack-SaaS:defense-evasion", "attack-IaaS:defense-evasion", "attack-Linux:defense-evasion", "attack-macOS:defense-evasion", - "attack-Google-Workspace:defense-evasion", "attack-Containers:defense-evasion", "attack-Network:defense-evasion", + "attack-Office-Suite:defense-evasion", + "attack-Identity-Provider:defense-evasion", "attack-Windows:persistence", - "attack-Azure-AD:persistence", - "attack-Office-365:persistence", "attack-SaaS:persistence", "attack-IaaS:persistence", "attack-Linux:persistence", "attack-macOS:persistence", - "attack-Google-Workspace:persistence", "attack-Containers:persistence", "attack-Network:persistence", + "attack-Office-Suite:persistence", + "attack-Identity-Provider:persistence", "attack-Windows:privilege-escalation", - "attack-Azure-AD:privilege-escalation", - "attack-Office-365:privilege-escalation", "attack-SaaS:privilege-escalation", "attack-IaaS:privilege-escalation", "attack-Linux:privilege-escalation", "attack-macOS:privilege-escalation", - "attack-Google-Workspace:privilege-escalation", "attack-Containers:privilege-escalation", "attack-Network:privilege-escalation", + "attack-Office-Suite:privilege-escalation", + "attack-Identity-Provider:privilege-escalation", "attack-Windows:initial-access", - "attack-Azure-AD:initial-access", - "attack-Office-365:initial-access", "attack-SaaS:initial-access", "attack-IaaS:initial-access", "attack-Linux:initial-access", "attack-macOS:initial-access", - "attack-Google-Workspace:initial-access", "attack-Containers:initial-access", - "attack-Network:initial-access" + "attack-Network:initial-access", + "attack-Office-Suite:initial-access", + "attack-Identity-Provider:initial-access" ], "mitre_data_sources": [ "Logon Session: Logon Session Creation", 
@@ -26684,15 +27137,14 @@ ], "mitre_platforms": [ "Windows", - "Azure AD", - "Office 365", "SaaS", "IaaS", "Linux", "macOS", - "Google Workspace", "Containers", - "Network" + "Network", + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1078", @@ -26743,25 +27195,23 @@ "external_id": "T1098", "kill_chain": [ "attack-Windows:persistence", - "attack-Azure-AD:persistence", - "attack-Office-365:persistence", "attack-IaaS:persistence", "attack-Linux:persistence", "attack-macOS:persistence", - "attack-Google-Workspace:persistence", "attack-SaaS:persistence", "attack-Network:persistence", "attack-Containers:persistence", + "attack-Office-Suite:persistence", + "attack-Identity-Provider:persistence", "attack-Windows:privilege-escalation", - "attack-Azure-AD:privilege-escalation", - "attack-Office-365:privilege-escalation", "attack-IaaS:privilege-escalation", "attack-Linux:privilege-escalation", "attack-macOS:privilege-escalation", - "attack-Google-Workspace:privilege-escalation", "attack-SaaS:privilege-escalation", "attack-Network:privilege-escalation", - "attack-Containers:privilege-escalation" + "attack-Containers:privilege-escalation", + "attack-Office-Suite:privilege-escalation", + "attack-Identity-Provider:privilege-escalation" ], "mitre_data_sources": [ "Active Directory: Active Directory Object Modification", @@ -26773,15 +27223,14 @@ ], "mitre_platforms": [ "Windows", - "Azure AD", - "Office 365", "IaaS", "Linux", "macOS", - "Google Workspace", "SaaS", "Network", - "Containers" + "Containers", + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1098", 
@@ -26903,15 +27352,14 @@ "value": "Dynamic DNS - T1311" }, { - "description": "Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients. ", + "description": "Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses.(Citation: TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries can collect or forward email from mail servers or clients. ", "meta": { "external_id": "T1114", "kill_chain": [ "attack-Windows:collection", - "attack-Office-365:collection", - "attack-Google-Workspace:collection", "attack-macOS:collection", - "attack-Linux:collection" + "attack-Linux:collection", + "attack-Office-Suite:collection" ], "mitre_data_sources": [ "Application Log: Application Log Content", @@ -26922,14 +27370,15 @@ ], "mitre_platforms": [ "Windows", - "Office 365", - "Google Workspace", "macOS", - "Linux" + "Linux", + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1114", - "https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/" + "https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/", + "https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a" ] }, "uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", 
@@ -27100,19 +27549,22 @@ "attack-macOS:collection", "attack-Windows:collection", "attack-IaaS:collection", - "attack-SaaS:collection" + "attack-SaaS:collection", + "attack-Office-Suite:collection" ], "mitre_data_sources": [ "Command: Command Execution", "File: File Access", - "Script: Script Execution" + "Script: Script Execution", + "User Account: User Account Authentication" ], "mitre_platforms": [ "Linux", "macOS", "Windows", "IaaS", - "SaaS" + "SaaS", + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1119", @@ -27497,15 +27949,14 @@ "external_id": "T1136", "kill_chain": [ "attack-Windows:persistence", - "attack-Azure-AD:persistence", - "attack-Office-365:persistence", "attack-IaaS:persistence", "attack-Linux:persistence", "attack-macOS:persistence", - "attack-Google-Workspace:persistence", "attack-Network:persistence", "attack-Containers:persistence", - "attack-SaaS:persistence" + "attack-SaaS:persistence", + "attack-Office-Suite:persistence", + "attack-Identity-Provider:persistence" ], "mitre_data_sources": [ "Command: Command Execution", @@ -27514,15 +27965,14 @@ ], "mitre_platforms": [ "Windows", - "Azure AD", - "Office 365", "IaaS", "Linux", "macOS", - "Google Workspace", "Network", "Containers", - "SaaS" + "SaaS", + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1136", @@ -27694,12 +28144,12 @@ "iOS" ], "refs": [ - "http://saschafahl.de/static/paper/pwmanagers2013.pdf", "https://attack.mitre.org/techniques/T1414", "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data", "https://developer.apple.com/documentation/uikit/uipasteboard", "https://github.com/grepx/android-clipboard-security", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html" + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html", + "https://saschafahl.de/static/paper/pwmanagers2013.pdf" ] }, "uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", 
@@ -28227,8 +28677,8 @@ "https://en.wikipedia.org/wiki/Browser_extension", "https://isc.sans.edu/forums/diary/BankerGoogleChromeExtensiontargetingBrazil/22722/", "https://isc.sans.edu/forums/diary/CatchAll+Google+Chrome+Malicious+Extension+Steals+All+Posted+Data/22976/https:/threatpost.com/malicious-chrome-extension-steals-data-posted-to-any-website/128680/)", - "https://kjaer.io/extension-malware/", "https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf", + "https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/", "https://www.ghacks.net/2017/09/19/first-chrome-extension-with-javascript-crypto-miner-detected/", "https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses", "https://www.microsoft.com/en-us/security/blog/2020/12/10/widespread-malware-campaign-seeks-to-silently-inject-ads-into-search-results-affects-multiple-browsers/", @@ -28424,7 +28874,8 @@ "attack-IaaS:initial-access", "attack-Linux:initial-access", "attack-macOS:initial-access", - "attack-Office-365:initial-access" + "attack-Identity-Provider:initial-access", + "attack-Office-Suite:initial-access" ], "mitre_data_sources": [ "Application Log: Application Log Content", @@ -28438,7 +28889,8 @@ "IaaS", "Linux", "macOS", - "Office 365" + "Identity Provider", + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1199", 
@@ -28564,15 +29016,14 @@ "external_id": "T1552", "kill_chain": [ "attack-Windows:credential-access", - "attack-Azure-AD:credential-access", - "attack-Office-365:credential-access", "attack-SaaS:credential-access", "attack-IaaS:credential-access", "attack-Linux:credential-access", "attack-macOS:credential-access", - "attack-Google-Workspace:credential-access", "attack-Containers:credential-access", - "attack-Network:credential-access" + "attack-Network:credential-access", + "attack-Office-Suite:credential-access", + "attack-Identity-Provider:credential-access" ], "mitre_data_sources": [ "Application Log: Application Log Content", @@ -28584,15 +29035,14 @@ ], "mitre_platforms": [ "Windows", - "Azure AD", - "Office 365", "SaaS", "IaaS", "Linux", "macOS", - "Google Workspace", "Containers", - "Network" + "Network", + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/techniques/T1552", 
@@ -28603,17 +29053,18 @@ "value": "Unsecured Credentials - T1552" }, { - "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)\n\nAdversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.", + "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. 
These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)\n\n", "meta": { "external_id": "T1562", "kill_chain": [ "attack-Windows:defense-evasion", - "attack-Office-365:defense-evasion", "attack-IaaS:defense-evasion", "attack-Linux:defense-evasion", "attack-macOS:defense-evasion", "attack-Containers:defense-evasion", - "attack-Network:defense-evasion" + "attack-Network:defense-evasion", + "attack-Identity-Provider:defense-evasion", + "attack-Office-Suite:defense-evasion" ], "mitre_data_sources": [ "Cloud Service: Cloud Service Disable", @@ -28637,15 +29088,17 @@ ], "mitre_platforms": [ "Windows", - "Office 365", "IaaS", "Linux", "macOS", "Containers", - "Network" + "Network", + "Identity Provider", + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1562", + "https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/" ] }, 
@@ -28653,7 +29106,7 @@ "value": "Impair Defenses - T1562" }, { - "description": "Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. \n\nThere are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling) \n\n[Protocol Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure. ", + "description": "Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. 
This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. \n\nThere are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling) \n\n[Protocol Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure. ", "meta": { "external_id": "T1572", "kill_chain": [ @@ -28833,9 +29286,8 @@ "attack-Windows:lateral-movement", "attack-macOS:lateral-movement", "attack-Linux:lateral-movement", - "attack-Office-365:lateral-movement", "attack-SaaS:lateral-movement", - "attack-Google-Workspace:lateral-movement" + "attack-Office-Suite:lateral-movement" ], "mitre_data_sources": [ "Application Log: Application Log Content", @@ -28846,9 +29298,8 @@ "Windows", "macOS", "Linux", - "Office 365", "SaaS", - "Google Workspace" + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1534", 
@@ -29028,7 +29479,7 @@ "attack-Linux:defense-evasion", "attack-macOS:defense-evasion", "attack-Windows:defense-evasion", - "attack-Office-365:defense-evasion" + "attack-Office-Suite:defense-evasion" ], "mitre_data_sources": [ "Application Log: Application Log Content", @@ -29049,7 +29500,7 @@ "Linux", "macOS", "Windows", - "Office 365" + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1564", 
@@ -29063,7 +29514,7 @@ "value": "Hide Artifacts - T1564" }, { - "description": "Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).\n\nHost binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)\n\nAdversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.", + "description": "Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).\n\nHost binaries may be leveraged to collect system logs. 
Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)\n\nAdversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.\n\nIn addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)", "meta": { "external_id": "T1654", "kill_chain": [ @@ -29086,6 +29537,7 @@ "refs": [ "https://attack.mitre.org/techniques/T1654", "https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf", + "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/", "https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial", "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" ] 
@@ -29129,7 +29581,7 @@ "value": "Compromise Infrastructure - T1584" }, { - "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 
2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).\n\nIn cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)", + "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. 
This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).\n\nIn cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)", "meta": { "external_id": "T1485", "kill_chain": [ @@ -29141,6 +29593,7 @@ ], "mitre_data_sources": [ "Cloud Storage: Cloud Storage Deletion", + "Cloud Storage: Cloud Storage Modification", "Command: Command Execution", "File: File Deletion", "File: File Modification", 
@@ -29203,13 +29656,13 @@ "value": "Firmware Corruption - T1495" }, { - "description": "Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers. \n\nAdversaries may abuse these resources in various ways as a means of executing arbitrary commands. For example, adversaries may use serverless functions to execute malicious code, such as crypto-mining malware (i.e. [Resource Hijacking](https://attack.mitre.org/techniques/T1496)).(Citation: Cado Security Denonia) Adversaries may also create functions that enable further compromise of the cloud environment. For example, an adversary may use the `IAM:PassRole` permission in AWS or the `iam.serviceAccounts.actAs` permission in Google Cloud to add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to a serverless cloud function, which may then be able to perform actions the original user cannot.(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Rhingo Security Labs GCP Privilege Escalation)\n\nServerless functions can also be invoked in response to cloud events (i.e. [Event Triggered Execution](https://attack.mitre.org/techniques/T1546)), potentially enabling persistent execution over time. 
For example, in AWS environments, an adversary may create a Lambda function that automatically adds [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user and a corresponding CloudWatch events rule that invokes that function whenever a new user is created.(Citation: Backdooring an AWS account) Similarly, an adversary may create a Power Automate workflow in Office 365 environments that forwards all emails a user receives or creates anonymous sharing links whenever a user is granted access to a document in SharePoint.(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)", + "description": "Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers. \n\nAdversaries may abuse these resources in various ways as a means of executing arbitrary commands. For example, adversaries may use serverless functions to execute malicious code, such as crypto-mining malware (i.e. [Resource Hijacking](https://attack.mitre.org/techniques/T1496)).(Citation: Cado Security Denonia) Adversaries may also create functions that enable further compromise of the cloud environment. For example, an adversary may use the `IAM:PassRole` permission in AWS or the `iam.serviceAccounts.actAs` permission in Google Cloud to add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to a serverless cloud function, which may then be able to perform actions the original user cannot.(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Rhingo Security Labs GCP Privilege Escalation)\n\nServerless functions can also be invoked in response to cloud events (i.e. [Event Triggered Execution](https://attack.mitre.org/techniques/T1546)), potentially enabling persistent execution over time. 
For example, in AWS environments, an adversary may create a Lambda function that automatically adds [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user and a corresponding CloudWatch events rule that invokes that function whenever a new user is created.(Citation: Backdooring an AWS account) This is also possible in many cloud-based office application suites. For example, in Microsoft 365 environments, an adversary may create a Power Automate workflow that forwards all emails a user receives or creates anonymous sharing links whenever a user is granted access to a document in SharePoint.(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001) In Google Workspace environments, they may instead create an Apps Script that exfiltrates a user's data when they open a file.(Citation: Cloud Hack Tricks GWS Apps Script)(Citation: OWN-CERT Google App Script 2024)", "meta": { "external_id": "T1648", "kill_chain": [ "attack-SaaS:execution", "attack-IaaS:execution", - "attack-Office-365:execution" + "attack-Office-Suite:execution" ], "mitre_data_sources": [ "Application Log: Application Log Content", 
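Review bot: The kill_chain and platform values in this T1648 hunk are renamed from `attack-Office-365:execution` / `Office 365` to `attack-Office-Suite:execution` / `Office Suite`, and the same rename recurs in the hunks at `@@ -29453`, `@@ -29734` and `@@ -30565`, yet neither the commit message nor the README change records it. Any MISP tagging or filtering keyed on the old `attack-Office-365:*` kill-chain strings will presumably stop matching these clusters after the update, so a short note naming the old and new platform strings would help downstream users migrate. The enclosing T1648 object starts outside the hunk.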
@@ -29218,15 +29671,17 @@ "mitre_platforms": [ "SaaS", "IaaS", - "Office 365" + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1648", + "https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts", "https://medium.com/daniel-grzelak/backdooring-an-aws-account-da007d36f8f9", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/", "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/", "https://www.microsoft.com/security/blog/2020/03/09/real-life-cybercrime-stories-dart-microsoft-detection-and-response-team", + "https://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis", "https://www.varonis.com/blog/power-automate-data-exfiltration" ] }, 
@@ -29234,7 +29689,7 @@ "value": "Serverless Execution - T1648" }, { - "description": "Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. \n\nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking)", + "description": "Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. \n\nResource hijacking may take a number of different forms. 
For example, adversaries may:\n\n* Leverage compute resources in order to mine cryptocurrency\n* Sell network bandwidth to proxy networks\n* Generate SMS traffic for profit\n* Abuse cloud-based messaging services to send large quantities of spam messages\n\nIn some cases, adversaries may leverage multiple types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking 2023)", "meta": { "external_id": "T1496", "kill_chain": [ @@ -29242,9 +29697,12 @@ "attack-IaaS:impact", "attack-Linux:impact", "attack-macOS:impact", - "attack-Containers:impact" + "attack-Containers:impact", + "attack-SaaS:impact" ], "mitre_data_sources": [ + "Application Log: Application Log Content", + "Cloud Service: Cloud Service Modification", "Command: Command Execution", "File: File Creation", "Network Traffic: Network Connection Creation", 
@@ -29258,24 +29716,19 @@ "IaaS", "Linux", "macOS", - "Containers" + "Containers", + "SaaS" ], "refs": [ "https://attack.mitre.org/techniques/T1496", - "https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc", - "https://securelist.com/lazarus-under-the-hood/77908/", - "https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/", - "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/", - "https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html", - "https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html", - "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + "https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/" ] }, "uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "value": "Resource Hijacking - T1496" }, { - "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. 
Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)", + "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible.(Citation: Novetta Blockbuster) In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)", "meta": { "external_id": "T1489", "kill_chain": [ @@ -29453,9 +29906,8 @@ "attack-Linux:impact", "attack-macOS:impact", "attack-Windows:impact", - "attack-Office-365:impact", "attack-SaaS:impact", - "attack-Google-Workspace:impact" + "attack-Office-Suite:impact" ], "mitre_data_sources": [ "Application Log: Application Log Content" @@ -29464,9 +29916,8 @@ "Linux", "macOS", "Windows", - "Office 365", "SaaS", - "Google Workspace" + "Office Suite" ], "refs": [ "https://apnews.com/article/russia-ukraine-technology-business-europe-hacking-ce7a8aca506742ab8e8873e7f9f229c2", 
@@ -29650,7 +30101,7 @@ "https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop", "https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html", "https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/", - "https://www.recordedfuture.com/cobalt-strike-servers/", + "https://www.recordedfuture.com/research/cobalt-strike-servers", "https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html" ] }, @@ -29734,7 +30185,7 @@ "external_id": "T1137.006", "kill_chain": [ "attack-Windows:persistence", - "attack-Office-365:persistence" + "attack-Office-Suite:persistence" ], "mitre_data_sources": [ "Command: Command Execution", @@ -29746,7 +30197,7 @@ ], "mitre_platforms": [ "Windows", - "Office 365" + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1137/006", @@ -29875,6 +30326,7 @@ "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/", "https://adsecurity.org/?p=1729", "https://attack.mitre.org/techniques/T1003/006", + "https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/", "https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM", "https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump", "https://msdn.microsoft.com/library/cc228086.aspx", 
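Review bot: The DCSync refs in the hunk at `@@ -29875` now list the same article twice, as the existing `http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/` and the added `https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/`. If the generator mirrors upstream verbatim this is likely an upstream duplication, but keeping only the https entry would avoid two refs for one source. The enclosing T1003.006 object starts outside the hunk.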
@@ -29895,7 +30347,7 @@ "value": "DCSync - T1003.006" }, { - "description": "Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.\n\nTimestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)", + "description": "Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.\n\nBoth the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)\n\nModifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)\n\nAdversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. 
In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)\n\nTimestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)", "meta": { "external_id": "T1070.006", "kill_chain": [ @@ -29904,8 +30356,10 @@ "attack-Windows:defense-evasion" ], "mitre_data_sources": [ + "Command: Command Execution", "File: File Metadata", - "File: File Modification" + "File: File Modification", + "Process: OS API Execution" ], "mitre_platforms": [ "Linux", @@ -29914,7 +30368,10 @@ ], "refs": [ "http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html", - "https://attack.mitre.org/techniques/T1070/006" + "https://attack.mitre.org/techniques/T1070/006", + "https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html", + "https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/", + "https://x.com/matthewdunwoody/status/1519846657646604289" ] }, "related": [ 
@@ -29977,13 +30434,13 @@ "Windows" ], "refs": [ - "http://lists.openstack.org/pipermail/openstack/2013-December/004138.html", "https://attack.mitre.org/techniques/T1021/005", "https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2", "https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207", "https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in", "https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication", "https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc", + "https://lists.openstack.org/pipermail/openstack/2013-December/004138.html", "https://pentestlab.blog/2012/10/30/attacking-vnc-servers/", "https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins", "https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac", @@ -30122,7 +30579,7 @@ "http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf", "https://attack.mitre.org/techniques/T1059/001", "https://blogs.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/", - "https://github.com/jaredhaight/PSAttack", + "https://github.com/Exploit-install/PSAttack-1", "https://powershellmagazine.com/2014/07/16/investigating-powershell-attacks/", "https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx", "https://web.archive.org/web/20160327101330/http://www.sixdub.net/?p=367", 
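Review bot: The PowerShell ref in the hunk at `@@ -30122` replaces `https://github.com/jaredhaight/PSAttack` with `https://github.com/Exploit-install/PSAttack-1`, which looks like a third-party mirror rather than the original author's repository. For a citation list it is worth confirming this is an intentional upstream change and, if the original repository is no longer available, preferring an archived copy of the original URL. The T1059.001 object holding these refs starts outside the hunk.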
@@ -30140,7 +30597,7 @@ "value": "PowerShell - T1059.001" }, { - "description": "Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.\n\nOn Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow file. If the at.allow file does not exist, the at.deny file is checked. Every username not listed in at.deny is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)\n\nAdversaries may use [at](https://attack.mitre.org/software/S0110) to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). 
[at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote [Execution](https://attack.mitre.org/tactics/TA0002) as part of [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or to run a process under the context of a specified account (such as SYSTEM).\n\nIn Linux environments, adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via sudo.(Citation: GTFObins at)", + "description": "Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)\n\nOn Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow file. If the at.allow file does not exist, the at.deny file is checked. 
Every username not listed in at.deny is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)\n\nAdversaries may use [at](https://attack.mitre.org/software/S0110) to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote [Execution](https://attack.mitre.org/tactics/TA0002) as part of [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or to run a process under the context of a specified account (such as SYSTEM).\n\nIn Linux environments, adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via sudo.(Citation: GTFObins at)", "meta": { "external_id": "T1053.002", "kill_chain": [ 
@@ -30174,8 +30631,9 @@ "https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen", "https://technet.microsoft.com/en-us/sysinternals/bb963902", "https://technet.microsoft.com/library/dd315590.aspx", - "https://twitter.com/leoloobeek/status/939248813465853953", - "https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/" + "https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe", + "https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/", + "https://x.com/leoloobeek/status/939248813465853953" ] }, "related": [ 
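Review bot: The added ref `https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe` carries a `#blog-subscribe` page fragment that is navigation noise rather than part of the citation; `https://www.cybereason.com/blog/wmi-lateral-movement-win32` would be the clean form. The enclosing T1053.002 object starts outside the hunk.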
@@ -30252,7 +30710,7 @@ "value": "AppleScript - T1059.002" }, { - "description": "Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)\n\nAdversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "description": "Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. 
DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)\n\nAdversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).\n\nAdversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)", "meta": { "external_id": "T1590.002", "kill_chain": [ 
@@ -30264,8 +30722,11 @@ "refs": [ "https://attack.mitre.org/techniques/T1590/002", "https://dnsdumpster.com/", - "https://twitter.com/PyroTek3/status/1126487227712921600/photo/1", - "https://www.circl.lu/services/passive-dns/" + "https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/", + "https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds", + "https://www.circl.lu/services/passive-dns/", + "https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information", + "https://x.com/PyroTek3/status/1126487227712921600" ] }, "related": [ 
@@ -30448,7 +30909,7 @@ "value": "Regsvr32 - T1218.010" }, { - "description": "\nAdversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n", + "description": "\nAdversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n", "meta": { "external_id": "T1213.001", "kill_chain": [ 
@@ -30565,20 +31026,60 @@ "value": "Keylogging - T1417.001" }, { - "description": "Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n", + "description": "Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua), or from Lua-embedded programs (through the struct lua_State).(Citation: Lua main page)(Citation: Lua state)\n\nLua scripts may be executed by adversaries for malicious purposes. 
Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)", + "meta": { + "external_id": "T1059.011", + "kill_chain": [ + "attack-Linux:execution", + "attack-macOS:execution", + "attack-Windows:execution", + "attack-Network:execution" + ], + "mitre_data_sources": [ + "Command: Command Execution", + "Script: Script Execution" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Network" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1059/011", + "https://blog.talosintelligence.com/poetrat-update/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf", + "https://pgl.yoyo.org/luai/i/lua_State", + "https://web.archive.org/web/20150311013500/http:/www.cyphort.com/evilbunny-malware-instrumented-lua/", + "https://www.lua.org/start.html", + "https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "subtechnique-of" + } + ], + "uuid": "afddee82-3385-4682-ad90-eeced33f2d07", + "value": "Lua - T1059.011" + }, + { + "description": "Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. 
For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n", "meta": { "external_id": "T1213.002", "kill_chain": [ "attack-Windows:collection", - "attack-Office-365:collection" + "attack-Office-Suite:collection" ], "mitre_data_sources": [ "Application Log: Application Log Content", + "Cloud Service: Cloud Service Metadata", "Logon Session: Logon Session Creation" ], "mitre_platforms": [ "Windows", - "Office 365" + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1213/002", @@ -30615,9 +31116,9 @@ "https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/", "https://securelist.com/bluenoroff-methods-bypass-motw/108383/", "https://strontic.github.io/xcyclopedia/library/SyncAppvPublishingServer.exe-3C291419F60CDF9C2E4E19AD89944FA3.html", - "https://twitter.com/monoxgas/status/895045566090010624", "https://www.hackingarticles.in/indirect-command-execution-defense-evasion-t1202/", - "https://www.trellix.com/en-ca/about/newsroom/stories/research/suspected-darkhotel-apt-activity-update/" + "https://www.trellix.com/en-ca/about/newsroom/stories/research/suspected-darkhotel-apt-activity-update/", + "https://x.com/monoxgas/status/895045566090010624" ] }, "related": [ 
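Review bot: The new T1059.011 (Lua) entry's archived Cyphort ref is written as `https://web.archive.org/web/20150311013500/http:/www.cyphort.com/evilbunny-malware-instrumented-lua/` with a single slash after `http:`; the archive service tolerates this, but the `http://` form used by the other archived ref in this file (the securitytrails entry in the `@@ -30264` hunk) is the canonical one and avoids a URL that looks malformed to validators. Worth confirming whether this is upstream's text or a transcription slip before normalising it.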
@@ -30629,6 +31130,41 @@ "uuid": "e6f19759-dde3-47fc-99cc-d9f5fa4ade60", "value": "SyncAppvPublishingServer - T1216.002" }, + { + "description": "Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)\n\nBecause ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.\n\nClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). 
When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)\n\nAdversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe)\n\nAdditionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)", + "meta": { + "external_id": "T1127.002", + "kill_chain": [ + "attack-Windows:defense-evasion" + ], + "mitre_data_sources": [ + "Command: Command Execution", + "Module: Module Load", + "Process: Process Creation", + "Process: Process Metadata" + ], + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1127/002", + "https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf?_gl=1*1jv89bf*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.256219723.1512103758.1724809895-1999078900.1724809894", + "https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf?_gl=1*16njas6*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.253743689.1512103758.1724809895-1999078900.1724809894", + "https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022", + "https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/", + 
"https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5", + "https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/" + ] + }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "type": "subtechnique-of" + } + ], + "uuid": "cc279e50-df85-4c8e-be80-6dc2eda8849c", + "value": "ClickOnce - T1127.002" + }, { "description": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\n\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft.\n\nCMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)", "meta": { 
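Review bot: The two i.blackhat.com refs in the new T1127.002 entry carry Google Analytics cross-domain linker query strings (`?_gl=1*…&_ga=…`) that are session-specific rather than part of the document's address, so the refs will never match the canonical URL used elsewhere and embed a visitor's analytics identifiers in the galaxy. They should be truncated at the `?`, e.g. `https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf`, and likewise for the slides PDF. The same hygiene applies to the `#google_vignette` fragment on the bleepingcomputer ref added in the T1583.007 and T1584.007 hunks further down, which is an interstitial-ad marker rather than an anchor in the article. If these values are copied verbatim from the upstream mitre/cti bundle, the generator is the right place to strip tracking parameters so the fix survives the next import.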
@@ -30650,8 +31186,8 @@ "https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc786431(v=ws.10)", "https://github.com/api0cradle/UltimateAppLockerByPassList", "https://msitpros.com/?p=3960", - "https://twitter.com/ItsReallyNick/status/958789644165894146", - "https://twitter.com/NickTyrer/status/958450014111633408" + "https://x.com/ItsReallyNick/status/958789644165894146", + "https://x.com/NickTyrer/status/958450014111633408" ] }, "related": [ 
@@ -30875,7 +31411,7 @@ "value": "Keychain - T1634.001" }, { - "description": "Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\n\nAdversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute \"IDN homograph attacks,\" creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)\n\nDifferent URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)\n\nAdversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)\n\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. 
Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)", + "description": "Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\n\nAdversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) 
to execute \"IDN homograph attacks,\" creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)\n\nDifferent URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)\n\nAdversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)\n\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)\n\nIn addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor’s choosing.(Citation: Invictus IR DangerDev 2024)", "meta": { "external_id": "T1583.001", "kill_chain": [ 
@@ -30906,6 +31442,7 @@ "https://www.blackhillsinfosec.com/bypass-web-proxy-filtering/", "https://www.cobaltstrike.com/blog/high-reputation-redirectors-and-domain-fronting/", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me", "https://www.mdsec.co.uk/2017/07/categorisation-is-not-a-security-boundary/", "https://www.techtarget.com/searchsecurity/tip/Preparing-for-uniform-resource-identifier-URI-exploits", "https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/" 
@@ -30921,7 +31458,7 @@ "value": "Domains - T1583.001" }, { - "description": "Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)\n\nSubdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)\n\nAdversaries who compromise a domain may also engage in domain shadowing by creating malicious subdomains under their control while keeping any existing DNS records. As service will not be disrupted, the malicious subdomains may go unnoticed for long periods of time.(Citation: Palo Alto Unit 42 Domain Shadowing 2022)", + "description": "Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. 
Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).(Citation: Krebs DNS Hijack 2019)\n\nSubdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)\n\nAdversaries who compromise a domain may also engage in domain shadowing by creating malicious subdomains under their control while keeping any existing DNS records. As service will not be disrupted, the malicious subdomains may go unnoticed for long periods of time.(Citation: Palo Alto Unit 42 Domain Shadowing 2022)", "meta": { "external_id": "T1584.001", "kill_chain": [ @@ -30969,12 +31506,12 @@ "macOS" ], "refs": [ - "http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way", "https://attack.mitre.org/techniques/T1555/001", "https://developer.apple.com/documentation/security/keychain_services", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py", "https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption", - "https://www.netmeister.org/blog/keychain-passwords.html" + "https://www.netmeister.org/blog/keychain-passwords.html", + "https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418" ] }, "related": [ 
@@ -30987,7 +31524,7 @@ "value": "Keychain - T1555.001" }, { - "description": "Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.\n\nList-view controls are user interface windows used to display collections of items.(Citation: Microsoft List View Controls) Information about an application's list-view settings are stored within the process' memory in a SysListView32 control.\n\nListPlanting (a form of message-passing \"shatter attack\") may be performed by copying code into the virtual address space of a process that uses a list-view control then using that code as a custom callback for sorting the listed items.(Citation: Modexp Windows Process Injection) Adversaries must first copy code into the target process’ memory space, which can be performed various ways including by directly obtaining a handle to the SysListView32 child of the victim process window (via Windows API calls such as FindWindow and/or EnumWindows) or other [Process Injection](https://attack.mitre.org/techniques/T1055) methods.\n\nSome variations of ListPlanting may allocate memory in the target process but then use window messages to copy the payload, to avoid the use of the highly monitored WriteProcessMemory function. 
For example, an adversary can use the PostMessage and/or SendMessage API functions to send LVM_SETITEMPOSITION and LVM_GETITEMPOSITION messages, effectively copying a payload 2 bytes at a time to the allocated memory.(Citation: ESET InvisiMole June 2020) \n\nFinally, the payload is triggered by sending the LVM_SORTITEMS message to the SysListView32 child of the process window, with the payload within the newly allocated buffer passed and executed as the ListView_SortItems callback.", + "description": "Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process.(Citation: Hexacorn Listplanting) Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.\n\nList-view controls are user interface windows used to display collections of items.(Citation: Microsoft List View Controls) Information about an application's list-view settings are stored within the process' memory in a SysListView32 control.\n\nListPlanting (a form of message-passing \"shatter attack\") may be performed by copying code into the virtual address space of a process that uses a list-view control then using that code as a custom callback for sorting the listed items.(Citation: Modexp Windows Process Injection) Adversaries must first copy code into the target process’ memory space, which can be performed various ways including by directly obtaining a handle to the SysListView32 child of the victim process window (via Windows API calls such as FindWindow and/or EnumWindows) or other [Process Injection](https://attack.mitre.org/techniques/T1055) methods.\n\nSome variations of ListPlanting may allocate memory in the target process but then use window messages to copy the payload, to avoid the use of the highly monitored 
WriteProcessMemory function. For example, an adversary can use the PostMessage and/or SendMessage API functions to send LVM_SETITEMPOSITION and LVM_GETITEMPOSITION messages, effectively copying a payload 2 bytes at a time to the allocated memory.(Citation: ESET InvisiMole June 2020) \n\nFinally, the payload is triggered by sending the LVM_SORTITEMS message to the SysListView32 child of the process window, with the payload within the newly allocated buffer passed and executed as the ListView_SortItems callback.", "meta": { "external_id": "T1055.015", "kill_chain": [ @@ -31005,6 +31542,7 @@ "https://attack.mitre.org/techniques/T1055/015", "https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview", "https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/", + "https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/", "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" ] }, 
@@ -31110,7 +31648,7 @@ "value": "Malware - T1588.001" }, { - "description": "Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nAdversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then add malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Finally, where multi-factor authentication (MFA) based on out-of-band communications is in use, adversaries may compromise a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)\n\nGathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). 
", + "description": "Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nAdversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then add malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) (Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Where multi-factor authentication (MFA) based on out-of-band communications is in use, adversaries may compromise a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)\n\nCredential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.). 
Adversaries may purchase credentials from dark web markets, such as Russian Market and 2easy, or through access to Telegram channels that distribute logs from infostealer malware.(Citation: Bleeping Computer 2easy 2021)(Citation: SecureWorks Infostealers 2023)(Citation: Bleeping Computer Stealer Logs 2023)\n\nGathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). ", "meta": { "external_id": "T1589.001", "kill_chain": [ @@ -31126,8 +31664,11 @@ "https://github.com/michenriksen/gitrob", "https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/", "https://sec.okta.com/scatterswine", + "https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/", + "https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/", "https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/", "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196", + "https://www.secureworks.com/research/the-growing-threat-from-infostealers", "https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/", "https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/" ] 
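Review bot: In the rewritten T1589.001 description the leak-related citations (`(Citation: Register Deloitte)` through `(Citation: CNET Leaks)`) now sit directly after the ScanBox sentence about cookie-harvesting sites, while the sentence they actually support — credentials exposed via search engines, breach dumps and code repositories — has moved to the following paragraph and is left uncited. A reader is thus pointed to the truffleHog, Gitrob and Deloitte references as evidence for website compromise, which they do not describe. Since the text appears to be carried over from the upstream ATT&CK bundle, this is probably best reported upstream rather than patched in the galaxy, but the five new refs added in the adjacent hunk do match the new infostealer-market sentence, so only the citation placement is off.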
@@ -31327,7 +31868,7 @@ "refs": [ "https://attack.mitre.org/techniques/T1588/002", "https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/", - "https://www.recordedfuture.com/identifying-cobalt-strike-servers/" + "https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers" ] }, "related": [ @@ -31416,12 +31957,12 @@ "refs": [ "https://adsecurity.org/?p=2293", "https://attack.mitre.org/techniques/T1558/003", + "https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/", "https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1", "https://msdn.microsoft.com/library/ms677949.aspx", "https://redsiege.com/kerberoast-slides", - "https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx", - "https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/" + "https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx" ] }, "related": [ 
@@ -31434,7 +31975,7 @@ "value": "Kerberoasting - T1558.003" }, { - "description": "Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.\n\nOnce acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)", + "description": "Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. 
By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.\n\nOnce acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS Apps Script Abuse 2021) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)", "meta": { "external_id": "T1583.007", "kill_chain": [ @@ -31450,7 +31991,8 @@ "https://attack.mitre.org/techniques/T1583/007", "https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/", "https://blog.xpnsec.com/aws-lambda-redirector/", - "https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/" + "https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/", + "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette" ] }, "related": [ 
@@ -31635,7 +32177,7 @@ "value": "Exploits - T1587.004" }, { - "description": "Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them. \n\nOnce compromised, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)", + "description": "Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them. 
\n\nOnce compromised, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS Apps Script Abuse 2021) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)", "meta": { "external_id": "T1584.007", "kill_chain": [ @@ -31651,7 +32193,8 @@ "https://attack.mitre.org/techniques/T1584/007", "https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/", "https://blog.xpnsec.com/aws-lambda-redirector/", - "https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/" + "https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/", + "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette" ] }, "related": [ 
@@ -31716,7 +32259,7 @@ "value": "Vulnerabilities - T1588.006" }, { - "description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).\n\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)\n\nAdversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). 
Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).\n\nAdditionally, adversaries may use [Masquerading](https://attack.mitre.org/techniques/T1036) techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion) ", + "description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).\n\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002) can be proxied through Rundll32.exe.\n\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)\n\nAdversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. 
As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).\n\nAdditionally, adversaries may use [Masquerading](https://attack.mitre.org/techniques/T1036) techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion) ", "meta": { "external_id": "T1218.011", "kill_chain": [ @@ -31734,9 +32277,9 @@ "refs": [ "https://attack.mitre.org/techniques/T1218/011", "https://github.com/gtworek/PSBits/tree/master/NoRunDll", - "https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/", "https://www.attackify.com/blog/rundll32_execution_order/", "https://www.cynet.com/attack-techniques-hands-on/defense-evasion-techniques/", + "https://www.stormshield.com/news/poweliks-command-line-confusion/", "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf" ] }, @@ -32260,7 +32803,8 @@ "Scheduled Job: Scheduled Job Metadata", "Scheduled Job: Scheduled Job Modification", "Service: Service Creation", - "Service: Service Metadata" + "Service: Service Metadata", + "User Account: User Account Creation" ], "mitre_platforms": [ "Linux", 
@@ -32271,8 +32815,8 @@ "refs": [ "https://attack.mitre.org/techniques/T1036", "https://lolbas-project.github.io/", - "https://twitter.com/ItsReallyNick/status/1055321652777619457", - "https://www.elastic.co/blog/how-hunt-masquerade-ball" + "https://www.elastic.co/blog/how-hunt-masquerade-ball", + "https://x.com/ItsReallyNick/status/1055321652777619457" ] }, "uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", @@ -32873,9 +33417,8 @@ "attack-Linux:defense-evasion", "attack-macOS:defense-evasion", "attack-Windows:defense-evasion", - "attack-Office-365:defense-evasion", "attack-SaaS:defense-evasion", - "attack-Google-Workspace:defense-evasion" + "attack-Office-Suite:defense-evasion" ], "mitre_data_sources": [ "Application Log: Application Log Content" @@ -32884,9 +33427,8 @@ "Linux", "macOS", "Windows", - "Office 365", "SaaS", - "Google Workspace" + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1656", 
@@ -32898,7 +33440,7 @@ "value": "Impersonation - T1656" }, { - "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)", + "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. 
In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., \"thread hijacking\").(Citation: phishing-krebs)\n\nVictims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)", "meta": { "external_id": "T1566", "kill_chain": [ 
@@ -32906,8 +33448,8 @@ "attack-macOS:initial-access", "attack-Windows:initial-access", "attack-SaaS:initial-access", - "attack-Office-365:initial-access", - "attack-Google-Workspace:initial-access" + "attack-Identity-Provider:initial-access", + "attack-Office-Suite:initial-access" ], "mitre_data_sources": [ "Application Log: Application Log Content", @@ -32920,18 +33462,19 @@ "macOS", "Windows", "SaaS", - "Office 365", - "Google Workspace" + "Identity Provider", + "Office Suite" ], "refs": [ "https://attack.mitre.org/techniques/T1566", "https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends", "https://blog.sygnia.co/luna-moth-false-subscription-scams", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide", + "https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/", "https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/", "https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/", + "https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa23-025a", - "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://www.proofpoint.com/us/threat-reference/email-spoofing" ] @@ -32967,5 +33510,5 @@ "value": "Keychain - T1579" } ], - "version": 30 + "version": 31 } diff --git a/clusters/mitre-course-of-action.json b/clusters/mitre-course-of-action.json index 3fa2948..eca41a9 100644 --- a/clusters/mitre-course-of-action.json +++ b/clusters/mitre-course-of-action.json 
@@ -222,6 +222,10 @@ "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "mitigates" }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "mitigates" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "mitigates" @@ -234,6 +238,10 @@ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "mitigates" }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "mitigates" + }, { "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829", "type": "mitigates" @@ -266,6 +274,10 @@ "dest-uuid": "cabe189c-a0e3-4965-a473-dcff00f17213", "type": "mitigates" }, + { + "dest-uuid": "cc279e50-df85-4c8e-be80-6dc2eda8849c", + "type": "mitigates" + }, { "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", "type": "mitigates" @@ -777,6 +789,10 @@ "dest-uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0", "type": "mitigates" }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "mitigates" + }, { "dest-uuid": "4d2a5b3e-340d-4600-9123-309dd63c9bf8", "type": "mitigates" @@ -837,6 +853,10 @@ "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "mitigates" }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "mitigates" + }, { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "type": "mitigates" @@ -1586,6 +1606,10 @@ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "mitigates" }, + { + "dest-uuid": "b577dfc1-0177-4522-8d5a-782127c8592b", + "type": "mitigates" + }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "mitigates" 
@@ -2664,6 +2688,49 @@ "uuid": "337172b1-b003-4034-8a3f-1d89a71da628", "value": "Runtime Data Manipulation Mitigation - T1494" }, + { + "description": "Establish secure out-of-band communication channels to ensure the continuity of critical communications during security incidents, data integrity attacks, or in-network communication failures. Out-of-band communication refers to using an alternative, separate communication path that is not dependent on the potentially compromised primary network infrastructure. This method can include secure messaging apps, encrypted phone lines, satellite communications, or dedicated emergency communication systems. Leveraging these alternative channels reduces the risk of adversaries intercepting, disrupting, or tampering with sensitive communications and helps coordinate an effective incident response.(Citation: TrustedSec OOB Communications)(Citation: NIST Special Publication 800-53 Revision 5)", + "meta": { + "external_id": "M1060", + "refs": [ + "https://attack.mitre.org/mitigations/M1060", + "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf", + "https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response" + ] + }, + "related": [ + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "type": "mitigates" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "mitigates" + }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "type": "mitigates" + }, + { + "dest-uuid": "7d77a07d-02fe-4e88-8bd9-e9c008c01bf0", + "type": "mitigates" + }, + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "mitigates" + }, + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "type": "mitigates" + }, + { + "dest-uuid": "fb75213f-cfb0-40bf-a02f-3bad93d6601e", + "type": "mitigates" + } + ], + "uuid": "80a0e940-f683-4fbd-ac00-e9f935f2f808", + "value": "Out-of-Band Communications Channel - M1060" + }, { 
"description": "Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. (Citation: ADSecurity Windows Secure Baseline)\n\nUse host-based security software to block LLMNR/NetBIOS traffic. Enabling SMB Signing can stop NTLMv2 relay attacks.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay)(Citation: Microsoft SMB Packet Signing)", "meta": { @@ -2693,6 +2760,10 @@ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "mitigates" }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "mitigates" + }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "mitigates" @@ -2717,6 +2788,10 @@ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "type": "mitigates" }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "mitigates" + }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "mitigates" @@ -2765,6 +2840,10 @@ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "mitigates" }, + { + "dest-uuid": "cc279e50-df85-4c8e-be80-6dc2eda8849c", + "type": "mitigates" + }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "mitigates" @@ -2788,6 +2867,10 @@ { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "mitigates" + }, + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "type": "mitigates" } ], "uuid": "21da4fd4-27ad-4e9c-b93d-0b9b14d02c96", @@ -3176,6 +3259,10 @@ "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", "type": "mitigates" }, + { + "dest-uuid": "130d4494-b2d6-4040-bcea-6e59f05222fe", + "type": "mitigates" + }, { "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720", "type": "mitigates" @@ -3304,6 +3391,10 @@ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "mitigates" }, + { + "dest-uuid": "241f9ea8-f6ae-4f38-92f5-cef5b7e539dd", + "type": "mitigates" + }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "mitigates" 
@@ -3324,6 +3415,10 @@ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "mitigates" }, + { + "dest-uuid": "48b836c6-e4ca-435a-82a3-29c03e5b492e", + "type": "mitigates" + }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "mitigates" @@ -3634,6 +3729,10 @@ "dest-uuid": "d273434a-448e-4598-8e14-607f4a0d5e27", "type": "mitigates" }, + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "type": "mitigates" + }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "type": "mitigates" @@ -3655,7 +3754,7 @@ "value": "Encrypt Sensitive Information - M1041" }, { - "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "description": "Implement robust Active Directory configurations using group policies to control access and reduce the attack surface. Specific examples include:\n\n* Account Configuration: Use provisioned domain accounts rather than local accounts to leverage centralized control and auditing capabilities.\n* Interactive Logon Restrictions: Enforce group policies that prohibit interactive logons for accounts that should not directly access systems.\n* Remote Desktop Settings: Limit Remote Desktop logons to authorized accounts to prevent misuse by adversaries.\n* Dedicated Administrative Accounts: Create specialized domain-wide accounts that are restricted from interactive logons but can perform specific tasks like installations or repository access.\n* Authentication Silos: Configure Authentication Silos in Active Directory to create access zones with restrictions based on membership in the Protected Users global security group. This setup enhances security by applying additional protections to high-risk accounts, limiting their exposure to potential attacks.", "meta": { "external_id": "M1015", "refs": [ 
@@ -3842,6 +3941,14 @@ "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5", "type": "mitigates" }, + { + "dest-uuid": "0ce73446-8722-4086-9d43-514f1d0f669e", + "type": "mitigates" + }, + { + "dest-uuid": "1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4", + "type": "mitigates" + }, { "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", "type": "mitigates" @@ -3862,6 +3969,10 @@ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "mitigates" }, + { + "dest-uuid": "24769ab5-14bd-4f4e-a752-cfb185da53ee", + "type": "mitigates" + }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "mitigates" @@ -3886,6 +3997,14 @@ "dest-uuid": "2de47683-f398-448f-b947-9abcc3e32fad", "type": "mitigates" }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "mitigates" + }, + { + "dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21", + "type": "mitigates" + }, { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "type": "mitigates" @@ -3906,6 +4025,14 @@ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "type": "mitigates" }, + { + "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", + "type": "mitigates" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "type": "mitigates" + }, { "dest-uuid": "45241b9e-9bbc-4826-a2cc-78855e51ca09", "type": "mitigates" @@ -3950,6 +4077,10 @@ "dest-uuid": "57a3d31a-d04f-4663-b2da-7df8ec3f8c9d", "type": "mitigates" }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "mitigates" + }, { "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5", "type": "mitigates" @@ -4122,6 +4253,14 @@ "dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc", "type": "mitigates" }, + { + "dest-uuid": "bbfbb096-6561-4d7d-aa2c-a5ee8e44c696", + "type": "mitigates" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "mitigates" + }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "type": "mitigates" 
@@ -4154,10 +4293,18 @@ "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", "type": "mitigates" }, + { + "dest-uuid": "d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0", + "type": "mitigates" + }, { "dest-uuid": "d456de47-a16f-4e46-8980-e67478a12dcb", "type": "mitigates" }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "type": "mitigates" + }, { "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", "type": "mitigates" @@ -4218,10 +4365,18 @@ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "mitigates" }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "mitigates" + }, { "dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436", "type": "mitigates" }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "mitigates" + }, { "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", "type": "mitigates" @@ -5310,10 +5465,18 @@ "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", "type": "mitigates" }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "mitigates" + }, { "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", "type": "mitigates" }, + { + "dest-uuid": "afddee82-3385-4682-ad90-eeced33f2d07", + "type": "mitigates" + }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "mitigates" @@ -5347,6 +5510,14 @@ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "type": "mitigates" }, + { + "dest-uuid": "394220d9-8efc-4252-9040-664f7b115be6", + "type": "mitigates" + }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "type": "mitigates" + }, { "dest-uuid": "4ffc1794-ec3b-45be-9e52-42dbcb2af2de", "type": "mitigates" @@ -5477,6 +5648,10 @@ "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "type": "mitigates" }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "type": "mitigates" + }, { "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", "type": "mitigates" 
@@ -5497,6 +5672,14 @@ "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", "type": "mitigates" }, + { + "dest-uuid": "e848506b-8484-4410-8017-3d235a52f5b3", + "type": "mitigates" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "type": "mitigates" + }, { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "type": "mitigates" @@ -5550,6 +5733,10 @@ "dest-uuid": "19bf235b-8620-4997-b5b4-94e0659ed7c3", "type": "mitigates" }, + { + "dest-uuid": "241f9ea8-f6ae-4f38-92f5-cef5b7e539dd", + "type": "mitigates" + }, { "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0", "type": "mitigates" @@ -5827,6 +6014,10 @@ ] }, "related": [ + { + "dest-uuid": "49fca0d2-685d-41eb-8bd4-05451cc3a742", + "type": "mitigates" + }, { "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", "type": "mitigates" @@ -5865,6 +6056,10 @@ "dest-uuid": "43f2776f-b4bd-4118-94b8-fee47e69676d", "type": "mitigates" }, + { + "dest-uuid": "7c46b364-8496-4234-8a56-f7e6727e21e1", + "type": "mitigates" + }, { "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", "type": "mitigates" @@ -6599,6 +6794,10 @@ "dest-uuid": "54ca26f3-c172-4231-93e5-ccebcac2161f", "type": "mitigates" }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "mitigates" + }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "mitigates" @@ -6651,6 +6850,10 @@ "dest-uuid": "ae7f3575-0a5e-427e-991b-fe03ad44c754", "type": "mitigates" }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "mitigates" + }, { "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", "type": "mitigates" @@ -6683,6 +6886,10 @@ "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", "type": "mitigates" }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "type": "mitigates" + }, { "dest-uuid": "d4b96d2c-1032-4b22-9235-2b5b649d0605", "type": "mitigates" 
@@ -6714,6 +6921,10 @@ { "dest-uuid": "fc74ba38-dc98-461f-8611-b3dbf9978e3d", "type": "mitigates" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "mitigates" } ], "uuid": "b045d015-6bed-4490-bd38-56b41ece59a0", @@ -7442,6 +7653,10 @@ "dest-uuid": "0ad7bc5c-235a-4048-944b-3b286676cb74", "type": "mitigates" }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "mitigates" + }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "mitigates" @@ -7494,6 +7709,10 @@ "dest-uuid": "52759bf1-fe12-4052-ace6-c5b0cf7dd7fd", "type": "mitigates" }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "mitigates" + }, { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "type": "mitigates" @@ -7542,6 +7761,10 @@ "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", "type": "mitigates" }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "type": "mitigates" + }, { "dest-uuid": "bf147104-abf9-4221-95d1-e81585859441", "type": "mitigates" @@ -7562,10 +7785,6 @@ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "mitigates" }, - { - "dest-uuid": "e8a0a025-3601-4755-abfb-8d08283329fb", - "type": "mitigates" - }, { "dest-uuid": "ee7ff928-801c-4f34-8a99-3df965e581a5", "type": "mitigates" @@ -7680,6 +7899,10 @@ "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "mitigates" }, + { + "dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21", + "type": "mitigates" + }, { "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", "type": "mitigates" @@ -7692,10 +7915,18 @@ "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "type": "mitigates" }, + { + "dest-uuid": "48b836c6-e4ca-435a-82a3-29c03e5b492e", + "type": "mitigates" + }, { "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", "type": "mitigates" }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "mitigates" + }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "mitigates" 
@@ -7768,6 +7999,10 @@ "dest-uuid": "bb5e59c4-abe7-40c7-8196-e373cb1e5974", "type": "mitigates" }, + { + "dest-uuid": "bbfbb096-6561-4d7d-aa2c-a5ee8e44c696", + "type": "mitigates" + }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "mitigates" @@ -7792,6 +8027,10 @@ "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", "type": "mitigates" }, + { + "dest-uuid": "d4b96d2c-1032-4b22-9235-2b5b649d0605", + "type": "mitigates" + }, { "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", "type": "mitigates" @@ -7823,6 +8062,10 @@ { "dest-uuid": "f870408c-b1cd-49c7-a5c7-0ef0fc496cc6", "type": "mitigates" + }, + { + "dest-uuid": "fb75213f-cfb0-40bf-a02f-3bad93d6601e", + "type": "mitigates" } ], "uuid": "2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a", @@ -8027,6 +8270,10 @@ "dest-uuid": "b8017880-4b1e-42de-ad10-ae7ac6705166", "type": "mitigates" }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "mitigates" + }, { "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", "type": "mitigates" @@ -8105,6 +8352,10 @@ "dest-uuid": "0cfe31a7-81fc-472c-bc45-e2808d1066a3", "type": "mitigates" }, + { + "dest-uuid": "1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4", + "type": "mitigates" + }, { "dest-uuid": "1988cc35-ced8-4dad-b2d1-7628488fa967", "type": "mitigates" @@ -8255,6 +8506,10 @@ "dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665", "type": "mitigates" }, + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "type": "mitigates" + }, { "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", "type": "mitigates" @@ -8355,6 +8610,10 @@ "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", "type": "mitigates" }, + { + "dest-uuid": "afddee82-3385-4682-ad90-eeced33f2d07", + "type": "mitigates" + }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "mitigates" 
@@ -8460,10 +8719,18 @@ "dest-uuid": "0ad7bc5c-235a-4048-944b-3b286676cb74", "type": "mitigates" }, + { + "dest-uuid": "0ce73446-8722-4086-9d43-514f1d0f669e", + "type": "mitigates" + }, { "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", "type": "mitigates" }, + { + "dest-uuid": "0ff59227-8aa8-4c09-bf1f-925605bd07ea", + "type": "mitigates" + }, { "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", "type": "mitigates" @@ -8548,6 +8815,10 @@ "dest-uuid": "b83e166d-13d7-4b52-8677-dff90c548fd7", "type": "mitigates" }, + { + "dest-uuid": "bbfbb096-6561-4d7d-aa2c-a5ee8e44c696", + "type": "mitigates" + }, { "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", "type": "mitigates" @@ -8560,6 +8831,10 @@ "dest-uuid": "cca0ccb6-a068-4574-a722-b1556f86833a", "type": "mitigates" }, + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "type": "mitigates" + }, { "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", "type": "mitigates" @@ -8649,6 +8924,10 @@ "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", "type": "mitigates" }, + { + "dest-uuid": "cc279e50-df85-4c8e-be80-6dc2eda8849c", + "type": "mitigates" + }, { "dest-uuid": "d245808a-7086-4310-984a-a84aaaa43f8f", "type": "mitigates" @@ -8974,10 +9253,6 @@ "dest-uuid": "0dda99f0-4701-48ca-9774-8504922e92d3", "type": "mitigates" }, - { - "dest-uuid": "0ff59227-8aa8-4c09-bf1f-925605bd07ea", - "type": "mitigates" - }, { "dest-uuid": "149b477f-f364-4824-b1b5-aa1d56115869", "type": "mitigates" @@ -9351,6 +9626,10 @@ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "mitigates" }, + { + "dest-uuid": "b577dfc1-0177-4522-8d5a-782127c8592b", + "type": "mitigates" + }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "mitigates" @@ -9498,6 +9777,10 @@ "dest-uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a", "type": "mitigates" }, + { + "dest-uuid": "0ce73446-8722-4086-9d43-514f1d0f669e", + "type": "mitigates" + }, { "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", "type": "mitigates" 
@@ -9510,6 +9793,10 @@ "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", "type": "mitigates" }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "mitigates" + }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "mitigates" @@ -9542,6 +9829,10 @@ "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "mitigates" }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "mitigates" + }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "mitigates" @@ -9570,6 +9861,10 @@ "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", "type": "mitigates" }, + { + "dest-uuid": "394220d9-8efc-4252-9040-664f7b115be6", + "type": "mitigates" + }, { "dest-uuid": "3986e7fd-a8e9-4ecb-bfc6-55920855912b", "type": "mitigates" @@ -9582,6 +9877,10 @@ "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", "type": "mitigates" }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "type": "mitigates" + }, { "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "type": "mitigates" @@ -9658,6 +9957,10 @@ "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", "type": "mitigates" }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "mitigates" + }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "type": "mitigates" @@ -9738,6 +10041,10 @@ "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", "type": "mitigates" }, + { + "dest-uuid": "afddee82-3385-4682-ad90-eeced33f2d07", + "type": "mitigates" + }, { "dest-uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec", "type": "mitigates" @@ -9754,6 +10061,10 @@ "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", "type": "mitigates" }, + { + "dest-uuid": "bbfbb096-6561-4d7d-aa2c-a5ee8e44c696", + "type": "mitigates" + }, { "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", "type": "mitigates" 
@@ -9778,6 +10089,10 @@ "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", "type": "mitigates" }, + { + "dest-uuid": "d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0", + "type": "mitigates" + }, { "dest-uuid": "d456de47-a16f-4e46-8980-e67478a12dcb", "type": "mitigates" @@ -9818,14 +10133,22 @@ "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "type": "mitigates" }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "mitigates" + }, { "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", "type": "mitigates" + }, + { + "dest-uuid": "fb75213f-cfb0-40bf-a02f-3bad93d6601e", + "type": "mitigates" } ], "uuid": "cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8", "value": "Audit - M1047" } ], - "version": 29 + "version": 30 } diff --git a/clusters/mitre-data-component.json b/clusters/mitre-data-component.json index 34621e8..6d8549d 100644 --- a/clusters/mitre-data-component.json +++ b/clusters/mitre-data-component.json @@ -65,6 +65,10 @@ "dest-uuid": "7decb26c-715c-40cf-b7e0-026f7d7cc215", "type": "detects" }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "detects" + }, { "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", "type": "detects" @@ -183,6 +187,10 @@ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "type": "detects" }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "type": "detects" + }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "type": "detects" @@ -721,6 +729,10 @@ "dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2", "type": "detects" }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "detects" + }, { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "type": "detects" @@ -847,6 +859,10 @@ "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "detects" }, + { + "dest-uuid": "130d4494-b2d6-4040-bcea-6e59f05222fe", + "type": "detects" + }, { "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "type": "detects" 
@@ -1003,6 +1019,10 @@ "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", "type": "detects" }, + { + "dest-uuid": "924d273c-be0d-4d8d-af58-2dddb15ef1e2", + "type": "detects" + }, { "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", "type": "detects" @@ -1063,6 +1083,10 @@ "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", "type": "detects" }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "type": "detects" + }, { "dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc", "type": "detects" @@ -1071,10 +1095,18 @@ "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "type": "detects" }, + { + "dest-uuid": "b577dfc1-0177-4522-8d5a-782127c8592b", + "type": "detects" + }, { "dest-uuid": "bb5e59c4-abe7-40c7-8196-e373cb1e5974", "type": "detects" }, + { + "dest-uuid": "bbfbb096-6561-4d7d-aa2c-a5ee8e44c696", + "type": "detects" + }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "detects" @@ -1099,6 +1131,10 @@ "dest-uuid": "cca0ccb6-a068-4574-a722-b1556f86833a", "type": "detects" }, + { + "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "type": "detects" + }, { "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", "type": "detects" @@ -1155,6 +1191,10 @@ "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", "type": "detects" }, + { + "dest-uuid": "fb75213f-cfb0-40bf-a02f-3bad93d6601e", + "type": "detects" + }, { "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", "type": "detects" @@ -1199,6 +1239,10 @@ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", "type": "detects" }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "type": "detects" + }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "detects" @@ -1215,6 +1259,10 @@ "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b", "type": "detects" }, + { + "dest-uuid": "d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0", + "type": "detects" + }, { "dest-uuid": "deb22295-7e37-4a3b-ac6f-c86666fbe63d", "type": "included-in" 
@@ -1407,6 +1455,10 @@ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "type": "detects" }, + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "type": "detects" + }, { "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "type": "detects" @@ -1415,6 +1467,10 @@ "dest-uuid": "494ab9f0-36e0-4b06-b10d-57285b040a06", "type": "detects" }, + { + "dest-uuid": "49fca0d2-685d-41eb-8bd4-05451cc3a742", + "type": "detects" + }, { "dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665", "type": "detects" @@ -1719,6 +1775,10 @@ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "type": "detects" }, + { + "dest-uuid": "3e6831b2-bf4c-4ae6-b328-2e7c6633b291", + "type": "detects" + }, { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "type": "detects" @@ -1927,6 +1987,10 @@ "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "detects" }, + { + "dest-uuid": "718cb208-6446-4572-a2f0-9c799c60091e", + "type": "detects" + }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "detects" @@ -1999,6 +2063,10 @@ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "type": "detects" }, + { + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "type": "detects" + }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "detects" @@ -2383,6 +2451,10 @@ "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "type": "detects" }, + { + "dest-uuid": "bbfbb096-6561-4d7d-aa2c-a5ee8e44c696", + "type": "detects" + }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "detects" @@ -2403,6 +2475,10 @@ "dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c", "type": "detects" }, + { + "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db", + "type": "detects" + }, { "dest-uuid": "e49920b0-6c54-40c1-9571-73723653205f", "type": "detects" 
@@ -2455,10 +2531,22 @@ "refs": [] }, "related": [ + { + "dest-uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a", + "type": "detects" + }, { "dest-uuid": "144e007b-e638-431d-a894-45d90c54ab90", "type": "detects" }, + { + "dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7", + "type": "detects" + }, + { + "dest-uuid": "7d77a07d-02fe-4e88-8bd9-e9c008c01bf0", + "type": "detects" + }, { "dest-uuid": "b33d36e3-d7ea-4895-8eed-19a08a8f7c4f", "type": "included-in" @@ -2473,6 +2561,10 @@ "refs": [] }, "related": [ + { + "dest-uuid": "1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4", + "type": "detects" + }, { "dest-uuid": "45977f14-1bcc-4ec4-ac14-a30fd3a11f44", "type": "included-in" @@ -2481,6 +2573,10 @@ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "detects" }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "type": "detects" + }, { "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", "type": "detects" @@ -2495,10 +2591,18 @@ "refs": [] }, "related": [ + { + "dest-uuid": "0ce73446-8722-4086-9d43-514f1d0f669e", + "type": "detects" + }, { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "type": "detects" }, + { + "dest-uuid": "924d273c-be0d-4d8d-af58-2dddb15ef1e2", + "type": "detects" + }, { "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", "type": "detects" @@ -2511,6 +2615,10 @@ "dest-uuid": "cacc40da-4c9e-462c-80d5-fd70a178b12d", "type": "detects" }, + { + "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "type": "detects" + }, { "dest-uuid": "ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae", "type": "detects" @@ -2589,6 +2697,10 @@ "dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d", "type": "detects" }, + { + "dest-uuid": "241f9ea8-f6ae-4f38-92f5-cef5b7e539dd", + "type": "detects" + }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "detects" 
@@ -2649,6 +2761,10 @@ "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "type": "detects" }, + { + "dest-uuid": "48b836c6-e4ca-435a-82a3-29c03e5b492e", + "type": "detects" + }, { "dest-uuid": "4d2a5b3e-340d-4600-9123-309dd63c9bf8", "type": "detects" @@ -2725,6 +2841,10 @@ "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "detects" }, + { + "dest-uuid": "718cb208-6446-4572-a2f0-9c799c60091e", + "type": "detects" + }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "detects" @@ -2817,6 +2937,10 @@ "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "type": "detects" }, + { + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "type": "detects" + }, { "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c", "type": "detects" @@ -2937,6 +3061,10 @@ "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "detects" }, + { + "dest-uuid": "db8f5003-3b20-48f0-9b76-123e44208120", + "type": "detects" + }, { "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", "type": "detects" @@ -3127,6 +3255,10 @@ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "detects" }, + { + "dest-uuid": "241f9ea8-f6ae-4f38-92f5-cef5b7e539dd", + "type": "detects" + }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "detects" @@ -3179,6 +3311,10 @@ "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "type": "detects" }, + { + "dest-uuid": "48b836c6-e4ca-435a-82a3-29c03e5b492e", + "type": "detects" + }, { "dest-uuid": "4d2a5b3e-340d-4600-9123-309dd63c9bf8", "type": "detects" @@ -3255,6 +3391,10 @@ "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "detects" }, + { + "dest-uuid": "718cb208-6446-4572-a2f0-9c799c60091e", + "type": "detects" + }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "detects" 
@@ -3331,6 +3471,10 @@ "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "type": "detects" }, + { + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "type": "detects" + }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "detects" @@ -3367,6 +3511,10 @@ "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "detects" }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "type": "detects" + }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "detects" @@ -3963,6 +4111,10 @@ "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0", "type": "detects" }, + { + "dest-uuid": "394220d9-8efc-4252-9040-664f7b115be6", + "type": "detects" + }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "detects" @@ -4669,6 +4821,10 @@ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "type": "detects" }, + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "type": "detects" + }, { "dest-uuid": "494ab9f0-36e0-4b06-b10d-57285b040a06", "type": "detects" @@ -4861,6 +5017,10 @@ "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", "type": "detects" }, + { + "dest-uuid": "718cb208-6446-4572-a2f0-9c799c60091e", + "type": "detects" + }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "type": "detects" @@ -5081,6 +5241,10 @@ "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", "type": "detects" }, + { + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "type": "detects" + }, { "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c", "type": "detects" @@ -5109,6 +5273,10 @@ "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", "type": "detects" }, + { + "dest-uuid": "afddee82-3385-4682-ad90-eeced33f2d07", + "type": "detects" + }, { "dest-uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec", "type": "detects" 
@@ -5233,6 +5401,10 @@ "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "detects" }, + { + "dest-uuid": "cc279e50-df85-4c8e-be80-6dc2eda8849c", + "type": "detects" + }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "detects" @@ -5619,6 +5791,10 @@ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "type": "detects" }, + { + "dest-uuid": "49fca0d2-685d-41eb-8bd4-05451cc3a742", + "type": "detects" + }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "detects" @@ -5667,6 +5843,10 @@ "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", "type": "detects" }, + { + "dest-uuid": "718cb208-6446-4572-a2f0-9c799c60091e", + "type": "detects" + }, { "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", "type": "detects" @@ -5731,6 +5911,10 @@ "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", "type": "detects" }, + { + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "type": "detects" + }, { "dest-uuid": "ac9e6b22-11bf-45d7-9181-c1cb08360931", "type": "detects" @@ -5755,6 +5939,10 @@ "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", "type": "detects" }, + { + "dest-uuid": "b577dfc1-0177-4522-8d5a-782127c8592b", + "type": "detects" + }, { "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", "type": "detects" @@ -6137,6 +6325,10 @@ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "detects" }, + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "type": "detects" + }, { "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", "type": "detects" @@ -6613,6 +6805,10 @@ "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", "type": "detects" }, + { + "dest-uuid": "718cb208-6446-4572-a2f0-9c799c60091e", + "type": "detects" + }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "type": "detects" 
@@ -6777,6 +6973,10 @@ "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", "type": "detects" }, + { + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "type": "detects" + }, { "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c", "type": "detects" @@ -6925,6 +7125,10 @@ "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "detects" }, + { + "dest-uuid": "cc279e50-df85-4c8e-be80-6dc2eda8849c", + "type": "detects" + }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "detects" @@ -7077,6 +7281,10 @@ "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "type": "detects" }, + { + "dest-uuid": "f4c3f644-ab33-433d-8648-75cc03a95792", + "type": "detects" + }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "detects" @@ -8029,6 +8237,10 @@ "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d", "type": "detects" }, + { + "dest-uuid": "afddee82-3385-4682-ad90-eeced33f2d07", + "type": "detects" + }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "detects" @@ -8251,6 +8463,10 @@ "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", "type": "detects" }, + { + "dest-uuid": "b577dfc1-0177-4522-8d5a-782127c8592b", + "type": "detects" + }, { "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", "type": "detects" @@ -8687,6 +8903,10 @@ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "type": "detects" }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "type": "detects" + }, { "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", "type": "detects" @@ -8703,6 +8923,10 @@ "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "detects" }, + { + "dest-uuid": "cc36eeae-2209-4e63-89d3-c97e19edf280", + "type": "detects" + }, { "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", "type": "detects" 
@@ -8791,6 +9015,10 @@ "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "type": "detects" }, + { + "dest-uuid": "f4c3f644-ab33-433d-8648-75cc03a95792", + "type": "detects" + }, { "dest-uuid": "fa44a152-ac48-441e-a524-dd7b04b8adcd", "type": "detects" @@ -8941,6 +9169,10 @@ "dest-uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc", "type": "detects" }, + { + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "type": "detects" + }, { "dest-uuid": "a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", "type": "detects" @@ -9331,6 +9563,10 @@ "dest-uuid": "c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "type": "included-in" }, + { + "dest-uuid": "cc279e50-df85-4c8e-be80-6dc2eda8849c", + "type": "detects" + }, { "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", "type": "detects" @@ -9375,6 +9611,10 @@ "dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490", "type": "detects" }, + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "type": "detects" + }, { "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", "type": "detects" @@ -9487,6 +9727,10 @@ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "type": "detects" }, + { + "dest-uuid": "cc279e50-df85-4c8e-be80-6dc2eda8849c", + "type": "detects" + }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "type": "detects" @@ -9502,6 +9746,10 @@ { "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", "type": "detects" + }, + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "type": "detects" } ], "uuid": "ee575f4a-2d4f-48f6-b18b-89067760adc1", @@ -10252,5 +10500,5 @@ "value": "System Settings" } ], - "version": 2 + "version": 3 } diff --git a/clusters/mitre-data-source.json b/clusters/mitre-data-source.json index e0820f8..6ac52fe 100644 --- a/clusters/mitre-data-source.json +++ b/clusters/mitre-data-source.json 
@@ -57,15 +57,14 @@ "meta": { "external_id": "DS0002", "mitre_platforms": [ - "Azure AD", "Containers", - "Google Workspace", "IaaS", "Linux", - "Office 365", "SaaS", "Windows", - "macOS" + "macOS", + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/datasources/DS0002" @@ -157,13 +156,12 @@ "meta": { "external_id": "DS0006", "mitre_platforms": [ - "Azure AD", - "Google Workspace", "Linux", - "Office 365", "SaaS", "Windows", - "macOS" + "macOS", + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/datasources/DS0006", @@ -250,13 +248,12 @@ "meta": { "external_id": "DS0015", "mitre_platforms": [ - "Google Workspace", "IaaS", "Linux", - "Office 365", "SaaS", "Windows", - "macOS" + "macOS", + "Office Suite" ], "refs": [ "https://attack.mitre.org/datasources/DS0015", @@ -362,11 +359,10 @@ "meta": { "external_id": "DS0025", "mitre_platforms": [ - "Azure AD", - "Google Workspace", "IaaS", - "Office 365", - "SaaS" + "SaaS", + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/datasources/DS0025", @@ -400,8 +396,8 @@ "meta": { "external_id": "DS0026", "mitre_platforms": [ - "Azure AD", - "Windows" + "Windows", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/datasources/DS0026", @@ -438,14 +434,13 @@ "meta": { "external_id": "DS0028", "mitre_platforms": [ - "Azure AD", - "Google Workspace", "IaaS", "Linux", - "Office 365", "SaaS", "Windows", - "macOS" + "macOS", + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/datasources/DS0028", @@ -990,14 +985,13 @@ "meta": { "external_id": "DS0018", "mitre_platforms": [ - "Azure AD", - "Google Workspace", "IaaS", "Linux", - "Office 365", "SaaS", "Windows", - "macOS" + "macOS", + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/datasources/DS0018", 
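Review bot: The rewritten `mitre_platforms` arrays are no longer in a stable order: `"Office Suite"` and `"Identity Provider"` are appended after `"macOS"` where the remaining entries (`"Containers"`, `"IaaS"`, `"Linux"`, `"SaaS"`, `"Windows"`, `"macOS"`) keep their previous sorted order, and the same pattern repeats in each DS hunk here and in the DS0036 hunk that follows. This presumably mirrors the upstream ATT&CK ordering; if the generator sorts the array it should sort these too, otherwise the next regeneration will reshuffle them again. The replacement of `"Azure AD"`, `"Office 365"` and `"Google Workspace"` by the two consolidated values is a taxonomy change that consumers filtering on the old platform strings will not notice; a sentence in the commit description noting the platform consolidation would help downstream users update their filters.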
@@ -1205,12 +1199,11 @@ "meta": { "external_id": "DS0036", "mitre_platforms": [ - "Azure AD", - "Google Workspace", "IaaS", - "Office 365", "SaaS", - "Windows" + "Windows", + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/datasources/DS0036", @@ -1255,5 +1248,5 @@ "value": "Certificate - DS0037" } ], - "version": 2 + "version": 3 } diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json index 198ac48..aff1e23 100644 --- a/clusters/mitre-intrusion-set.json +++ b/clusters/mitre-intrusion-set.json 
@@ -1677,44 +1677,110 @@ "value": "Wizard Spider - G0102" }, { - "description": "[Ember Bear](https://attack.mitre.org/groups/G1003) is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. [Ember Bear](https://attack.mitre.org/groups/G1003) has primarily focused their operations against Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. Security researchers assess [Ember Bear](https://attack.mitre.org/groups/G1003) likely conducted the [WhisperGate](https://attack.mitre.org/software/S0689) destructive wiper attacks against Ukraine in early 2022.(Citation: CrowdStrike Ember Bear Profile March 2022)(Citation: Mandiant UNC2589 March 2022)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) ", + "description": "[Ember Bear](https://attack.mitre.org/groups/G1003) is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).(Citation: CISA GRU29155 2024) [Ember Bear](https://attack.mitre.org/groups/G1003) has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.(Citation: Cadet Blizzard emerges as novel threat actor) [Ember Bear](https://attack.mitre.org/groups/G1003) conducted the [WhisperGate](https://attack.mitre.org/software/S0689) destructive wiper attacks against Ukraine in early 2022.(Citation: CrowdStrike Ember Bear Profile March 2022)(Citation: Mandiant UNC2589 March 2022)(Citation: CISA GRU29155 2024) There is some confusion as to whether [Ember Bear](https://attack.mitre.org/groups/G1003) overlaps with another Russian-linked entity referred to as [Saint Bear](https://attack.mitre.org/groups/G1031). 
At present available evidence strongly suggests these are distinct activities with different behavioral profiles.(Citation: Cadet Blizzard emerges as novel threat actor)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "meta": { "external_id": "G1003", "refs": [ "https://attack.mitre.org/groups/G1003", "https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/", + "https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf", "https://www.crowdstrike.com/blog/who-is-ember-bear/", - "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation" + "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation", + "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" ], "synonyms": [ "Ember Bear", - "Saint Bear", "UNC2589", - "UAC-0056", - "Lorec53", - "Lorec Bear", - "Bleeding Bear" + "Bleeding Bear", + "DEV-0586", + "Cadet Blizzard", + "Frozenvista", + "UAC-0056" ] }, "related": [ { - "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { - "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "dest-uuid": "0458aab9-ad42-4eac-9e22-706a95bafee2", "type": "uses" }, { - "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "dest-uuid": "066b057c-944e-4cfc-b654-e3dfba04b926", "type": "uses" }, { - "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "type": "uses" + }, + { + "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", + "type": "uses" + }, + { + "dest-uuid": "0cfe31a7-81fc-472c-bc45-e2808d1066a3", + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "uses" + }, + { + 
"dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "type": "uses" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "uses" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "uses" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "type": "uses" + }, + { + "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", + "type": "uses" + }, + { + "dest-uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906", + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "uses" + }, + { + "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", + "type": "uses" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "type": "uses" + }, + { + "dest-uuid": "4800d0f9-00aa-47cd-a4d2-92198585b8fd", "type": "uses" }, { @@ -1722,7 +1788,19 @@ "type": "uses" }, { - "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "uses" + }, + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "type": "uses" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "uses" + }, + { + "dest-uuid": "5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", "type": "uses" }, { 
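Review bot: The synonyms `"Saint Bear"`, `"Lorec53"` and `"Lorec Bear"` are dropped from Ember Bear (G1003) without a visible `related` entry of type `"similar"` pointing at the Saint Bear cluster that the new description names as G1031, so events already tagged with those names lose their link to either cluster. If the G1031 cluster is added elsewhere in this commit, an entry such as `{"dest-uuid": "<G1031 cluster uuid>", "type": "similar"}` here would preserve the correlation, following the `"type": "similar"` entries that appear in the later hunks at `-3620` and `-4331`; if it is not, the dropped synonyms should stay until it is. Separately, the description value appears to contain a raw line break between `…(G1031). ` and `At present available evidence…`; that is most likely a rendering artifact of this page, but if the file literally holds an unescaped newline inside the string it is not valid JSON and should be `\n`. The Ember Bear entry's `related` array continues past this hunk.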
@@ -1730,7 +1808,27 @@ "type": "uses" }, { - "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "dest-uuid": "59096109-a1dd-463b-87e7-a8d110fe3a79", + "type": "uses" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "uses" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "type": "uses" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "uses" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { @@ -1738,7 +1836,19 @@ "type": "uses" }, { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", + "type": "uses" + }, + { + "dest-uuid": "79da0971-3147-4af6-a4f5-e8cd447cd795", + "type": "uses" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "type": "uses" + }, + { + "dest-uuid": "866d0d6d-02c6-42bd-aa2f-02907fdc0969", "type": "uses" }, { @@ -1746,7 +1856,19 @@ "type": "uses" }, { - "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "uses" + }, + { + "dest-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", + "type": "uses" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "uses" }, { @@ -1754,7 +1876,7 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { 
@@ -1762,31 +1884,51 @@ "type": "uses" }, { - "dest-uuid": "c113230f-f044-423b-af63-9b63c802f5ae", + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { - "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { - "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "dest-uuid": "c4810609-7da6-48ec-8057-1b70a7814db0", "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8", "type": "uses" }, { - "dest-uuid": "e7cbc1de-1f79-48ee-abfd-da1241c65a15", + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { - "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "dest-uuid": "db8f5003-3b20-48f0-9b76-123e44208120", + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "type": "uses" + }, + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "type": "uses" + }, + { + "dest-uuid": "f4b843c1-7e92-4701-8fed-ce82f8be2636", + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" } ], 
@@ -1861,7 +2003,7 @@ "https://attack.mitre.org/groups/G1006", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", - "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan", + "https://www.recordedfuture.com/research/chinese-group-tag-22-targets-nepal-philippines-taiwan", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" ], "synonyms": [ @@ -2191,6 +2333,10 @@ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, + { + "dest-uuid": "36dd807e-b5bc-4c3e-91ed-80682360148c", + "type": "uses" + }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" @@ -2223,6 +2369,10 @@ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, + { + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "type": "uses" + }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" @@ -2231,10 +2381,6 @@ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, - { - "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" 
@@ -3211,11 +3357,12 @@ "meta": { "external_id": "G0034", "refs": [ - "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html", + "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia/index.html", "https://attack.mitre.org/groups/G0034", "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf", "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/", "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", + "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/", "https://www.dragos.com/resource/electrum/", "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html", @@ -3237,10 +3384,15 @@ "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", - "FROZENBARENTS" + "FROZENBARENTS", + "APT44" ] }, "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "uses" + }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" @@ -3309,6 +3461,10 @@ "dest-uuid": "1da748a5-875d-4212-9222-b4c23ab861be", "type": "uses" }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "type": "uses" + }, { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "type": "uses" @@ -3361,10 +3517,18 @@ "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "type": "uses" }, + { + "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "type": "uses" + }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" 
@@ -3373,6 +3537,14 @@ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, + { + "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", + "type": "uses" + }, + { + "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", + "type": "uses" + }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" @@ -3393,6 +3565,10 @@ "dest-uuid": "4800d0f9-00aa-47cd-a4d2-92198585b8fd", "type": "uses" }, + { + "dest-uuid": "4b57c098-f043-4da2-83ef-7588a6d426bc", + "type": "uses" + }, { "dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470", "type": "uses" @@ -3425,6 +3601,10 @@ "dest-uuid": "60c4b628-4807-4b0b-bbf5-fdac8643c337", "type": "uses" }, + { + "dest-uuid": "6108f800-10b8-4090-944e-be579f01263d", + "type": "uses" + }, { "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", "type": "uses" @@ -3445,6 +3625,10 @@ "dest-uuid": "6ee2dc99-91ad-4534-a7d8-a649358c331f", "type": "uses" }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "type": "uses" + }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" @@ -3493,6 +3677,10 @@ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, + { + "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", + "type": "uses" + }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" @@ -3569,6 +3757,10 @@ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, + { + "dest-uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", + "type": "uses" + }, { "dest-uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df", "type": "uses" @@ -3620,6 +3812,10 @@ ], "type": "similar" }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "type": "uses" + }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" @@ -3864,6 +4060,10 @@ "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", "type": "uses" }, + { + "dest-uuid": "29ba5a15-3b7b-4732-b817-65ea8f6468e6", + "type": "uses" + }, { "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", "type": "uses" 
@@ -3924,6 +4124,10 @@ "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, + { + "dest-uuid": "79da0971-3147-4af6-a4f5-e8cd447cd795", + "type": "uses" + }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" @@ -3940,6 +4144,10 @@ "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, + { + "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", + "type": "uses" + }, { "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", "type": "uses" @@ -3956,6 +4164,10 @@ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, + { + "dest-uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8", + "type": "uses" + }, { "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", "type": "uses" @@ -3964,10 +4176,18 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "type": "uses" + }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "uses" + }, { "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", "type": "uses" @@ -3989,11 +4209,11 @@ "type": "uses" }, { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", "type": "uses" }, { - "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { @@ -4023,6 +4243,14 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "uses" + }, + { + "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac", + "type": "uses" } ], "uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", @@ -4174,6 +4402,10 @@ "dest-uuid": "35ee9bf3-264b-4411-8a8f-b58cec8f35e4", "type": "uses" }, + { + "dest-uuid": "36dd807e-b5bc-4c3e-91ed-80682360148c", + "type": "uses" + }, { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "type": "uses" 
@@ -4190,6 +4422,10 @@ "dest-uuid": "3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", "type": "uses" }, + { + "dest-uuid": "3e6831b2-bf4c-4ae6-b328-2e7c6633b291", + "type": "uses" + }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" @@ -4331,10 +4567,6 @@ ], "type": "similar" }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", - "type": "uses" - }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" @@ -4410,6 +4642,10 @@ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, + { + "dest-uuid": "d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0", + "type": "uses" + }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" 
@@ -4865,6 +5101,108 @@ "uuid": "8b1e16f6-e7c8-4b7a-a5df-f81232c13e2f", "value": "Cinnamon Tempest - G1021" }, + { + "description": "[Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool, [Saint Bot](https://attack.mitre.org/software/S1018), and information stealer, [OutSteel](https://attack.mitre.org/software/S1017) in campaigns. [Saint Bear](https://attack.mitre.org/groups/G1031) typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )(Citation: Cadet Blizzard emerges as novel threat actor) [Saint Bear](https://attack.mitre.org/groups/G1031) has previously been confused with [Ember Bear](https://attack.mitre.org/groups/G1003) operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.", + "meta": { + "external_id": "G1031", + "refs": [ + "https://attack.mitre.org/groups/G1031", + "https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/", + "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" + ], + "synonyms": [ + "Saint Bear", + "Storm-0587", + "TA471", + "UAC-0056", + "Lorec53" + ] + }, + "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "uses" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "uses" + }, + { + "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", + "type": "uses" + }, + { + "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", + "type": "uses" + }, + { + "dest-uuid": 
"57340c81-c025-4189-8fa0-fc7ede51bae4", + "type": "uses" + }, + { + "dest-uuid": "69f897fd-12a9-4c89-ad6a-46d2f3c38262", + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "uses" + }, + { + "dest-uuid": "7724581b-06ff-4d2b-b77c-80dc8d53070b", + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "type": "uses" + }, + { + "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "type": "uses" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "type": "uses" + }, + { + "dest-uuid": "c113230f-f044-423b-af63-9b63c802f5ae", + "type": "uses" + }, + { + "dest-uuid": "c9e0c59e-162e-40a4-b8b1-78fab4329ada", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "uses" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "uses" + } + ], + "uuid": "674582ec-51c4-42ce-b409-797239e37a2a", + "value": "Saint Bear - G1031" + }, { "description": "[Tonto Team](https://attack.mitre.org/groups/G0131) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. 
[Tonto Team](https://attack.mitre.org/groups/G0131) has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).(Citation: Kaspersky CactusPete Aug 2020)(Citation: ESET Exchange Mar 2021)(Citation: FireEye Chinese Espionage October 2019)(Citation: ARS Technica China Hack SK April 2017)(Citation: Trend Micro HeartBeat Campaign January 2013)(Citation: Talos Bisonal 10 Years March 2020)", "meta": { @@ -5080,6 +5418,10 @@ "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", "type": "uses" }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "type": "uses" + }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" @@ -5220,6 +5562,10 @@ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "type": "uses" }, + { + "dest-uuid": "fb75213f-cfb0-40bf-a02f-3bad93d6601e", + "type": "uses" + }, { "dest-uuid": "fde19a18-e502-467f-be14-58c71b4e7f4b", "type": "uses" @@ -5415,10 +5761,6 @@ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, - { - "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", - "type": "uses" - }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" @@ -5443,6 +5785,10 @@ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "type": "uses" }, + { + "dest-uuid": "fb75213f-cfb0-40bf-a02f-3bad93d6601e", + "type": "uses" + }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" 
@@ -5452,18 +5798,24 @@ "value": "Fox Kitten - G0117" }, { - "description": "[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. [Volt Typhoon](https://attack.mitre.org/groups/G1017) typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. [Volt Typhoon](https://attack.mitre.org/groups/G1017) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)", + "description": "[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and its territories including Guam. [Volt Typhoon](https://attack.mitre.org/groups/G1017)'s targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. 
[Volt Typhoon](https://attack.mitre.org/groups/G1017) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)", "meta": { "external_id": "G1017", "refs": [ "https://attack.mitre.org/groups/G1017", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF", + "https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations" ], "synonyms": [ "Volt Typhoon", - "BRONZE SILHOUETTE" + "BRONZE SILHOUETTE", + "Vanguard Panda", + "DEV-0391", + "UNC3236", + "Voltzite", + "Insidious Taurus" ] }, "related": [ @@ -5475,6 +5827,10 @@ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "type": "uses" + }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" 
@@ -5483,14 +5839,46 @@ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, + { + "dest-uuid": "09312b1a-c3c6-4b45-9844-3ccc78e5d82f", + "type": "uses" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "uses" + }, { "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "type": "uses" }, + { + "dest-uuid": "0a6ec267-83a9-41a5-98c7-57c3ff81e11f", + "type": "uses" + }, + { + "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5", + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "uses" + }, + { + "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", + "type": "uses" + }, { "dest-uuid": "149b477f-f364-4824-b1b5-aa1d56115869", "type": "uses" }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "type": "uses" + }, + { + "dest-uuid": "16cdd21f-da65-4e4f-bc04-dd7d198c7b26", + "type": "uses" + }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" @@ -5511,6 +5899,10 @@ "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "uses" + }, { "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", "type": "uses" 
@@ -5527,18 +5919,42 @@ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, + { + "dest-uuid": "2b5aa86b-a0df-4382-848d-30abea443327", + "type": "uses" + }, { "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "type": "uses" }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "type": "uses" + }, + { + "dest-uuid": "34ab90a3-05f6-4259-8f21-621081fdaba5", + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, + { + "dest-uuid": "36dd807e-b5bc-4c3e-91ed-80682360148c", + "type": "uses" + }, { "dest-uuid": "3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc", "type": "uses" }, + { + "dest-uuid": "39cc9f64-cf74-4a48-a4d8-fe98c54a02e0", + "type": "uses" + }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" @@ -5551,10 +5967,34 @@ "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "type": "uses" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "type": "uses" + }, { "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", "type": "uses" }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "uses" + }, + { + "dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4", + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "type": "uses" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "uses" + }, { "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "type": "uses" 
@@ -5563,10 +6003,30 @@ "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, + { + "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", + "type": "uses" + }, + { + "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", + "type": "uses" + }, + { + "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", + "type": "uses" + }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, + { + "dest-uuid": "69f897fd-12a9-4c89-ad6a-46d2f3c38262", + "type": "uses" + }, + { + "dest-uuid": "6c2957f9-502a-478c-b1dd-d626c0659413", + "type": "uses" + }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" @@ -5575,6 +6035,10 @@ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, { "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "type": "uses" @@ -5587,6 +6051,10 @@ "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "type": "uses" }, + { + "dest-uuid": "810d8072-afb6-4a56-9ee7-86379ac4a6f3", + "type": "uses" + }, { "dest-uuid": "866d0d6d-02c6-42bd-aa2f-02907fdc0969", "type": "uses" @@ -5595,6 +6063,10 @@ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, + { + "dest-uuid": "937e4772-8441-4e4a-8bf0-8d447d667e23", + "type": "uses" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" 
@@ -5603,22 +6075,54 @@ "dest-uuid": "981acc4c-2ede-4b56-be6e-fa1a75f37acf", "type": "uses" }, + { + "dest-uuid": "9d48cab2-7929-4812-ad22-f536665f0109", + "type": "uses" + }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, + { + "dest-uuid": "a0e6614a-7740-4b24-bd65-f1bde09fc365", + "type": "uses" + }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "uses" + }, + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "type": "uses" + }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "uses" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "type": "uses" + }, { "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "type": "uses" }, + { + "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", + "type": "uses" + }, + { + "dest-uuid": "bbc3cba7-84ae-410d-b18b-16750731dfa2", + "type": "uses" + }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" @@ -5631,6 +6135,18 @@ "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "uses" }, + { + "dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", + "type": "uses" + }, + { + "dest-uuid": "cc723aff-ec88-40e3-a224-5af9fd983cc4", + "type": "uses" + }, + { + "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", + "type": "uses" + }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" @@ -5639,6 +6155,10 @@ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "uses" + }, { "dest-uuid": "e196b5c5-8118-4a1c-ab8a-936586ce3db5", "type": "uses" 
@@ -5647,14 +6167,34 @@ "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "type": "uses" + }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "uses" + }, + { + "dest-uuid": "ec4be82f-940c-4dcb-87fe-2bbdd17c692f", + "type": "uses" + }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "type": "uses" }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "uses" + }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" @@ -5662,6 +6202,10 @@ { "dest-uuid": "f91162cc-1686-4ff8-8115-bf3f61a4cc7a", "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "type": "uses" } ], "uuid": "174279b4-399f-4ddb-966e-5efedd1dd5f2", @@ -5673,6 +6217,7 @@ "external_id": "G0119", "refs": [ "https://attack.mitre.org/groups/G0119", + "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions/", "https://home.treasury.gov/news/press-releases/sm845", "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/", @@ -5682,7 +6227,8 @@ "Indrik Spider", "Evil Corp", "Manatee Tempest", - "DEV-0243" + "DEV-0243", + "UNC2165" ] }, "related": [ @@ -5690,6 +6236,10 @@ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, + { + "dest-uuid": "0458aab9-ad42-4eac-9e22-706a95bafee2", + "type": "uses" + }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" 
@@ -5714,6 +6264,14 @@ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "type": "uses" + }, + { + "dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21", + "type": "uses" + }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" @@ -5726,10 +6284,18 @@ "dest-uuid": "46cbafbc-8907-42d3-9002-5327c26f8927", "type": "uses" }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "type": "uses" + }, { "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163", "type": "uses" }, + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "type": "uses" + }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" @@ -5742,10 +6308,18 @@ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "type": "uses" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, + { + "dest-uuid": "9d48cab2-7929-4812-ad22-f536665f0109", + "type": "uses" + }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" @@ -5762,10 +6336,22 @@ "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "uses" + }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "type": "uses" + }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "uses" 
@@ -5790,10 +6376,18 @@ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "uses" + }, { "dest-uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19", "type": "uses" }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "type": "uses" + }, { "dest-uuid": "fa766a65-5136-4ff3-8429-36d08eaa0100", "type": "uses" 
@@ -5882,6 +6476,159 @@ "uuid": "90784c1e-4aba-40eb-9adf-7556235e6384", "value": "Silent Librarian - G0122" }, + { + "description": "[INC Ransom](https://attack.mitre.org/groups/G1032) is a ransomware and data extortion threat group associated with the deployment of [INC Ransomware](https://attack.mitre.org/software/S1139) that has been active since at least July 2023. [INC Ransom](https://attack.mitre.org/groups/G1032) has targeted organizations worldwide most commonly in the industrial, healthcare, and education sectors in the US and Europe.(Citation: Bleeping Computer INC Ransomware March 2024)(Citation: Cybereason INC Ransomware November 2023)(Citation: Secureworks GOLD IONIC April 2024)(Citation: SentinelOne INC Ransomware)", + "meta": { + "external_id": "G1032", + "refs": [ + "https://attack.mitre.org/groups/G1032", + "https://www.bleepingcomputer.com/news/security/inc-ransom-threatens-to-leak-3tb-of-nhs-scotland-stolen-data/", + "https://www.cybereason.com/hubfs/dam/collateral/reports/threat-alert-inc-ransomware.pdf", + "https://www.secureworks.com/blog/gold-ionic-deploys-inc-ransomware", + "https://www.sentinelone.com/anthology/inc-ransom/" + ], + "synonyms": [ + "INC Ransom", + "GOLD IONIC" + ] + }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "uses" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "uses" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "uses" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "uses" + }, + { + "dest-uuid": 
"4061e78c-1284-44b4-9116-73e4ac3912f7", + "type": "uses" + }, + { + "dest-uuid": "59096109-a1dd-463b-87e7-a8d110fe3a79", + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "type": "uses" + }, + { + "dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3", + "type": "uses" + }, + { + "dest-uuid": "981acc4c-2ede-4b56-be6e-fa1a75f37acf", + "type": "uses" + }, + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "type": "uses" + }, + { + "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "type": "uses" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "type": "uses" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "uses" + }, + { + "dest-uuid": "c256da91-6dd5-40b2-beeb-ee3b22ab3d27", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "uses" + }, + { + "dest-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", + "type": "uses" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "type": "uses" + }, + { + "dest-uuid": "f25d4207-25b2-4bb0-a17a-403943c670ad", + "type": "uses" + }, + { + "dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87", + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "type": "uses" + } + ], + "uuid": "cb41e991-65f4-4668-a65f-f4200545b5a1", + "value": "INC 
Ransom - G1032" + }, { "description": "[Volatile Cedar](https://attack.mitre.org/groups/G0123) is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. [Volatile Cedar](https://attack.mitre.org/groups/G0123) has been operating since 2012 and is motivated by political and ideological interests.(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021)", "meta": { 
@@ -6150,6 +6897,110 @@ "uuid": "420ac20b-f2b9-42b8-aa1a-6d4b72895ca4", "value": "Mustang Panda - G0129" }, + { + "description": "[Star Blizzard](https://attack.mitre.org/groups/G1033) is a cyber espionage and influence group originating in Russia that has been active since at least 2019. [Star Blizzard](https://attack.mitre.org/groups/G1033) campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.(Citation: Microsoft Star Blizzard August 2022)(Citation: CISA Star Blizzard Advisory December 2023)(Citation: StarBlizzard)(Citation: Google TAG COLDRIVER January 2024)\n", + "meta": { + "external_id": "G1033", + "refs": [ + "https://attack.mitre.org/groups/G1033", + "https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a", + "https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/", + "https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/" + ], + "synonyms": [ + "Star Blizzard", + "SEABORGIUM", + "Callisto Group", + "TA446", + "COLDRIVER" + ] + }, + "related": [ + { + "dest-uuid": "0458aab9-ad42-4eac-9e22-706a95bafee2", + "type": "uses" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "type": "uses" + }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "uses" + }, + { + "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", + "type": "uses" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "uses" + }, + { + "dest-uuid": "3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", + "type": "uses" + }, + { + "dest-uuid": 
"3ee16395-03f0-4690-a32e-69ce9ada0f9e", + "type": "uses" + }, + { + "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", + "type": "uses" + }, + { + "dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4", + "type": "uses" + }, + { + "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", + "type": "uses" + }, + { + "dest-uuid": "7d77a07d-02fe-4e88-8bd9-e9c008c01bf0", + "type": "uses" + }, + { + "dest-uuid": "824a230d-0f6a-4fd0-99df-8d464db2265e", + "type": "uses" + }, + { + "dest-uuid": "8982a661-d84c-48c0-b4ec-1db29c6cf3bc", + "type": "uses" + }, + { + "dest-uuid": "a0e6614a-7740-4b24-bd65-f1bde09fc365", + "type": "uses" + }, + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "uses" + }, + { + "dest-uuid": "b1ccd744-3f78-4a0e-9bb2-2002057f7928", + "type": "uses" + }, + { + "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", + "type": "uses" + }, + { + "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", + "type": "uses" + } + ], + "uuid": "9b36c218-4d80-4ec6-a68d-cc2886bbe410", + "value": "Star Blizzard - G1033" + }, { "description": "\n[Nomadic Octopus](https://attack.mitre.org/groups/G0133) is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. [Nomadic Octopus](https://attack.mitre.org/groups/G0133) has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.(Citation: Security Affairs DustSquad Oct 2018)(Citation: Securelist Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018)", "meta": { 
@@ -6220,6 +7071,30 @@ "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "uses" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "uses" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "type": "uses" + }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "type": "uses" + }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" @@ -6232,18 +7107,62 @@ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, + { + "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "uses" + }, + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "type": "uses" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "uses" + }, { "dest-uuid": "5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", "type": "uses" }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "type": "uses" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "uses" + }, + { + "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", + "type": "uses" + }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "type": "uses" + }, { "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", "type": "uses" }, + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "type": "uses" + }, + { + "dest-uuid": "866d0d6d-02c6-42bd-aa2f-02907fdc0969", + "type": "uses" + }, + { + "dest-uuid": "8787e86d-8475-4f13-acea-d33eb83b6105", + "type": "uses" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" 
@@ -6256,10 +7175,18 @@ "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "type": "uses" + }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "uses" + }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" @@ -6268,6 +7195,10 @@ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, + { + "dest-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", + "type": "uses" + }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" @@ -6280,9 +7211,25 @@ "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", "type": "uses" }, + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "uses" + }, + { + "dest-uuid": "ec9e00dd-0313-4d5b-8105-c20aa47abffc", + "type": "uses" + }, + { + "dest-uuid": "f91162cc-1686-4ff8-8115-bf3f61a4cc7a", + "type": "uses" } ], "uuid": "64b52e7d-b2c4-4a02-9372-08a463f5dc11", 
@@ -6397,6 +7344,275 @@ "uuid": "e44e0985-bc65-4a8f-b578-211c858128e3", "value": "Transparent Tribe - G0134" }, + { + "description": "Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of Indian and US victims. The group leverages a combination of document-based phishing activity and server-side exploitation for initial access, leveraging adversary-controlled and -created infrastructure for follow-on command and control.(Citation: DomainTools WinterVivern 2021)(Citation: SentinelOne WinterVivern 2023)(Citation: CERT-UA WinterVivern 2023)(Citation: ESET WinterVivern 2023)(Citation: Proofpoint WinterVivern 2023)", + "meta": { + "external_id": "G1035", + "refs": [ + "https://attack.mitre.org/groups/G1035", + "https://cert.gov.ua/article/3761104", + "https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs/", + "https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability", + "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/", + "https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/" + ], + "synonyms": [ + "Winter Vivern", + "TA473", + "UAC-0114" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "uses" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "type": "uses" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "uses" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "uses" + }, + { 
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "uses" + }, + { + "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "type": "uses" + }, + { + "dest-uuid": "5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", + "type": "uses" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "uses" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "type": "uses" + }, + { + "dest-uuid": "79da0971-3147-4af6-a4f5-e8cd447cd795", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "type": "uses" + }, + { + "dest-uuid": "ae797531-3219-49a4-bccf-324ad7a4c7b2", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "uses" + } + ], + "uuid": "75a07184-a7e5-4222-95a1-a04dbc96a29c", + "value": "Winter Vivern - G1035" + }, + { + "description": "[Moonstone Sleet](https://attack.mitre.org/groups/G1036) is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. 
The group previously overlapped significantly with another North Korean-linked entity, [Lazarus Group](https://attack.mitre.org/groups/G0032), but has differentiated its tradecraft since 2023. [Moonstone Sleet](https://attack.mitre.org/groups/G1036) is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.(Citation: Microsoft Moonstone Sleet 2024)", + "meta": { + "external_id": "G1036", + "refs": [ + "https://attack.mitre.org/groups/G1036", + "https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" + ], + "synonyms": [ + "Moonstone Sleet", + "Storm-1789" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "uses" + }, + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "type": "uses" + }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "uses" + }, + { + "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", + "type": "uses" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", + "type": "uses" + }, + { + "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", + "type": "uses" + }, + { + "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", + "type": "uses" + }, + { + "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", + "type": "uses" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": 
"uses" + }, + { + "dest-uuid": "69f897fd-12a9-4c89-ad6a-46d2f3c38262", + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "uses" + }, + { + "dest-uuid": "79da0971-3147-4af6-a4f5-e8cd447cd795", + "type": "uses" + }, + { + "dest-uuid": "937e4772-8441-4e4a-8bf0-8d447d667e23", + "type": "uses" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "uses" + }, + { + "dest-uuid": "b1ccd744-3f78-4a0e-9bb2-2002057f7928", + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "type": "uses" + }, + { + "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", + "type": "uses" + }, + { + "dest-uuid": "cca0ccb6-a068-4574-a722-b1556f86833a", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + }, + { + "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", + "type": "uses" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "type": "uses" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "uses" + } + ], + "uuid": "e6db1e55-b199-4b6b-8633-989345ee45e0", + "value": "Moonstone Sleet - G1036" + }, { "description": "[Ferocious Kitten](https://attack.mitre.org/groups/G0137) is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "meta": { @@ -6616,10 +7832,6 @@ "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", "type": "uses" }, - { - "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", - "type": "uses" - }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" 
@@ -6639,6 +7851,10 @@ { "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", "type": "uses" + }, + { + "dest-uuid": "fb75213f-cfb0-40bf-a02f-3bad93d6601e", + "type": "uses" } ], "uuid": "d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7", @@ -7475,6 +8691,10 @@ "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, + { + "dest-uuid": "09b008a9-b4eb-462a-a751-a0eb58050cd9", + "type": "uses" + }, { "dest-uuid": "09fcc02f-f9d4-43fa-8609-5e5e186b7103", "type": "uses" @@ -7503,6 +8723,10 @@ "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "uses" + }, { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "type": "uses" @@ -7599,6 +8823,10 @@ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, + { + "dest-uuid": "6490afef-d88e-4e2b-b9d9-a472508ca59d", + "type": "uses" + }, { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "type": "uses" @@ -7687,6 +8915,10 @@ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, + { + "dest-uuid": "a5789a26-2b7b-4b2d-a25f-31182468d4bb", + "type": "uses" + }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "uses" @@ -7806,6 +9038,10 @@ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, + { + "dest-uuid": "e1284931-3f85-4262-a641-9ae8bb0576a0", + "type": "uses" + }, { "dest-uuid": "e196b5c5-8118-4a1c-ab8a-936586ce3db5", "type": "uses" @@ -8631,10 +9867,6 @@ "dest-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768", "type": "uses" }, - { - "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", - "type": "uses" - }, { "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", "type": "uses" @@ -8710,6 +9942,10 @@ "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, + { + "dest-uuid": "48b836c6-e4ca-435a-82a3-29c03e5b492e", + "type": "uses" + }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" 
@@ -10395,7 +11631,6 @@
 "IRON HEMLOCK",
 "NobleBaron",
 "Dark Halo",
- "StellarParticle",
 "NOBELIUM",
 "UNC2452",
 "YTTRIUM",
@@ -11503,6 +12738,155 @@ "uuid": "fe8796a4-2a02-41a0-9d27-7aa1e995feb6", "value": "APT19 - G0073" }, + { + "description": "[Agrius](https://attack.mitre.org/groups/G1030) is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.(Citation: SentinelOne Agrius 2021)(Citation: CheckPoint Agrius 2023) Public reporting has linked [Agrius](https://attack.mitre.org/groups/G1030) to Iran's Ministry of Intelligence and Security (MOIS).(Citation: Microsoft Iran Cyber 2023)", + "meta": { + "external_id": "G1030", + "refs": [ + "https://assets.sentinelone.com/sentinellabs/evol-agrius", + "https://attack.mitre.org/groups/G1030", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", + "https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/", + "https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/", + "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/05/Iran-turning-to-cyber-enabled-influence-operations-for-greater-effect-05022023.pdf" + ], + "synonyms": [ + "Agrius", + "Pink Sandstorm", + "AMERICIUM", + "Agonizing Serpens", + "BlackShadow" + ] + }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "uses" + }, + { + "dest-uuid": "0458aab9-ad42-4eac-9e22-706a95bafee2", + "type": "uses" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "uses" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "uses" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "uses" + }, + { + "dest-uuid": 
"3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "type": "uses" + }, + { + "dest-uuid": "47ab6350-054f-4754-ba4d-e52a4e8751e2", + "type": "uses" + }, + { + "dest-uuid": "48d96fa0-d027-45aa-a8c3-5d09f65d596d", + "type": "uses" + }, + { + "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", + "type": "uses" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "uses" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "uses" + }, + { + "dest-uuid": "663d7dee-5a47-459e-a5ef-e850a94a8ee5", + "type": "uses" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "type": "uses" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "type": "uses" + }, + { + "dest-uuid": "b5dc19b7-588d-403b-848d-c868bd61ffa1", + "type": "uses" + }, + { + "dest-uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8", + "type": "uses" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "uses" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "d6aefbbf-fbef-485a-973e-b5403d8f8b18", + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "type": "uses" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "uses" + }, + { + "dest-uuid": "f2e6af17-3828-4f10-88e7-343591618ddb", + "type": "uses" + } + ], + "uuid": "b8137919-38cb-4db0-90f3-437be885faba", + "value": "Agrius - 
G1030" + }, { "description": "[Mofang](https://attack.mitre.org/groups/G0103) is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.(Citation: FOX-IT May 2016 Mofang)", "meta": { 
@@ -11549,7 +12933,7 @@ "value": "Mofang - G0103" }, { - "description": "[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)\n", + "description": "[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)\n", "meta": { "external_id": "G0096", "refs": [ @@ -11579,6 +12963,10 @@ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, + { + "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", + "type": "uses" + }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" 
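Review bot: The new G0096 description cites `(Citation: apt41_mandiant)`, but the `refs` array that follows is left untouched by this change (the -11549 hunk ends on `"refs": [` and the next hunk, -11579, is already inside `related`), so unless a Mandiant URL was already in that list there is no reference backing the new citation. The key also breaks the spaced, human-readable form every other citation marker on this page uses, e.g. `(Citation: FireEye APT41 Aug 2019)` in the same sentence, which points at an upstream data-entry slip rather than a conversion problem. Since the `refs` list is the only place a reader can resolve a citation, the generated refs for G0096 are worth checking against the description's citation keys before merge.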
@@ -11635,10 +13023,6 @@ "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, - { - "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", - "type": "uses" - }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" @@ -11647,6 +13031,10 @@ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, + { + "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", + "type": "uses" + }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "type": "uses" @@ -11667,6 +13055,10 @@ "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, + { + "dest-uuid": "33139388-de0c-49ff-862a-041c315b142d", + "type": "uses" + }, { "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "type": "uses" @@ -11679,6 +13071,10 @@ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, + { + "dest-uuid": "37487ff6-de2a-4c14-9e8b-ba3b97f78aaf", + "type": "uses" + }, { "dest-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", "type": "uses" @@ -11691,10 +13087,18 @@ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, + { + "dest-uuid": "3e6831b2-bf4c-4ae6-b328-2e7c6633b291", + "type": "uses" + }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "uses" + }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" @@ -11727,6 +13131,10 @@ "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", "type": "uses" }, + { + "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163", + "type": "uses" + }, { "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", "type": "uses" @@ -11771,10 +13179,6 @@ "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", "type": "uses" }, - { - "dest-uuid": "76551c52-b111-4884-bc47-ff3e728f0156", - "type": "uses" - }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" 
@@ -11827,10 +13231,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", - "type": "uses" - }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" @@ -11839,10 +13239,18 @@ "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", "type": "uses" }, + { + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "type": "uses" + }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "type": "uses" + }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" @@ -11864,11 +13272,11 @@ "type": "uses" }, { - "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "dest-uuid": "b8017880-4b1e-42de-ad10-ae7ac6705166", "type": "uses" }, { - "dest-uuid": "bc76d0a4-db11-4551-9ac4-01a469cfb161", + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { @@ -11900,11 +13308,11 @@ "type": "uses" }, { - "dest-uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7", + "dest-uuid": "c9e0c59e-162e-40a4-b8b1-78fab4329ada", "type": "uses" }, { - "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "dest-uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7", "type": "uses" }, { @@ -11943,6 +13351,10 @@ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "uses" + }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" 
@@ -12120,6 +13532,164 @@ "uuid": "abc5a1d4-f0dc-49d1-88a1-4a80e478bb03", "value": "LazyScripter - G0140" }, + { + "description": "[Play](https://attack.mitre.org/groups/G1040) is a ransomware group that has been active since at least 2022 deploying [Playcrypt](https://attack.mitre.org/software/S1162) ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. [Play](https://attack.mitre.org/groups/G1040) actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)", + "meta": { + "external_id": "G1040", + "refs": [ + "https://attack.mitre.org/groups/G1040", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play" + ], + "synonyms": [ + "Play" + ] + }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "uses" + }, + { + "dest-uuid": "066b057c-944e-4cfc-b654-e3dfba04b926", + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "uses" + }, + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "type": "uses" + }, + { + "dest-uuid": "28ad4983-151e-4e30-9792-768470e92b3e", + "type": "uses" + }, + { + "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "uses" + }, + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "type": "uses" + }, + { + "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", + "type": "uses" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "uses" + }, + { + "dest-uuid": 
"707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "type": "uses" + }, + { + "dest-uuid": "981acc4c-2ede-4b56-be6e-fa1a75f37acf", + "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "type": "uses" + }, + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "type": "uses" + }, + { + "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", + "type": "uses" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "uses" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "type": "uses" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "uses" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + }, + { + "dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87", + "type": "uses" + }, + { + "dest-uuid": "f91162cc-1686-4ff8-8115-bf3f61a4cc7a", + "type": "uses" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "type": "uses" + } + ], + "uuid": "ecbf507f-6786-4121-a4cc-0fd6a8d3a29d", + "value": "Play - 
G1040" + }, { "description": "Operation [Sharpshooter](https://attack.mitre.org/groups/G0104) is the name of a cyber espionage campaign discovered in October 2018 targeting nuclear, defense, energy, and financial companies. Though overlaps between this adversary and [Lazarus Group](https://attack.mitre.org/groups/G0032) have been noted, definitive links have not been established.(Citation: McAfee Sharpshooter December 2018)", "meta": { @@ -12626,6 +14196,10 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, + { + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "type": "uses" + }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" @@ -12654,10 +14228,6 @@ "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, - { - "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", - "type": "uses" - }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" @@ -13231,7 +14801,7 @@ "https://attack.mitre.org/groups/G0022", "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html", - "https://www.recordedfuture.com/chinese-mss-behind-apt3/" + "https://www.recordedfuture.com/research/chinese-mss-behind-apt3" ], "synonyms": [ "APT3", @@ -13296,6 +14866,10 @@ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, + { + "dest-uuid": "3e6831b2-bf4c-4ae6-b328-2e7c6633b291", + "type": "uses" + }, { "dest-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", "type": "uses" @@ -13368,10 +14942,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", - "type": "uses" - }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "uses" 
@@ -13415,6 +14985,10 @@ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, + { + "dest-uuid": "d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0", + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" @@ -13457,13 +15031,13 @@ "external_id": "G0082", "refs": [ "https://attack.mitre.org/groups/G0082", - "https://content.fireeye.com/apt/rpt-apt38", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://securelist.com/lazarus-under-the-hood/77908/", "https://us-cert.cisa.gov/ncas/alerts/aa20-239a", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/", "https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and", + "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf", "https://www.secureworks.com/research/threat-profiles/nickel-gladstone" ], "synonyms": [ @@ -14061,6 +15635,10 @@ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "type": "uses" }, + { + "dest-uuid": "f2e6af17-3828-4f10-88e7-343591618ddb", + "type": "uses" + }, { "dest-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", "type": "uses" @@ -14330,6 +15908,10 @@ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, + { + "dest-uuid": "3e6831b2-bf4c-4ae6-b328-2e7c6633b291", + "type": "uses" + }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" @@ -14338,10 +15920,6 @@ "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "type": "uses" - }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" 
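Review bot: The -13457 hunk replaces `https://content.fireeye.com/apt/rpt-apt38` with the mandiant.com PDF instead of adding it, and -15709 does the same for `rpt-poison-ivy.pdf`, so the retired locators vanish from the only place a reader can resolve the descriptions' `(Citation: ...)` markers. The refs list already tolerates archived locators (the `https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf` entry in the -15709 hunk), so keeping an archive.org copy of the old URL next to the new one would preserve citation stability across vendor domain moves. If the list is generated from mitre/cti unchanged, this is an upstream request rather than something to hand-edit in this file.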
@@ -14433,10 +16011,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", - "type": "uses" - }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" @@ -14489,6 +16063,10 @@ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, + { + "dest-uuid": "d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0", + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" @@ -15709,9 +17287,9 @@ "https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html", - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", "https://www.justice.gov/opa/page/file/1122671/download", "https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion", + "https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf", "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", "https://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" ], 
@@ -16506,7 +18084,7 @@ "value": "RTM - G0048" }, { - "description": "[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.(Citation: EST Kimsuky April 2019)(Citation: BRI Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)\n\n[Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", + "description": "[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the UN and the government, education, business services, and manufacturing sectors in the United States, Japan, Russia, and Europe. 
[Kimsuky](https://attack.mitre.org/groups/G0094) has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions. [Kimsuky](https://attack.mitre.org/groups/G0094) operations have overlapped with those of other North Korean cyber espionage actors likely as a result of ad hoc collaborations or other limited resource sharing.(Citation: EST Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024)\n\n[Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", "meta": { "external_id": "G0094", "refs": [ 
@@ -16515,13 +18093,14 @@ "https://blog.alyac.co.kr/2234", "https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf", "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/", - "https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/", "https://global.ahnlab.com/global/upload/download/techreport/%5BAnalysis_Report%5DOperation%20Kabar%20Cobra.pdf", "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/", + "https://services.google.com/fh/files/misc/apt43-report-en.pdf", "https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/", "https://us-cert.cisa.gov/ncas/alerts/aa20-301a", "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite", + "https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering", "https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/" ], "synonyms": [ @@ -16529,7 +18108,9 @@ "Black Banshee", "Velvet Chollima", "Emerald Sleet", - "THALLIUM" + "THALLIUM", + "APT43", + "TA427" ] }, "related": [ @@ -16545,10 +18126,18 @@ "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", "type": "uses" }, + { + "dest-uuid": "0458aab9-ad42-4eac-9e22-706a95bafee2", + "type": "uses" + }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, + { + "dest-uuid": "05318127-5962-444b-b900-a9dcfe0ff6e9", + "type": "uses" + }, { "dest-uuid": "071d5d65-83ec-4a55-acfa-be7d5f28ba9a", "type": "uses" 
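Review bot: Adding `APT43` and `TA427` to the G0094 synonyms in the -16529 hunk folds two vendor-tracked clusters into Kimsuky, which is an attribution merge rather than an alias fix; the new description in the preceding hunk hedges it (`operations have overlapped ... likely as a result of ad hoc collaborations`), but the synonym list carries no such nuance. If another galaxy in this repository already holds APT43 or TA427 as a cluster of its own, events tagged there and here will now correlate through the shared name, so that overlap is worth checking before merge. The two new URLs (`https://services.google.com/fh/files/misc/apt43-report-en.pdf` and the Proofpoint TA427 post) do line up with the two new citation markers, and dropping the `brica.de` URL matches the removal of the `BRI Kimsuky April 2019` citation from the text.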
@@ -16645,6 +18234,10 @@ "dest-uuid": "3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", "type": "uses" }, + { + "dest-uuid": "3e6831b2-bf4c-4ae6-b328-2e7c6633b291", + "type": "uses" + }, { "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", "type": "uses" @@ -16669,6 +18262,10 @@ "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "type": "uses" + }, { "dest-uuid": "5256c0f8-9108-4c92-8b09-482dfacdcd94", "type": "uses" @@ -16745,6 +18342,14 @@ "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, + { + "dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3", + "type": "uses" + }, + { + "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "type": "uses" + }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" @@ -16789,10 +18394,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", - "type": "uses" - }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" @@ -16861,6 +18462,10 @@ "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, + { + "dest-uuid": "cca0ccb6-a068-4574-a722-b1556f86833a", + "type": "uses" + }, { "dest-uuid": "d1b7830a-fced-4be3-a99c-f495af9d9e1b", "type": "uses" @@ -16873,6 +18478,10 @@ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, + { + "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", + "type": "uses" + }, { "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", "type": "uses" 
@@ -16944,6 +18553,7 @@ "https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens", "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/", + "https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/", "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy" @@ -16956,7 +18566,8 @@ "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", - "EUROPIUM" + "EUROPIUM", + "ITG13" ] }, "related": [ @@ -17143,6 +18754,10 @@ "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, + { + "dest-uuid": "8d8518db-0f52-4f3c-8017-01389a8522bb", + "type": "uses" + }, { "dest-uuid": "8e101fdd-9f7f-4916-bb04-6bd9e94c129c", "type": "uses" @@ -18931,6 +20546,10 @@ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, + { + "dest-uuid": "3e6831b2-bf4c-4ae6-b328-2e7c6633b291", + "type": "uses" + }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" @@ -19011,10 +20630,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", - "type": "uses" - }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" 
@@ -19201,20 +20816,23 @@ "value": "TA551 - G0127" }, { - "description": "[CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)", + "description": "[CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East.(Citation: Symantec Tortoiseshell 2019) [CURIUM](https://attack.mitre.org/groups/G1012) has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. 
Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)", "meta": { "external_id": "G1012", "refs": [ "https://attack.mitre.org/groups/G1012", "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain", "https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021", - "https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media" + "https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html" ], "synonyms": [ "CURIUM", "Crimson Sandstorm", "TA456", - "Tortoise Shell" + "Tortoise Shell", + "Yellow Liderc" ] }, "related": [ 
@@ -19222,14 +20840,78 @@ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, + { + "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", + "type": "uses" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "uses" + }, + { + "dest-uuid": "3058b264-fe6b-46be-8948-2d1fadaf8adf", + "type": "uses" + }, + { + "dest-uuid": "31fe0ba2-62fd-4fd9-9293-4043d84f7fe9", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, + { + "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", + "type": "uses" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "uses" + }, + { + "dest-uuid": "60c4b628-4807-4b0b-bbf5-fdac8643c337", + "type": "uses" + }, + { + "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", + "type": "uses" + }, + { + "dest-uuid": "79da0971-3147-4af6-a4f5-e8cd447cd795", + "type": "uses" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "type": "uses" + }, + { + "dest-uuid": "ae797531-3219-49a4-bccf-324ad7a4c7b2", + "type": "uses" + }, { "dest-uuid": "b1ccd744-3f78-4a0e-9bb2-2002057f7928", "type": "uses" }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "uses" + }, { "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", "type": "uses" 
@@ -19622,7 +21304,7 @@ "refs": [ "https://attack.mitre.org/groups/G0114", "https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf", - "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" + "https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" ], "synonyms": [ "Chimera" @@ -20334,6 +22016,10 @@ "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "type": "uses" }, + { + "dest-uuid": "3e6831b2-bf4c-4ae6-b328-2e7c6633b291", + "type": "uses" + }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" @@ -20414,10 +22100,6 @@ "dest-uuid": "9a097d18-d15f-4635-a4f1-189df7efdc40", "type": "uses" }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", - "type": "uses" - }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" @@ -20755,6 +22437,10 @@ "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, + { + "dest-uuid": "05fb53c8-e2ac-4e17-a0c9-a0825e1198bf", + "type": "uses" + }, { "dest-uuid": "0dda99f0-4701-48ca-9774-8504922e92d3", "type": "uses" @@ -21137,6 +22823,10 @@ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, + { + "dest-uuid": "149b477f-f364-4824-b1b5-aa1d56115869", + "type": "uses" + }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" @@ -21193,6 +22883,10 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "uses" + }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" 
@@ -21241,6 +22935,219 @@ "uuid": "4283ae19-69c7-4347-a35e-b56f08eb660b", "value": "ZIRCONIUM - G0128" }, + { + "description": "[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. [Daggerfly](https://attack.mitre.org/groups/G1034) is associated with exclusive use of [MgBot](https://attack.mitre.org/software/S1146) malware and is noted for several potential supply chain infection campaigns.(Citation: Symantec Daggerfly 2023)(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2024)(Citation: ESET EvasivePanda 2024)", + "meta": { + "external_id": "G1034", + "refs": [ + "https://attack.mitre.org/groups/G1034", + "https://symantec-enterprise-blogs.security.com/threat-intelligence/apt-attacks-telecoms-africa-mgbot", + "https://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfly-espionage-updated-toolset", + "https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/", + "https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/" + ], + "synonyms": [ + "Daggerfly", + "Evasive Panda", + "BRONZE HIGHLAND" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "uses" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "uses" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "uses" + }, + { + "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", + "type": "uses" + }, + { + "dest-uuid": "34b3f738-bd64-40e5-a112-29b0542bc8bf", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "51f78dfc-52f9-424e-8753-bb4246188313", + "type": "uses" + }, + { + "dest-uuid": 
"635cbe30-392d-4e27-978e-66774357c762", + "type": "uses" + }, + { + "dest-uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", + "type": "uses" + }, + { + "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "type": "uses" + }, + { + "dest-uuid": "a36eedea-9523-4abb-96e8-205f171ee763", + "type": "uses" + }, + { + "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", + "type": "uses" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "uses" + }, + { + "dest-uuid": "bdee9574-7479-4073-a7dc-e86d8acd073a", + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "type": "uses" + }, + { + "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + }, + { + "dest-uuid": "e196b5c5-8118-4a1c-ab8a-936586ce3db5", + "type": "uses" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "uses" + } + ], + "uuid": "f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6", + "value": "Daggerfly - G1034" + }, + { + "description": "[TA577](https://attack.mitre.org/groups/G1037) is an initial access broker (IAB) that has distributed [QakBot](https://attack.mitre.org/software/S0650) and [Pikabot](https://attack.mitre.org/software/S1145), and was among the first observed groups distributing [Latrodectus](https://attack.mitre.org/software/S1160) in 2023.(Citation: Latrodectus APR 2024)", + "meta": { + "external_id": "G1037", + "refs": [ + "https://attack.mitre.org/groups/G1037", + "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" + ], + "synonyms": [ + "TA577" + ] + }, + "related": [ + { + "dest-uuid": 
"02739f57-7585-4319-acd3-794ae8ff3a70", + "type": "uses" + }, + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "type": "uses" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "type": "uses" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "uses" + }, + { + "dest-uuid": "3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", + "type": "uses" + }, + { + "dest-uuid": "76fde8df-3495-47c9-82eb-125c4f7fb621", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9", + "type": "uses" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "uses" + } + ], + "uuid": "13ef3485-70d2-4567-b934-0e83c1eafcf1", + "value": "TA577 - G1037" + }, + { + "description": "[TA578](https://attack.mitre.org/groups/G1038) is a threat actor that has used contact forms and email to initiate communications with victims and to distribute malware including [Latrodectus](https://attack.mitre.org/software/S1160), [IcedID](https://attack.mitre.org/software/S0483), and [Bumblebee](https://attack.mitre.org/software/S1039).(Citation: Latrodectus APR 2024)(Citation: Bitsight Latrodectus June 2024)", + "meta": { + "external_id": "G1038", + "refs": [ + "https://attack.mitre.org/groups/G1038", + "https://www.bitsight.com/blog/latrodectus-are-you-coming-back", + "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" + ], + "synonyms": [ + "TA578" + ] + }, + "related": [ + { + "dest-uuid": "04378e79-4387-468a-a8f7-f974b8254e44", + "type": "uses" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "type": "uses" + }, + { + "dest-uuid": "16cdd21f-da65-4e4f-bc04-dd7d198c7b26", + "type": "uses" + }, + { + "dest-uuid": "5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "type": "uses" + }, + { + "dest-uuid": "76fde8df-3495-47c9-82eb-125c4f7fb621", + "type": "uses" + }, + { + "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", 
+ "type": "uses" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "uses" + } + ], + "uuid": "a5cfbc79-316c-42f2-915d-6e8fef4085f8", + "value": "TA578 - G1038" + }, { "description": "[BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) is a cyber espionage threat group that has been active since at least 2017. [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.(Citation: ESET BackdoorDiplomacy Jun 2021)", "meta": { @@ -21402,13 +23309,13 @@ "meta": { "external_id": "G0138", "refs": [ - "http://download.ahnlab.com/global/brochure/%5BAnalysis%5DAndariel_Group.pdf", "http://www.issuemakerslab.com/research3/", "https://adversary.crowdstrike.com/en-US/adversary/silent-chollima/", "https://attack.mitre.org/groups/G0138", + "https://fsiceat.tistory.com/2", "https://home.treasury.gov/news/press-releases/sm774", "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", - "https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1680.do", + "https://web.archive.org/web/20230213154832/http://download.ahnlab.com/global/brochure/%5BAnalysis%5DAndariel_Group.pdf", "https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html" ], "synonyms": [ 
@@ -21479,6 +23386,188 @@ "uuid": "39d6890e-7f23-4474-b8ef-e7b0343c5fc8", "value": "Andariel - G0138" }, + { + "description": "[RedCurl](https://attack.mitre.org/groups/G1039) is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks.(Citation: group-ib_redcurl1) [RedCurl](https://attack.mitre.org/groups/G1039) is allegedly a Russian-speaking threat actor.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) The group’s operations typically start with spearphishing emails to gain initial access, then the group executes discovery and collection commands and scripts to find corporate data. The group concludes operations by exfiltrating files to the C2 servers. ", + "meta": { + "external_id": "G1039", + "refs": [ + "https://attack.mitre.org/groups/G1039", + "https://www.group-ib.com/resources/research-hub/red-curl-2/", + "https://www.group-ib.com/resources/research-hub/red-curl/" + ], + "synonyms": [ + "RedCurl" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "uses" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "uses" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "uses" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "uses" + }, + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "type": "uses" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "uses" + }, + { + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "uses" + }, + { + "dest-uuid": 
"25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "uses" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "uses" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "uses" + }, + { + "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "uses" + }, + { + "dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470", + "type": "uses" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "uses" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "uses" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "uses" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "type": "uses" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "uses" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "type": "uses" + }, + { + "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", + "type": "uses" + }, + { + "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "type": "uses" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "uses" + }, + { + "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", + "type": 
"uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "type": "uses" + }, + { + "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "type": "uses" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "uses" + } + ], + "uuid": "82323c70-4186-4b61-94f5-b227c3b28e89", + "value": "RedCurl - G1039" + }, { "description": "[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.(Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021)", "meta": { @@ -21493,7 +23582,7 @@ "https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/", "https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/", "https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf", - "https://www.lacework.com/blog/taking-teamtnt-docker-images-offline/" + "https://www.lacework.com/blog/taking-teamtnt-docker-images-offline" ], "synonyms": [ "TeamTNT" 
@@ -21672,6 +23761,10 @@ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "type": "uses" }, + { + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "type": "uses" + }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" @@ -21692,10 +23785,6 @@ "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, - { - "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", - "type": "uses" - }, { "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253", "type": "uses" @@ -21737,5 +23826,5 @@ "value": "TeamTNT - G0139" } ], - "version": 35 + "version": 36 } diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json index 93d50aa..35c7e1d 100644 --- a/clusters/mitre-malware.json +++ b/clusters/mitre-malware.json @@ -1162,6 +1162,10 @@ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, + { + "dest-uuid": "49fca0d2-685d-41eb-8bd4-05451cc3a742", + "type": "uses" + }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" 
@@ -1865,7 +1869,195 @@ "value": "Green Lambert - S0690" }, { - "description": "[Saint Bot](https://attack.mitre.org/software/S1018) is a .NET downloader that has been used by [Ember Bear](https://attack.mitre.org/groups/G1003) since at least March 2021.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", + "description": "[Raspberry Robin](https://attack.mitre.org/software/S1130) is initial access malware first identified in September 2021, and active through early 2024. The malware is notable for spreading via infected USB devices containing a malicious LNK object that, on execution, retrieves remote hosted payloads for installation. [Raspberry Robin](https://attack.mitre.org/software/S1130) has been widely used against various industries and geographies, and as a precursor to information stealer, ransomware, and other payloads such as [SocGholish](https://attack.mitre.org/software/S1124), [Cobalt Strike](https://attack.mitre.org/software/S0154), [IcedID](https://attack.mitre.org/software/S0483), and [Bumblebee](https://attack.mitre.org/software/S1039).(Citation: TrendMicro RaspberryRobin 2022)(Citation: RedCanary RaspberryRobin 2022)(Citation: HP RaspberryRobin 2024) The DLL componenet in the [Raspberry Robin](https://attack.mitre.org/software/S1130) infection chain is also referred to as \"Roshtyak.\"(Citation: Avast RaspberryRobin 2022) The name \"Raspberry Robin\" is used to refer to both the malware as well as the threat actor associated with its use, although the Raspberry Robin operators are also tracked as Storm-0856 by some vendors.(Citation: Microsoft RaspberryRobin 2022)", + "meta": { + "external_id": "S1130", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1130", + "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/", + "https://redcanary.com/blog/threat-intelligence/raspberry-robin/", + 
"https://threatresearch.ext.hp.com/raspberry-robin-now-spreading-through-windows-script-files/", + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + "https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html" + ], + "synonyms": [ + "Raspberry Robin" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "uses" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "uses" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "uses" + }, + { + "dest-uuid": "155207c0-7f53-4f13-a06b-0a9907ef5096", + "type": "uses" + }, + { + "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471", + "type": "uses" + }, + { + "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", + "type": "uses" + }, + { + "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "uses" + }, + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "type": "uses" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", + "type": "uses" + }, + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "type": "uses" + }, + { + "dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071", + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "type": "uses" + }, + { + "dest-uuid": 
"82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "uses" + }, + { + "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "uses" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "uses" + }, + { + "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d", + "type": "uses" + }, + { + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "type": "uses" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "uses" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "type": "uses" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "type": "uses" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33", + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "uses" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + }, + { + "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391", + "type": "uses" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + } + ], + "uuid": "4e385fa6-ebe0-43fc-9ccf-5b51b5dc4d79", + "value": "Raspberry Robin - S1130" + }, + { + "description": "[Saint Bot](https://attack.mitre.org/software/S1018) is a .NET downloader that has been used by [Saint 
Bear](https://attack.mitre.org/groups/G1031) since at least March 2021.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "meta": { "external_id": "S1018", "mitre_platforms": [ @@ -1875,6 +2067,9 @@ "https://attack.mitre.org/software/S1018", "https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/", "https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" + ], + "synonyms": [ + "Saint Bot" ] }, "related": [ @@ -1966,6 +2161,10 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, + { + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "type": "uses" + }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" @@ -4315,7 +4514,7 @@ "value": "Tiktok Pro - S0558" }, { - "description": "[Cyclops Blink](https://attack.mitre.org/software/S0687) is a modular malware that has been used in widespread campaigns by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.(Citation: NCSC Cyclops Blink February 2022)(Citation: NCSC CISA Cyclops Blink Advisory February 2022)(Citation: Trend Micro Cyclops Blink March 2022)", + "description": "[Cyclops Blink](https://attack.mitre.org/software/S0687) is a modular malware that has been used in widespread campaigns by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus. [Cyclops Blink](https://attack.mitre.org/software/S0687) is assessed to be a replacement for [VPNFilter](https://attack.mitre.org/software/S1010), a similar platform targeting network devices.(Citation: NCSC Cyclops Blink February 2022)(Citation: NCSC CISA Cyclops Blink Advisory February 2022)(Citation: Trend Micro Cyclops Blink March 2022)", "meta": { "external_id": "S0687", "mitre_platforms": [ 
@@ -4420,6 +4619,522 @@ "uuid": "b350b47f-88fe-4921-8538-6d9c59bac84e", "value": "Cyclops Blink - S0687" }, + { + "description": "[IPsec Helper](https://attack.mitre.org/software/S1132) is a post-exploitation remote access tool linked to [Agrius](https://attack.mitre.org/groups/G1030) operations. This malware shares significant programming and functional overlaps with [Apostle](https://attack.mitre.org/software/S1133) ransomware, also linked to [Agrius](https://attack.mitre.org/groups/G1030). [IPsec Helper](https://attack.mitre.org/software/S1132) provides basic remote access tool functionality such as uploading files from victim systems, running commands, and deploying additional payloads.(Citation: SentinelOne Agrius 2021)", + "meta": { + "external_id": "S1132", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://assets.sentinelone.com/sentinellabs/evol-agrius", + "https://attack.mitre.org/software/S1132" + ], + "synonyms": [ + "IPsec Helper" + ] + }, + "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "uses" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "type": "uses" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33", + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "uses" + }, + { + "dest-uuid": 
"df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "type": "uses" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "type": "uses" + } + ], + "uuid": "b5dc19b7-588d-403b-848d-c868bd61ffa1", + "value": "IPsec Helper - S1132" + }, + { + "description": "[Cuckoo Stealer](https://attack.mitre.org/software/S1153) is a macOS malware with characteristics of spyware and an infostealer that has been in use since at least 2024. [Cuckoo Stealer](https://attack.mitre.org/software/S1153) is a universal Mach-O binary that can run on Intel or ARM-based Macs and has been spread through trojanized versions of various potentially unwanted programs or PUP's such as converters, cleaners, and uninstallers.(Citation: Kandji Cuckoo April 2024)(Citation: SentinelOne Cuckoo Stealer May 2024)\n", + "meta": { + "external_id": "S1153", + "mitre_platforms": [ + "macOS" + ], + "refs": [ + "https://attack.mitre.org/software/S1153", + "https://www.kandji.io/blog/malware-cuckoo-infostealer-spyware", + "https://www.sentinelone.com/blog/macos-cuckoo-stealer-ensuring-detection-and-defense-as-new-samples-rapidly-emerge/" + ], + "synonyms": [ + "Cuckoo Stealer" + ] + }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "uses" + }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "uses" + }, + { + "dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3", + "type": "uses" + }, + { + "dest-uuid": "2f41939b-54c3-41d6-8f8b-35f1ec18ed97", + "type": "uses" + }, + { + "dest-uuid": "31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + 
"dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "7d20fff9-8751-404e-badd-ccd71bda0236", + "type": "uses" + }, + { + "dest-uuid": "810aa4ad-61c9-49cb-993f-daa06199421d", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "uses" + }, + { + "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", + "type": "uses" + }, + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "type": "uses" + }, + { + "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "uses" + }, + { + "dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", + "type": "uses" + }, + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + }, + { + "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", + "type": "uses" + }, + { + "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "type": "uses" + } + ], + "uuid": "457a5e8d-d964-4130-bde3-c07bb41a093e", + "value": "Cuckoo Stealer - S1153" + }, + { + "description": "[MultiLayer Wiper](https://attack.mitre.org/software/S1135) is wiper malware written in .NET associated with [Agrius](https://attack.mitre.org/groups/G1030) operations. 
Observed samples of [MultiLayer Wiper](https://attack.mitre.org/software/S1135) have an anomalous, future compilation date suggesting possible metadata manipulation.(Citation: Unit42 Agrius 2023)", + "meta": { + "external_id": "S1135", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1135", + "https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/" + ], + "synonyms": [ + "MultiLayer Wiper" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "uses" + }, + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "type": "uses" + }, + { + "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", + "type": "uses" + }, + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "type": "uses" + }, + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "type": "uses" + }, + { + "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "uses" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "type": "uses" + }, + { + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "type": "uses" + } + ], + "uuid": "663d7dee-5a47-459e-a5ef-e850a94a8ee5", + "value": "MultiLayer Wiper - S1135" + }, + { + "description": "[BFG Agonizer](https://attack.mitre.org/software/S1136) is a wiper related to the open-source project CRYLINE-v.5.0. 
The malware is associated with wiping operations conducted by the [Agrius](https://attack.mitre.org/groups/G1030) threat actor.(Citation: Unit42 Agrius 2023)", + "meta": { + "external_id": "S1136", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1136", + "https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/" + ], + "synonyms": [ + "BFG Agonizer" + ] + }, + "related": [ + { + "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", + "type": "uses" + }, + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "type": "uses" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "type": "uses" + }, + { + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "type": "uses" + } + ], + "uuid": "d6aefbbf-fbef-485a-973e-b5403d8f8b18", + "value": "BFG Agonizer - S1136" + }, + { + "description": "[INC Ransomware](https://attack.mitre.org/software/S1139) is a ransomware strain that has been used by the [INC Ransom](https://attack.mitre.org/groups/G1032) group since at least 2023 against multiple industry sectors worldwide. 
[INC Ransomware](https://attack.mitre.org/software/S1139) can employ partial encryption combined with multi-threading to speed encryption.(Citation: SentinelOne INC Ransomware)(Citation: Huntress INC Ransom Group August 2023)(Citation: Secureworks GOLD IONIC April 2024)", + "meta": { + "external_id": "S1139", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1139", + "https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity", + "https://www.secureworks.com/blog/gold-ionic-deploys-inc-ransomware", + "https://www.sentinelone.com/anthology/inc-ransom/" + ], + "synonyms": [ + "INC Ransomware" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "uses" + }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "type": "uses" + }, + { + "dest-uuid": "215d9700-5881-48b8-8265-6449dbb7195d", + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "type": "uses" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "uses" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "type": "uses" + } + ], + "uuid": "f25d4207-25b2-4bb0-a17a-403943c670ad", + "value": "INC Ransomware - S1139" + }, + { + 
"description": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) is an information stealer malware family active since at least 2019 as a malware-as-a-service offering sold in underground forums. [Raccoon Stealer](https://attack.mitre.org/software/S1148) has experienced two periods of activity across two variants, from 2019 to March 2022, then resurfacing in a revised version in June 2022.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon1 2022)", + "meta": { + "external_id": "S1148", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1148", + "https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/", + "https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d" + ], + "synonyms": [ + "Raccoon Stealer" + ] + }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "uses" + }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "uses" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", + "type": "uses" + }, + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "type": "uses" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "uses" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": 
"92d7da27-2d91-488e-a00c-059dc162766d", + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "type": "uses" + }, + { + "dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", + "type": "uses" + }, + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + }, + { + "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + }, + { + "dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4", + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "uses" + } + ], + "uuid": "b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175", + "value": "Raccoon Stealer - S1148" + }, { "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)", "meta": { @@ -4734,8 +5449,11 @@ "meta": { "external_id": "S0133", "refs": [ - "http://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml", - "https://attack.mitre.org/software/S0133" + "https://attack.mitre.org/software/S0133", + "https://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml" + ], + "synonyms": [ + "Miner-C" ] }, "related": [ 
@@ -6732,6 +7450,33 @@ "uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", "value": "Rover - S0090" }, + { + "description": "[VPNFilter](https://attack.mitre.org/software/S1010) is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. [VPNFilter](https://attack.mitre.org/software/S1010) modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019) [VPNFilter](https://attack.mitre.org/software/S1010) was assessed to be replaced by [Sandworm Team](https://attack.mitre.org/groups/G0034) with [Cyclops Blink](https://attack.mitre.org/software/S0687) starting in 2019.(Citation: NCSC CISA Cyclops Blink Advisory February 2022)", + "meta": { + "external_id": "S1010", + "mitre_platforms": [ + "Network", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S1010", + "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html", + "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter", + "https://www.youtube.com/watch?v=yuZazP22rpI" + ], + "synonyms": [ + "VPNFilter" + ] + }, + "related": [ + { + "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac", + "type": "uses" + } + ], + "uuid": "6108f800-10b8-4090-944e-be579f01263d", + "value": "VPNFilter - S1010" + }, { "description": "[Ninja](https://attack.mitre.org/software/S1100) is a malware developed in C++ that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) to penetrate networks and control remote systems since at least 2020. [Ninja](https://attack.mitre.org/software/S1100) is possibly part of a post exploitation toolkit exclusively used by [ToddyCat](https://attack.mitre.org/groups/G1022) and allows multiple operators to work simultaneously on the same machine. 
[Ninja](https://attack.mitre.org/software/S1100) has been used against government and military entities in Europe and Asia and observed in specific infection chains being deployed by [Samurai](https://attack.mitre.org/software/S1099).(Citation: Kaspersky ToddyCat June 2022)", "meta": { @@ -7226,7 +7971,7 @@ "https://attack.mitre.org/software/S0012", "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", + "https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf", "https://www.symantec.com/connect/blogs/life-mars-how-attackers-took-advantage-hope-alien-existance-new-darkmoon-campaign", "https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99" ], @@ -7273,6 +8018,10 @@ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, + { + "dest-uuid": "49fca0d2-685d-41eb-8bd4-05451cc3a742", + "type": "uses" + }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" @@ -8515,6 +9264,10 @@ "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, + { + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "type": "uses" + }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" @@ -8527,10 +9280,6 @@ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, - { - "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", - "type": "uses" - }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" @@ -11064,6 +11813,10 @@ ] }, "related": [ + { + "dest-uuid": "241f9ea8-f6ae-4f38-92f5-cef5b7e539dd", + "type": "uses" + }, { "dest-uuid": "a379f09b-5cec-4bdb-9735-125cef2de073", "tags": [ 
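Review bot: The hunk at -8527 drops the relationship to `cd25c1b4-935c-4f0e-ba8d-552f28bc4783` with nothing replacing it, the same uuid is removed again in the hunk at -26327 further down, and the Marcher hunk at -24941 empties `related` to `[]` entirely. Presumably these targets were revoked or merged upstream, but nothing in this file records that, so MISP events already tagged with both the software and the dropped technique keep dangling links with no hint why. It is worth confirming that the dropped targets remain present and flagged as revoked in clusters/mitre-attack-pattern.json rather than silently removed, and listing removed relationships in a changelog line so downstream correlation can be re-checked.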
@@ -11957,6 +12710,9 @@ "external_id": "S0209", "refs": [ "https://attack.mitre.org/software/S0209" + ], + "synonyms": [ + "Darkmoon" ] }, "related": [ @@ -16861,8 +17617,8 @@ ], "refs": [ "https://attack.mitre.org/software/S0069", - "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", - "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf" + "https://web.archive.org/web/20240119213200/https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" ], "synonyms": [ "BLACKCOFFEE" 
@@ -18467,6 +19223,62 @@ "uuid": "0626c181-93cb-4860-9cb0-dff3b1c13063", "value": "Rotexy - S0411" }, + { + "description": "[Spica](https://attack.mitre.org/software/S1140) is a custom backdoor written in Rust that has been used by [Star Blizzard](https://attack.mitre.org/groups/G1033) since at least 2023.(Citation: Google TAG COLDRIVER January 2024) ", + "meta": { + "external_id": "S1140", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1140", + "https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/" + ], + "synonyms": [ + "Spica" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "uses" + }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + } + ], + "uuid": "824a230d-0f6a-4fd0-99df-8d464db2265e", + "value": "Spica - S1140" + }, { "description": "[HALFBAKED](https://attack.mitre.org/software/S0151) is a malware family consisting of multiple components intended to establish persistence in victim networks. (Citation: FireEye FIN7 April 2017)", "meta": { 
@@ -18605,6 +19417,86 @@ "uuid": "0c242cc5-58d3-4fe3-a866-b00a4b6fb817", "value": "COATHANGER - S1105" }, + { + "description": "[ROADSWEEP](https://attack.mitre.org/software/S1150) is a ransomware that was deployed against Albanian government networks during [HomeLand Justice](https://attack.mitre.org/campaigns/C0038) along with the [CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) backdoor.(Citation: Mandiant ROADSWEEP August 2022)", + "meta": { + "external_id": "S1150", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1150", + "https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/" + ], + "synonyms": [ + "ROADSWEEP" + ] + }, + "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "type": "uses" + }, + { + "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", + "type": "uses" + }, + { + "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", + "type": "uses" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "uses" + }, + { + "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d", + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "uses" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "type": "uses" + 
} + ], + "uuid": "be471c69-12d5-4bcc-9dad-3d42c3dbca4b", + "value": "ROADSWEEP - S1150" + }, { "description": "[Crimson](https://attack.mitre.org/software/S0115) is a remote access Trojan that has been used by [Transparent Tribe](https://attack.mitre.org/groups/G0134) since at least 2016.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)", "meta": { 
@@ -19282,7 +20174,203 @@ "value": "NGLite - S1106" }, { - "description": "[MacMa](https://attack.mitre.org/software/S1016) is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. [MacMa](https://attack.mitre.org/software/S1016) has been observed in the wild since November 2021.(Citation: ESET DazzleSpy Jan 2022)", + "description": "[Latrodectus](https://attack.mitre.org/software/S1160) is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. [Latrodectus](https://attack.mitre.org/software/S1160) has most often been distributed through email campaigns, primarily by [TA577](https://attack.mitre.org/groups/G1037) and [TA578](https://attack.mitre.org/groups/G1038), and has infrastructure overlaps with historic [IcedID](https://attack.mitre.org/software/S0483) operations.(Citation: Latrodectus APR 2024)(Citation: Bleeping Computer Latrodectus April 2024)(Citation: Bitsight Latrodectus June 2024)", + "meta": { + "external_id": "S1160", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1160", + "https://www.bitsight.com/blog/latrodectus-are-you-coming-back", + "https://www.bleepingcomputer.com/news/security/new-latrodectus-malware-attacks-use-microsoft-cloudflare-themes/", + "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" + ], + "synonyms": [ + "Latrodectus", + "IceNova", + "Unidentified 111" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "uses" + }, + { + "dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b", + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "uses" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "uses" + }, + { + "dest-uuid": 
"04fd5427-79c7-44ea-ae13-11b24778ff1c", + "type": "uses" + }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "uses" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "uses" + }, + { + "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", + "type": "uses" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "type": "uses" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "uses" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "uses" + }, + { + "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "uses" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": 
"uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "uses" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "uses" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "uses" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + }, + { + "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + }, + { + "dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4", + "type": "uses" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "uses" + }, + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "type": "uses" + }, + { + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "type": "uses" + } + ], + "uuid": "76fde8df-3495-47c9-82eb-125c4f7fb621", + "value": "Latrodectus - S1160" + }, + { + "description": "[MacMa](https://attack.mitre.org/software/S1016) is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. [MacMa](https://attack.mitre.org/software/S1016) has been observed in the wild since November 2021.(Citation: ESET DazzleSpy Jan 2022) [MacMa](https://attack.mitre.org/software/S1016) shares command and control and unique libraries with [MgBot](https://attack.mitre.org/software/S1146) and [Nightdoor](https://attack.mitre.org/software/S1147), indicating a relationship with the [Daggerfly](https://attack.mitre.org/groups/G1034) threat actor.(Citation: Symantec Daggerfly 2024)", "meta": { "external_id": "S1016", "mitre_platforms": [ 
@@ -19291,6 +20379,7 @@ "refs": [ "https://attack.mitre.org/software/S1016", "https://objective-see.org/blog/blog_0x69.html", + "https://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfly-espionage-updated-toolset", "https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/" ], "synonyms": [ @@ -19332,6 +20421,10 @@ "dest-uuid": "31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e", "type": "uses" }, + { + "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" @@ -19528,7 +20621,7 @@ "value": "Felismus - S0171" }, { - "description": "[OutSteel](https://attack.mitre.org/software/S1017) is a file uploader and document stealer developed with the scripting language AutoIT that has been used by [Ember Bear](https://attack.mitre.org/groups/G1003) since at least March 2021.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", + "description": "[OutSteel](https://attack.mitre.org/software/S1017) is a file uploader and document stealer developed with the scripting language AutoIT that has been used by [Saint Bear](https://attack.mitre.org/groups/G1031) since at least March 2021.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "meta": { "external_id": "S1017", "mitre_platforms": [ @@ -19537,9 +20630,16 @@ "refs": [ "https://attack.mitre.org/software/S1017", "https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" + ], + "synonyms": [ + "OutSteel" ] }, "related": [ + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "uses" + }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" @@ -19556,6 +20656,10 @@ "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, + { + "dest-uuid": "3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5", + "type": "uses" + }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" 
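Review bot: The OutSteel `description` in the hunk at -19528 moves attribution from Ember Bear (G1003) to Saint Bear (G1031), consistent with the Saint Bot description added earlier in this file, but the attribution exists only as free text: this cluster carries no `related` link to an intrusion-set uuid, so tooling that pivots on the group will not notice the move. This appears to mirror an upstream split between the two groups, so it is probably correct as data. It would still be worth confirming that the intrusion-set cluster updated in the same commit carries the G1031 entry and, ideally, the reverse `uses` link to this software's uuid, so the re-attribution is visible to more than a human reading the description.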
@@ -19576,6 +20680,10 @@ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "type": "uses" + }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" @@ -20546,7 +21654,7 @@ "external_id": "S1023", "mitre_platforms": [ "Windows", - "Office 365" + "Office Suite" ], "refs": [ "https://attack.mitre.org/software/S1023", @@ -20801,6 +21909,9 @@ "refs": [ "https://attack.mitre.org/software/S0214", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" + ], + "synonyms": [ + "HAPPYWORK" ] }, "related": [ @@ -21706,6 +22817,10 @@ "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829", "type": "uses" }, + { + "dest-uuid": "afddee82-3385-4682-ad90-eeced33f2d07", + "type": "uses" + }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" @@ -22539,6 +23654,9 @@ "refs": [ "https://attack.mitre.org/software/S0217", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" + ], + "synonyms": [ + "SHUTTERSPEED" ] }, "related": [ @@ -22877,10 +23995,10 @@ ], "refs": [ "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf", - "http://www.finfisher.com/FinFisher/index.html", "https://attack.mitre.org/software/S0182", "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/", "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", + "https://web.archive.org/web/20171222050934/http://www.finfisher.com/FinFisher/index.html", "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html" ], "synonyms": [ @@ -23107,6 +24225,9 @@ "refs": [ "https://attack.mitre.org/software/S0219", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" + ], + "synonyms": [ + "WINERACK" ] }, "related": [ 
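Review bot: The platform value change from `"Office 365"` to `"Office Suite"` in the hunk at -20546 is a silent rename of an enum-like string: any filter or correlation keyed on `mitre_platforms` containing "Office 365" stops matching this entry with no indication why. The rename appears to follow an upstream platform consolidation, so it is presumably correct, but it should be applied consistently across every cluster touched by this commit and recorded somewhere a consumer will see it, e.g. a changelog line `mitre_platforms: "Office 365" renamed to "Office Suite" (upstream platform consolidation)`.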
@@ -23553,6 +24674,10 @@ "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, + { + "dest-uuid": "d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0", + "type": "uses" + }, { "dest-uuid": "d7963066-62ed-4494-9b8c-4b8b691a7c82", "tags": [ @@ -24245,9 +25370,9 @@ ], "refs": [ "https://attack.mitre.org/software/S0153", - "https://twitter.com/ItsReallyNick/status/850105140589633536", "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" + "https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf", + "https://x.com/ItsReallyNick/status/850105140589633536" ], "synonyms": [ "RedLeaves", @@ -24675,8 +25800,8 @@ "macOS" ], "refs": [ - "http://www.thesafemac.com/new-signed-malware-called-janicab/", - "https://attack.mitre.org/software/S0163" + "https://attack.mitre.org/software/S0163", + "https://web.archive.org/web/20230331162455/https://www.thesafemac.com/new-signed-malware-called-janicab/" ], "synonyms": [ "Janicab" @@ -24941,18 +26066,12 @@ "refs": [ "https://attack.mitre.org/software/S0317", "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks" + ], + "synonyms": [ + "Marcher" ] }, - "related": [ - { - "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", - "type": "uses" - }, - { - "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", - "type": "uses" - } - ], + "related": [], "uuid": "f9854ba6-989d-43bf-828b-7240b8a65291", "value": "Marcher - S0317" }, 
@@ -25689,11 +26808,13 @@ ], "refs": [ "https://attack.mitre.org/software/S0414", + "https://services.google.com/fh/files/misc/apt43-report-en.pdf", "https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/", "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/" ], "synonyms": [ - "BabyShark" + "BabyShark", + "LATEOP" ] }, "related": [ @@ -25772,9 +26893,9 @@ "http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", "https://attack.mitre.org/software/S0144", - "https://twitter.com/ItsReallyNick/status/850105140589633536", "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" + "https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf", + "https://x.com/ItsReallyNick/status/850105140589633536" ], "synonyms": [ "ChChes", @@ -26319,6 +27440,10 @@ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, + { + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "type": "uses" + }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" @@ -26327,10 +27452,6 @@ "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", "type": "uses" }, - { - "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" @@ -30563,6 +31684,10 @@ "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, + { + "dest-uuid": "49fca0d2-685d-41eb-8bd4-05451cc3a742", + "type": "uses" + }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" 
@@ -32322,7 +33447,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0422", - "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" + "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" ], "synonyms": [ "Anubis" @@ -32422,12 +33547,10 @@ ], "refs": [ "https://attack.mitre.org/software/S0522", - "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks", "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" ], "synonyms": [ - "Exobot", - "Marcher" + "Exobot" ] }, "related": [ @@ -33712,6 +34835,10 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, + { + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "type": "uses" + }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" @@ -33720,10 +34847,6 @@ "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, - { - "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" @@ -33837,7 +34960,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0632", - "https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer" + "https://www.group-ib.com/blog/grimagent/" ], "synonyms": [ "GrimAgent" @@ -33876,6 +34999,10 @@ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, + { + "dest-uuid": "49fca0d2-685d-41eb-8bd4-05451cc3a742", + "type": "uses" + }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" @@ -34601,6 +35728,10 @@ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, + { + "dest-uuid": "3e6831b2-bf4c-4ae6-b328-2e7c6633b291", + "type": "uses" + }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" 
@@ -34613,10 +35744,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", - "type": "uses" - }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" @@ -34625,6 +35752,10 @@ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, + { + "dest-uuid": "d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0", + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" @@ -35930,10 +37061,6 @@ "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "type": "uses" - }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" @@ -35958,6 +37085,10 @@ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "type": "uses" }, + { + "dest-uuid": "afddee82-3385-4682-ad90-eeced33f2d07", + "type": "uses" + }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" @@ -36359,6 +37490,10 @@ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, + { + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "type": "uses" + }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" @@ -36371,10 +37506,6 @@ "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, - { - "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", - "type": "uses" - }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" @@ -36455,6 +37586,9 @@ "refs": [ "https://attack.mitre.org/software/S0255", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" + ], + "synonyms": [ + "DDKONG" ] }, "related": [ @@ -37059,6 +38193,10 @@ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, + { + "dest-uuid": "49fca0d2-685d-41eb-8bd4-05451cc3a742", + "type": "uses" + }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" 
@@ -39283,10 +40421,10 @@ "refs": [ "https://attack.mitre.org/software/S0533", "https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/", - "https://twitter.com/CNMF_CyberAlert/status/1311743710997159953", - "https://twitter.com/ESETresearch/status/1311762215490461696", - "https://twitter.com/craiu/status/1311920398259367942", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a", + "https://x.com/CNMF_CyberAlert/status/1311743710997159953", + "https://x.com/ESETresearch/status/1311762215490461696", + "https://x.com/craiu/status/1311920398259367942" ], "synonyms": [ "SLOTHFULMEDIA", @@ -39574,9 +40712,9 @@ ], "refs": [ "https://attack.mitre.org/software/S0336", - "https://cofense.com/nanocore-rat-resurfaced-sewers/", "https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://web.archive.org/web/20240522112705/https://cofense.com/blog/nanocore-rat-resurfaced-sewers/", "https://www.digitrustgroup.com/nanocore-not-your-average-rat/" ], "synonyms": [ @@ -39649,8 +40787,8 @@ ], "refs": [ "https://attack.mitre.org/software/S0373", - "https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/", "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", + "https://web.archive.org/web/20200302071436/https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/", "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research" ], "synonyms": [ 
@@ -39908,8 +41046,8 @@ ], "refs": [ "https://attack.mitre.org/software/S0339", - "https://blog.radware.com/security/2018/07/micropsia-malware/", - "https://blog.talosintelligence.com/2017/06/palestine-delphi.html" + "https://blog.talosintelligence.com/2017/06/palestine-delphi.html", + "https://www.radware.com/blog/security/2018/07/micropsia-malware/" ], "synonyms": [ "Micropsia" @@ -41547,6 +42685,14 @@ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "uses" + }, + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "type": "uses" + }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" @@ -41555,6 +42701,10 @@ "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "type": "uses" }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "uses" + }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" @@ -41567,6 +42717,10 @@ "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" 
@@ -41583,22 +42737,54 @@ "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", "type": "uses" }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "type": "uses" + }, { "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", "type": "uses" }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "type": "uses" + }, + { + "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", + "type": "uses" + }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "uses" + }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, + { + "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", + "type": "uses" + }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "uses" + }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" @@ -41955,6 +43141,10 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "uses" + }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" @@ -43342,7 +44532,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0673", - "https://www.prevailion.com/darkwatchman-new-fileless-techniques/" + "https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/" ], "synonyms": [ "DarkWatchman" 
@@ -43490,7 +44680,7 @@ "value": "DarkWatchman - S0673" }, { - "description": "[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019)", + "description": "[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014, initially targeting the financial sector, and has expanded to multiple verticals over time.(Citation: Trend Micro Banking Malware Jan 2019)", "meta": { "external_id": "S0367", "mitre_platforms": [ @@ -43542,6 +44732,10 @@ "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "type": "uses" @@ -43554,6 +44748,10 @@ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "uses" + }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" @@ -43599,11 +44797,11 @@ "type": "uses" }, { - "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { - "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { 
@@ -43647,7 +44845,15 @@ "type": "uses" }, { - "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "uses" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "type": "uses" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { @@ -44011,7 +45217,7 @@ "refs": [ "https://attack.mitre.org/software/S0386", "https://web.archive.org/web/20210719165945/https://www.trendmicro.com/en_us/research/15/c/ursnif-the-multifaceted-malware.html?_ga=2.165628854.808042651.1508120821-744063452.1505819992", - "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif", + "https://www.cyber.nj.gov/threat-landscape/malware/trojans/ursnif", "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html", "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" ], @@ -44211,6 +45417,10 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, + { + "dest-uuid": "afddee82-3385-4682-ad90-eeced33f2d07", + "type": "uses" + }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" 
@@ -44349,7 +45559,7 @@ "value": "CaddyWiper - S0693" }, { - "description": "[Ebury](https://attack.mitre.org/software/S0377) is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).(Citation: ESET Ebury Feb 2014)(Citation: BleepingComputer Ebury March 2017)(Citation: ESET Ebury Oct 2017)", + "description": "[Ebury](https://attack.mitre.org/software/S0377) is an OpenSSH backdoor and credential stealer targeting Linux servers and container hosts developed by [Windigo](https://attack.mitre.org/groups/G0124). [Ebury](https://attack.mitre.org/software/S0377) is primarily installed through modifying shared libraries (`.so` files) executed by the legitimate OpenSSH program. First seen in 2009, [Ebury](https://attack.mitre.org/software/S0377) has been used to maintain a botnet of servers, deploy additional malware, and steal cryptocurrency wallets, credentials, and credit card details.(Citation: ESET Ebury Feb 2014)(Citation: BleepingComputer Ebury March 2017)(Citation: ESET Ebury Oct 2017)(Citation: ESET Ebury May 2024)", "meta": { "external_id": "S0377", "mitre_platforms": [ @@ -44357,6 +45567,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0377", + "https://web-assets.esetstatic.com/wls/en/papers/white-papers/ebury-is-alive-but-unseen.pdf", "https://www.bleepingcomputer.com/news/security/russian-hacker-pleads-guilty-for-role-in-infamous-linux-ebury-malware/", "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/", "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/" @@ -44374,6 +45585,10 @@ "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", "type": "uses" }, + { + "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", + "type": "uses" + }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" 
@@ -44398,6 +45613,10 @@ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, + { + "dest-uuid": "562e9b64-7239-493d-80f4-2bff900d9054", + "type": "uses" + }, { "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "type": "uses" @@ -44414,10 +45633,6 @@ "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "type": "uses" - }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" @@ -44426,6 +45641,10 @@ "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "type": "uses" }, + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "type": "uses" + }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" @@ -46320,6 +47539,10 @@ "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, + { + "dest-uuid": "b577dfc1-0177-4522-8d5a-782127c8592b", + "type": "uses" + }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" @@ -47948,7 +49171,7 @@ "type": "uses" }, { - "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", "type": "uses" }, { @@ -48019,6 +49242,10 @@ "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", "type": "uses" }, + { + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "type": "uses" + }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" @@ -48031,10 +49258,6 @@ "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, - { - "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", - "type": "uses" - }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" @@ -48144,6 +49367,10 @@ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, + { + "dest-uuid": "3e6831b2-bf4c-4ae6-b328-2e7c6633b291", + "type": "uses" + }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" 
@@ -48172,10 +49399,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", - "type": "uses" - }, { "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", "type": "uses" @@ -48353,6 +49576,10 @@ "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, + { + "dest-uuid": "49fca0d2-685d-41eb-8bd4-05451cc3a742", + "type": "uses" + }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" @@ -51089,6 +52316,10 @@ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, + { + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "type": "uses" + }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "uses" @@ -51101,10 +52332,6 @@ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, - { - "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", - "type": "uses" - }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" @@ -52351,6 +53578,10 @@ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, + { + "dest-uuid": "3e6831b2-bf4c-4ae6-b328-2e7c6633b291", + "type": "uses" + }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" @@ -52404,7 +53635,7 @@ "type": "uses" }, { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", "type": "uses" }, { @@ -52443,10 +53674,6 @@ "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, - { - "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" 
@@ -52624,6 +53851,202 @@ "uuid": "d9765cbd-4c88-4805-ba98-4c6ccb56b864", "value": "ZIPLINE - S1114" }, + { + "description": "[LunarWeb](https://attack.mitre.org/software/S1141) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2020 including in a compromise of a European ministry of foreign affairs (MFA) together with [LunarLoader](https://attack.mitre.org/software/S1143) and [LunarMail](https://attack.mitre.org/software/S1142). [LunarWeb](https://attack.mitre.org/software/S1141) has only been observed deployed against servers and can use [Steganography](https://attack.mitre.org/techniques/T1001/002) to obfuscate command and control.(Citation: ESET Turla Lunar toolset May 2024)", + "meta": { + "external_id": "S1141", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1141", + "https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/" + ], + "synonyms": [ + "LunarWeb" + ] + }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "uses" + }, + { + "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "type": "uses" + }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", + "type": "uses" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "type": "uses" 
+ }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "type": "uses" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "type": "uses" + }, + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "type": "uses" + }, + { + "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d", + "type": "uses" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "uses" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "type": "uses" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + }, + { + "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", + "type": "uses" + }, + { + "dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235", + "type": "uses" + } + ], + "uuid": "e1284931-3f85-4262-a641-9ae8bb0576a0", + "value": "LunarWeb - S1141" + }, + { + "description": "[ZeroCleare](https://attack.mitre.org/software/S1151) is a wiper malware that has been used in conjunction with the [RawDisk](https://attack.mitre.org/software/S0364) driver since at least 2019 by suspected Iran-nexus threat actors including activity targeting the energy and industrial sectors in the Middle East and political targets in Albania.(Citation: Microsoft Albanian Government Attacks September 2022)(Citation: 
CISA Iran Albanian Attacks September 2022)(Citation: Mandiant ROADSWEEP August 2022)(Citation: IBM ZeroCleare Wiper December 2019)", + "meta": { + "external_id": "S1151", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1151", + "https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/", + "https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a", + "https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" + ], + "synonyms": [ + "ZeroCleare", + "ZEROCLEAR" + ] + }, + "related": [ + { + "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", + "type": "uses" + }, + { + "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "type": "uses" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "uses" + } + ], + "uuid": "8d8518db-0f52-4f3c-8017-01389a8522bb", + "value": "ZeroCleare - S1151" + }, { "description": "[WIREFIRE](https://attack.mitre.org/software/S1115) is a web shell written in Python that exists as trojanized logic to the visits.py component of Ivanti Connect Secure VPN appliances. [WIREFIRE](https://attack.mitre.org/software/S1115) was used during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) for downloading files and command execution.(Citation: Mandiant Cutting Edge January 2024)", "meta": { 
@@ -52715,6 +54138,80 @@ "uuid": "a5818d36-e9b0-46da-842d-b727a5e36ea6", "value": "WARPWIRE - S1116" }, + { + "description": "[BPFDoor](https://attack.mitre.org/software/S1161) is a Linux based passive long-term backdoor used by China-based threat actors. First seen in 2021, [BPFDoor](https://attack.mitre.org/software/S1161) is named after its usage of Berkley Packet Filter (BPF) to execute single task instructions. [BPFDoor](https://attack.mitre.org/software/S1161) supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP and can start local or reverse shells that bypass firewalls using iptables.(Citation: Sandfly BPFDoor 2022)(Citation: Deep Instinct BPFDoor 2023)", + "meta": { + "external_id": "S1161", + "mitre_platforms": [ + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S1161", + "https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", + "https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/", + "https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game", + "https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html" + ], + "synonyms": [ + "BPFDoor", + "JustForFun", + "Backdoor.Linux.BPFDOOR", + "Backdoor.Solaris.BPFDOOR.ZAJE" + ] + }, + "related": [ + { + "dest-uuid": "005cc321-08ce-4d17-b1ea-cb5275926520", + "type": "uses" + }, + { + "dest-uuid": "34a80bc4-80f2-46e6-94ff-f3265a4b657c", + "type": "uses" + }, + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "type": "uses" + }, + { + "dest-uuid": "4a2975db-414e-4c0c-bd92-775987514b4b", + "type": "uses" + }, + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "type": "uses" + }, + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "type": "uses" + }, + { + "dest-uuid": 
"853c4192-4311-43e1-bfbb-b11b14911852", + "type": "uses" + }, + { + "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "uses" + }, + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "uses" + } + ], + "uuid": "8d1f89fd-4dde-40ab-80e0-a7b80249162e", + "value": "BPFDoor - S1161" + }, { "description": "[GLASSTOKEN](https://attack.mitre.org/software/S1117) is a custom web shell used by threat actors during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to execute commands on compromised Ivanti Secure Connect VPNs.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)", "meta": { 
@@ -53100,6 +54597,150 @@ "uuid": "5911d2ca-64f6-49b3-b94f-29b5d185085c", "value": "SocGholish - S1124" }, + { + "description": "[LunarMail](https://attack.mitre.org/software/S1142) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2020 including in a compromise of a European ministry of foreign affairs (MFA) in conjunction with [LunarLoader](https://attack.mitre.org/software/S1143) and [LunarWeb](https://attack.mitre.org/software/S1141). [LunarMail](https://attack.mitre.org/software/S1142) is designed to be deployed on workstations and can use email messages and [Steganography](https://attack.mitre.org/techniques/T1001/002) in command and control.(Citation: ESET Turla Lunar toolset May 2024)", + "meta": { + "external_id": "S1142", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1142", + "https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/" + ], + "synonyms": [ + "LunarMail" + ] + }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "type": "uses" + }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "type": "uses" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "uses" + }, + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "uses" + }, + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "438c967d-3996-4870-bfc2-3954752a1927", + "type": "uses" + }, + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + 
"type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "uses" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "type": "uses" + }, + { + "dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235", + "type": "uses" + } + ], + "uuid": "a5789a26-2b7b-4b2d-a25f-31182468d4bb", + "value": "LunarMail - S1142" + }, + { + "description": "[IMAPLoader](https://attack.mitre.org/software/S1152) is a .NET-based loader malware exclusively associated with [CURIUM](https://attack.mitre.org/groups/G1012) operations since at least 2022. [IMAPLoader](https://attack.mitre.org/software/S1152) leverages email protocols for command and control and payload delivery.(Citation: PWC Yellow Liderc 2023)", + "meta": { + "external_id": "S1152", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1152", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html" + ], + "synonyms": [ + "IMAPLoader" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "uses" + }, + { + "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "356662f7-e315-4759-86c9-6214e2a50ff8", + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "type": "uses" + }, + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "type": "uses" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + } + ], + "uuid": 
"3058b264-fe6b-46be-8948-2d1fadaf8adf", + "value": "IMAPLoader - S1152" + }, { "description": "[AcidRain](https://attack.mitre.org/software/S1125) is an ELF binary targeting modems and routers using MIPS architecture.(Citation: AcidRain JAGS 2022) [AcidRain](https://attack.mitre.org/software/S1125) is associated with the ViaSat KA-SAT communication outage that took place during the initial phases of the 2022 full-scale invasion of Ukraine. Analysis indicates overlap with another network device-targeting malware, VPNFilter, associated with [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: AcidRain JAGS 2022) US and European government sources linked [AcidRain](https://attack.mitre.org/software/S1125) to Russian government entities, while Ukrainian government sources linked [AcidRain](https://attack.mitre.org/software/S1125) specifically to [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: AcidRain State Department 2022)(Citation: Vincens AcidPour 2024)", "meta": { 
@@ -53139,6 +54780,41 @@ "uuid": "04cecafd-cb5f-4daf-aa1f-73899116c4a2", "value": "AcidRain - S1125" }, + { + "description": "[Playcrypt](https://attack.mitre.org/software/S1162) is a ransomware that has been used by [Play](https://attack.mitre.org/groups/G1040) since at least 2022 in attacks against against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. [Playcrypt](https://attack.mitre.org/software/S1162) derives its name from adding the .play extension to encrypted files and has overlap with tactics and tools associated with Hive and Nokoyawa ransomware and infrastructure associated with Quantum ransomware.(Citation: Microsoft PlayCrypt August 2022)(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)", + "meta": { + "external_id": "S1162", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1162", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a", + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/PlayCrypt.PA&ThreatID=2147830341", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play" + ], + "synonyms": [ + "Playcrypt", + "Play" + ] + }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "type": "uses" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "type": "uses" + } + ], + "uuid": "28ad4983-151e-4e30-9792-768470e92b3e", + "value": "Playcrypt - S1162" + }, { "description": "[Phenakite](https://attack.mitre.org/software/S1126) is a mobile malware that is used by [APT-C-23](https://attack.mitre.org/groups/G1028) to target iOS devices. 
According to several reports, [Phenakite](https://attack.mitre.org/software/S1126) was developed to fill a tooling gap and to target those who owned iPhones instead of Windows desktops or Android phones.(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)", "meta": { 
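Review bot: The new Playcrypt entry lists the bare name `Play` as a synonym, which is also the name of the group G1040 that the same description links to and that this commit touches in clusters/mitre-intrusion-set.json; in MISP, synonyms drive matching and tagging, so `"Play"` on a malware cluster will be ambiguous against the actor cluster of the same name. This appears to mirror the upstream ATT&CK software entry, so if the synonym is kept deliberately, a short note in the galaxy README or the generator on the collision would help downstream users choose the right cluster. The description also carries the upstream typo `against against`; whether the generator normalises such text or leaves it for upstream to fix should be consistent across entries.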
@@ -53303,7 +54979,995 @@ ], "uuid": "6f6b2353-4b39-40ce-9d6d-d00b7a61e656", "value": "Akira - S1129" + }, + { + "description": "[Apostle](https://attack.mitre.org/software/S1133) is malware that has functioned as both a wiper and, in more recent versions, as ransomware. [Apostle](https://attack.mitre.org/software/S1133) is written in .NET and shares various programming and functional overlaps with [IPsec Helper](https://attack.mitre.org/software/S1132).(Citation: SentinelOne Agrius 2021)", + "meta": { + "external_id": "S1133", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://assets.sentinelone.com/sentinellabs/evol-agrius", + "https://attack.mitre.org/software/S1133" + ], + "synonyms": [ + "Apostle" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", + "type": "uses" + }, + { + "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "uses" + }, + { + "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac", + "type": "uses" + }, + { + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "type": "uses" + } + ], + "uuid": "48d96fa0-d027-45aa-a8c3-5d09f65d596d", + "value": "Apostle - S1133" + }, + { + "description": "[DEADWOOD](https://attack.mitre.org/software/S1134) is wiper malware written in C++ using Boost libraries. 
[DEADWOOD](https://attack.mitre.org/software/S1134) was first observed in an unattributed wiping event in Saudi Arabia in 2019, and has since been incorporated into [Agrius](https://attack.mitre.org/groups/G1030) operations.(Citation: SentinelOne Agrius 2021)", + "meta": { + "external_id": "S1134", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://assets.sentinelone.com/sentinellabs/evol-agrius", + "https://attack.mitre.org/software/S1134" + ], + "synonyms": [ + "DEADWOOD" + ] + }, + "related": [ + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "type": "uses" + }, + { + "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", + "type": "uses" + }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "type": "uses" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "type": "uses" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "uses" + }, + { + "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac", + "type": "uses" + } + ], + "uuid": "f2e6af17-3828-4f10-88e7-343591618ddb", + "value": "DEADWOOD - S1134" + }, + { + "description": "[LunarLoader](https://attack.mitre.org/software/S1143) is the loader component for the [LunarWeb](https://attack.mitre.org/software/S1141) and [LunarMail](https://attack.mitre.org/software/S1142) backdoors that has been used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2020 including against a European ministry of foreign affairs (MFA). 
[LunarLoader](https://attack.mitre.org/software/S1143) has been observed as a standalone and as a part of trojanized open-source software such as AdmPwd.(Citation: ESET Turla Lunar toolset May 2024)", + "meta": { + "external_id": "S1143", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1143", + "https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/" + ], + "synonyms": [ + "LunarLoader" + ] + }, + "related": [ + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "uses" + }, + { + "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", + "type": "uses" + } + ], + "uuid": "6490afef-d88e-4e2b-b9d9-a472508ca59d", + "value": "LunarLoader - S1143" + }, + { + "description": "[Moneybird](https://attack.mitre.org/software/S1137) is a ransomware variant written in C++ associated with [Agrius](https://attack.mitre.org/groups/G1030) operations. 
The name \"Moneybird\" is contained in the malware's ransom note and as strings in the executable.(Citation: CheckPoint Agrius 2023)", + "meta": { + "external_id": "S1137", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1137", + "https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/" + ], + "synonyms": [ + "Moneybird" + ] + }, + "related": [ + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "type": "uses" + } + ], + "uuid": "47ab6350-054f-4754-ba4d-e52a4e8751e2", + "value": "Moneybird - S1137" + }, + { + "description": "[Gootloader](https://attack.mitre.org/software/S1138) is a Javascript-based infection framework that has been used since at least 2020 as a delivery method for the Gootkit banking trojan, [Cobalt Strike](https://attack.mitre.org/software/S0154), [REvil](https://attack.mitre.org/software/S0496), and others. 
[Gootloader](https://attack.mitre.org/software/S1138) operates on an \"Initial Access as a Service\" model and has leveraged [SEO Poisoning](https://attack.mitre.org/techniques/T1608/006) to provide access to entities in multiple sectors worldwide including financial, military, automotive, pharmaceutical, and energy.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021)", + "meta": { + "external_id": "S1138", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1138", + "https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/", + "https://www.sentinelone.com/labs/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/" + ], + "synonyms": [ + "Gootloader" + ] + }, + "related": [ + { + "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "type": "uses" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "type": "uses" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "uses" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "type": "uses" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "uses" + }, + { + "dest-uuid": "ae797531-3219-49a4-bccf-324ad7a4c7b2", + "type": "uses" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "type": "uses" + }, + { + "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", + "type": "uses" + }, + { + "dest-uuid": 
"c877e33f-1df6-40d6-b1e7-ce70f16f4979", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "uses" + }, + { + "dest-uuid": "f9cc4d06-775f-4ee1-b401-4e2cc0da30ba", + "type": "uses" + } + ], + "uuid": "396c18b9-26fb-4435-8589-fb856502e4c4", + "value": "Gootloader - S1138" + }, + { + "description": "[VersaMem](https://attack.mitre.org/software/S1154) is a web shell designed for deployment to Versa Director servers following exploitation. Discovered in August 2024, [VersaMem](https://attack.mitre.org/software/S1154) was used during [Versa Director Zero Day Exploitation](https://attack.mitre.org/campaigns/C0039) by [Volt Typhoon](https://attack.mitre.org/groups/G1017) to target ISPs and MSPs. [VersaMem](https://attack.mitre.org/software/S1154) is deployed as a Java Archive (JAR) and allows for credential capture for Versa Director logon activity as well as follow-on execution of arbitrary Java payloads.(Citation: Lumen Versa 2024)", + "meta": { + "external_id": "S1154", + "mitre_platforms": [ + "Network" + ], + "refs": [ + "https://attack.mitre.org/software/S1154", + "https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/" + ], + "synonyms": [ + "VersaMem" + ] + }, + "related": [ + { + "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", + "type": "uses" + }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "uses" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "uses" + }, + { + "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", + "type": "uses" + } + ], + 
"uuid": "0a6ec267-83a9-41a5-98c7-57c3ff81e11f", + "value": "VersaMem - S1154" + }, + { + "description": "[Pikabot](https://attack.mitre.org/software/S1145) is a backdoor used for initial access and follow-on tool deployment active since early 2023. [Pikabot](https://attack.mitre.org/software/S1145) is notable for extensive use of multiple encoding, encryption, and defense evasion mechanisms to evade defenses and avoid analysis. [Pikabot](https://attack.mitre.org/software/S1145) has some overlaps with [QakBot](https://attack.mitre.org/software/S0650), but insufficient evidence exists to definitively link these two malware families. [Pikabot](https://attack.mitre.org/software/S1145) is frequently used to deploy follow on tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154) or ransomware variants.(Citation: Zscaler Pikabot 2023)(Citation: Elastic Pikabot 2024)(Citation: Logpoint Pikabot 2024)", + "meta": { + "external_id": "S1145", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1145", + "https://www.elastic.co/security-labs/pikabot-i-choose-you", + "https://www.logpoint.com/wp-content/uploads/2024/02/logpoint-etpr-pikabot.pdf", + "https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot" + ], + "synonyms": [ + "Pikabot" + ] + }, + "related": [ + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "type": "uses" + }, + { + "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "type": "uses" + }, + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "uses" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "uses" + }, + { + "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "type": "uses" + }, + { + 
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", + "type": "uses" + }, + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "type": "uses" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "uses" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "uses" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "uses" + }, + { + "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391", + "type": "uses" + }, + { + "dest-uuid": "f244b8dd-af6c-4391-a497-fc03627ce995", + "type": "uses" + } + ], + "uuid": "02739f57-7585-4319-acd3-794ae8ff3a70", + "value": "Pikabot - S1145" + }, + { + "description": "[MgBot](https://attack.mitre.org/software/S1146) is a modular malware framework exclusively associated with [Daggerfly](https://attack.mitre.org/groups/G1034) operations since at least 2012. 
[MgBot](https://attack.mitre.org/software/S1146) was developed in C++ and features a module design with multiple available plugins that have been under active development through 2024.(Citation: Szappanos MgBot 2014)(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2024)", + "meta": { + "external_id": "S1146", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1146", + "https://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfly-espionage-updated-toolset", + "https://www.virusbulletin.com/virusbulletin/2014/02/needle-haystack", + "https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/" + ], + "synonyms": [ + "MgBot" + ] + }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "uses" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "type": "uses" + }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "uses" + }, + { + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "type": "uses" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "uses" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "uses" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "uses" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "type": "uses" + }, + { + 
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "type": "uses" + } + ], + "uuid": "a36eedea-9523-4abb-96e8-205f171ee763", + "value": "MgBot - S1146" + }, + { + "description": "[Nightdoor](https://attack.mitre.org/software/S1147) is a backdoor exclusively associated with [Daggerfly](https://attack.mitre.org/groups/G1034) operations. [Nightdoor](https://attack.mitre.org/software/S1147) uses common libraries with [MgBot](https://attack.mitre.org/software/S1146) and [MacMa](https://attack.mitre.org/software/S1016), linking these malware families together.(Citation: ESET EvasivePanda 2024)(Citation: Symantec Daggerfly 2024)", + "meta": { + "external_id": "S1147", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1147", + "https://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfly-espionage-updated-toolset", + "https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/" + ], + "synonyms": [ + "Nightdoor" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "uses" + }, + { + "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + 
"type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "uses" + } + ], + "uuid": "51f78dfc-52f9-424e-8753-bb4246188313", + "value": "Nightdoor - S1147" + }, + { + "description": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) is a backdoor malware that was deployed during [HomeLand Justice](https://attack.mitre.org/campaigns/C0038) along with [ROADSWEEP](https://attack.mitre.org/software/S1150) ransomware, and has been used to target Farsi and Arabic speakers since at least 2012.(Citation: Mandiant ROADSWEEP August 2022)", + "meta": { + "external_id": "S1149", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1149", + "https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/" + ], + "synonyms": [ + "CHIMNEYSWEEP" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "uses" + }, + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "type": "uses" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "uses" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "uses" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "type": "uses" + }, + { + "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "uses" + }, + { + "dest-uuid": 
"3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "type": "uses" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "type": "uses" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "uses" + }, + { + "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "type": "uses" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "uses" + }, + { + "dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + }, + { + "dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4", + "type": "uses" + }, + { + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "type": "uses" + } + ], + "uuid": "542e3384-341a-455b-bb48-4917b25e3b00", + "value": "CHIMNEYSWEEP - S1149" + }, + { + "description": "[Manjusaka](https://attack.mitre.org/software/S1156) is a Chinese-language intrusion framework, similar to [Sliver](https://attack.mitre.org/software/S0633) and [Cobalt Strike](https://attack.mitre.org/software/S0154), with an ELF binary written in GoLang as the controller for Windows and Linux implants written in Rust. 
First identified in 2022, [Manjusaka](https://attack.mitre.org/software/S1156) consists of multiple components, only one of which (a command and control module) is freely available.(Citation: Talos Manjusaka 2022)", + "meta": { + "external_id": "S1156", + "mitre_platforms": [ + "Linux", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1156", + "https://blog.talosintelligence.com/manjusaka-offensive-framework/" + ], + "synonyms": [ + "Manjusaka" + ] + }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "type": "uses" + }, + { + "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "uses" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + } + ], + "uuid": "dd2ad3d7-d7ef-4af5-a919-bfe8f2571705", + "value": "Manjusaka - S1156" + }, + { + "description": "[DUSTPAN](https://attack.mitre.org/software/S1158) is an in-memory dropper written in C/C++ used by [APT41](https://attack.mitre.org/groups/G0096) since 2021 that decrypts and executes an embedded payload.(Citation: Google Cloud APT41 2024)(Citation: Google Cloud APT41 2022)", + "meta": { + "external_id": "S1158", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1158", + "https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust", + "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments" 
+ ], + "synonyms": [ + "DUSTPAN" + ] + }, + "related": [ + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "type": "uses" + }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "uses" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "uses" + } + ], + "uuid": "37487ff6-de2a-4c14-9e8b-ba3b97f78aaf", + "value": "DUSTPAN - S1158" + }, + { + "description": "[DUSTTRAP](https://attack.mitre.org/software/S1159) is a multi-stage plugin framework associated with [APT41](https://attack.mitre.org/groups/G0096) operations with multiple components.(Citation: Google Cloud APT41 2024)", + "meta": { + "external_id": "S1159", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1159", + "https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust" + ], + "synonyms": [ + "DUSTTRAP" + ] + }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "type": "uses" + }, + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "type": "uses" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "uses" + }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "type": "uses" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "uses" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "type": "uses" + }, + { + "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": 
"3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "type": "uses" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "uses" + }, + { + "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "866d0d6d-02c6-42bd-aa2f-02907fdc0969", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "uses" + }, + { + "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c", + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "type": "uses" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "uses" + } + ], + "uuid": "33139388-de0c-49ff-862a-041c315b142d", + "value": "DUSTTRAP - S1159" } ], - "version": 34 + "version": 35 } diff --git a/clusters/mitre-tool.json b/clusters/mitre-tool.json index d7f652a..9f27ed1 100644 --- a/clusters/mitre-tool.json +++ b/clusters/mitre-tool.json 
@@ -17,8 +17,8 @@ "Windows" ], "refs": [ - "http://www.ampliasecurity.com/research/wcefaq.html", - "https://attack.mitre.org/software/S0005" + "https://attack.mitre.org/software/S0005", + "https://web.archive.org/web/20240904163410/https://www.ampliasecurity.com/research/wcefaq.html" ], "synonyms": [ "Windows Credential Editor", @@ -135,6 +135,10 @@ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "type": "uses" }, + { + "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", + "type": "uses" + }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" @@ -333,6 +337,10 @@ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, + { + "dest-uuid": "a718a0c8-5768-41a1-9958-a1cc3f995e99", + "type": "uses" + }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" @@ -341,10 +349,6 @@ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, - { - "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", - "type": "uses" - }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" @@ -1150,7 +1154,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0250", - "https://github.com/zerosum0x0/koadic", + "https://github.com/offsecginger/koadic", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", "https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" ], @@ -1357,6 +1361,10 @@ "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, + { + "dest-uuid": "3e6831b2-bf4c-4ae6-b328-2e7c6633b291", + "type": "uses" + }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" @@ -2053,6 +2061,9 @@ "https://attack.mitre.org/software/S0191", "https://github.com/skalkoto/winexe/", "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/" + ], + "synonyms": [ + "Winexe" ] }, "related": [ 
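Review bot: In the `@@ -1150,7 +1154,7 @@` hunk the Koadic reference is swapped from `https://github.com/zerosum0x0/koadic` to `https://github.com/offsecginger/koadic`, i.e. a different GitHub account; analysts rely on these refs for provenance, so the commit message should confirm that the new URL is what upstream ATT&CK now publishes rather than a local substitution, and that the original repository is in fact no longer available. By contrast the WCE change in the first hunk keeps the content reachable through a dated web.archive.org snapshot, which is the more robust pattern when a source page disappears; the Koadic reference could get the same treatment if the original repository has been removed.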
@@ -2358,9 +2369,8 @@ "meta": { "external_id": "S0413", "mitre_platforms": [ - "Office 365", "Windows", - "Azure AD" + "Office Suite" ], "refs": [ "https://attack.mitre.org/software/S0413", @@ -3455,6 +3465,14 @@ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, + { + "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "type": "uses" + }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" @@ -3475,6 +3493,10 @@ "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "type": "uses" + }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" @@ -3507,10 +3529,18 @@ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, + { + "dest-uuid": "824add00-99a1-4b15-9a2d-6c5683b7b497", + "type": "uses" + }, { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "type": "uses" }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "type": "uses" + }, { "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", "type": "uses" @@ -4191,6 +4221,10 @@ "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "type": "uses" }, + { + "dest-uuid": "394220d9-8efc-4252-9040-664f7b115be6", + "type": "uses" + }, { "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", "type": "uses" @@ -4221,7 +4255,7 @@ "external_id": "S0358", "mitre_platforms": [ "Windows", - "Office 365" + "Office Suite" ], "refs": [ "https://attack.mitre.org/software/S0358", 
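Review bot: The `mitre_platforms` values `Office 365` and `Azure AD` are replaced by `Office Suite` and `Identity Provider` (first hunk here for S0413, again for S0358 in the last hunk, and for S0677 and ROADTools in the hunks on the next line), but nothing in the commit says this is a vocabulary change rather than a per-entry correction. Any downstream filter, taxonomy mapping or dashboard keyed on the old platform strings will silently stop matching, so the commit description or the galaxy README should state the rename and the retired values; this looks like the upstream ATT&CK platform consolidation, but that is inferred, not visible in the diff. A one-line mention such as `platforms renamed: Office 365 / Azure AD -> Office Suite / Identity Provider` in the commit description would suffice.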
@@ -4509,6 +4543,9 @@ "description": "[ROADTools](https://attack.mitre.org/software/S0684) is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.(Citation: ROADtools Github)", "meta": { "external_id": "S0684", + "mitre_platforms": [ + "Identity Provider" + ], "refs": [ "https://attack.mitre.org/software/S0684", "https://github.com/dirkjanm/ROADtools" @@ -4734,8 +4771,8 @@ "external_id": "S0677", "mitre_platforms": [ "Windows", - "Azure AD", - "Office 365" + "Office Suite", + "Identity Provider" ], "refs": [ "https://attack.mitre.org/software/S0677", 
@@ -4924,7 +4961,184 @@ ], "uuid": "d505fc8b-2e64-46eb-96d6-9ef7ffca5b66", "value": "Mythic - S0699" + }, + { + "description": "NPPSPY is an implementation of a theoretical mechanism first presented in 2004 for capturing credentials submitted to a Windows system via a rogue Network Provider API item. NPPSPY captures credentials following submission and writes them to a file on the victim system for follow-on exfiltration.(Citation: Huntress NPPSPY 2022)(Citation: Polak NPPSPY 2004)", + "meta": { + "external_id": "S1131", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1131", + "https://www.blackhat.com/presentations/win-usa-04/bh-win-04-polak/bh-win-04-polak2.pdf", + "https://www.huntress.com/blog/cleartext-shenanigans-gifting-user-passwords-to-adversaries-with-nppspy" + ], + "synonyms": [ + "NPPSPY" + ] + }, + "related": [ + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "uses" + }, + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "type": "uses" + }, + { + "dest-uuid": "c9e0c59e-162e-40a4-b8b1-78fab4329ada", + "type": "uses" + } + ], + "uuid": "0630d1a7-54da-4a48-a6af-eb8a62b13c17", + "value": "NPPSPY - S1131" + }, + { + "description": "[FRP](https://attack.mitre.org/software/S1144), which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a server located behind a firewall or Network Address Translation (NAT) to the Internet. 
[FRP](https://attack.mitre.org/software/S1144) can support multiple protocols including TCP, UDP, and HTTP(S) and has been abused by threat actors to proxy command and control communications.(Citation: FRP GitHub)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: RedCanary Mockingbird May 2020)(Citation: DFIR Phosphorus November 2021)", + "meta": { + "external_id": "S1144", + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1144", + "https://github.com/fatedier/frp", + "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF", + "https://redcanary.com/blog/blue-mockingbird-cryptominer/", + "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" + ], + "synonyms": [ + "FRP" + ] + }, + "related": [ + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "uses" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "type": "uses" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "uses" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "type": "uses" + } + ], + "uuid": "36dd807e-b5bc-4c3e-91ed-80682360148c", + "value": "FRP - S1144" + }, + { + "description": "[Covenant](https://attack.mitre.org/software/S1155) is a multi-platform command and control framework written in .NET. 
While designed for penetration testing and security research, the tool has also been used by threat actors such as [HAFNIUM](https://attack.mitre.org/groups/G0125) during operations. [Covenant](https://attack.mitre.org/software/S1155) functions through a central listener managing multiple deployed \"Grunts\" that communicate back to the controller.(Citation: Github Covenant)(Citation: Microsoft HAFNIUM March 2020)", + "meta": { + "external_id": "S1155", + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1155", + "https://github.com/cobbr/Covenant", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/" + ], + "synonyms": [ + "Covenant" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "uses" + }, + { + "dest-uuid": "2cd950a6-16c4-404a-aa01-044322395107", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "type": "uses" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "type": "uses" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "type": "uses" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + } + ], + "uuid": "05fb53c8-e2ac-4e17-a0c9-a0825e1198bf", + "value": "Covenant - S1155" } ], - "version": 32 + "version": 33 } diff --git a/galaxies/mitre-attack-pattern.json b/galaxies/mitre-attack-pattern.json index 50d3e5c..17336b9 100644 --- a/galaxies/mitre-attack-pattern.json +++ b/galaxies/mitre-attack-pattern.json 
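Review bot: In the new Covenant entry the citation label `(Citation: Microsoft HAFNIUM March 2020)` does not match the reference it resolves to, `https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/`, whose path dates the post to March 2021. Since this file is generated from the MITRE CTI bundle, the fix belongs in the upstream S1155 citation key rather than in a hand-edit here, but it is worth reporting so the next regeneration does not carry the mismatch forward into MISP events. The three additions (NPPSPY, FRP, Covenant) otherwise follow the shape of the existing entries, each carrying `external_id`, `mitre_platforms`, a primary `https://attack.mitre.org/software/...` reference and a `synonyms` list, and the hunk bumps `version` from 32 to 33 so consumers detect the refresh.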
@@ -2,17 +2,6 @@ "description": "ATT&CK Tactic", "icon": "map", "kill_chain_order": { - "attack-Azure-AD": [ - "initial-access", - "execution", - "persistence", - "privilege-escalation", - "defense-evasion", - "credential-access", - "discovery", - "lateral-movement", - "impact" - ], "attack-Containers": [ "initial-access", "execution", @@ -24,19 +13,6 @@ "lateral-movement", "impact" ], - "attack-Google-Workspace": [ - "initial-access", - "execution", - "persistence", - "privilege-escalation", - "defense-evasion", - "credential-access", - "discovery", - "lateral-movement", - "collection", - "exfiltration", - "impact" - ], "attack-IaaS": [ "initial-access", "execution", @@ -50,6 +26,16 @@ "exfiltration", "impact" ], + "attack-Identity-Provider": [ + "initial-access", + "execution", + "persistence", + "privilege-escalation", + "defense-evasion", + "credential-access", + "discovery", + "lateral-movement" + ], "attack-Linux": [ "initial-access", "execution", @@ -79,6 +65,11 @@ "impact" ], "attack-Office-365": [ + "initial-access", + "defense-evasion", + "lateral-movement" + ], + "attack-Office-Suite": [ "initial-access", "execution", "persistence", @@ -192,5 +183,5 @@ "namespace": "mitre-attack", "type": "mitre-attack-pattern", "uuid": "c4e851fa-775f-11e7-8163-b774922098cd", - "version": 10 + "version": 11 }
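Review bot: The `@@ -79,6 +65,11 @@` hunk leaves a residual `attack-Office-365` key holding only `initial-access`, `defense-evasion` and `lateral-movement`, while `attack-Azure-AD` and `attack-Google-Workspace` are removed outright and the full tactic list moves to the new `attack-Office-Suite`. That three-tactic remnant looks like an artifact of deprecated or revoked techniques in the upstream bundle that still carry the old `Office 365` platform name rather than a real kill chain, and anyone filtering by platform will get a misleading partial chain. Either drop `attack-Office-365` together with the other two retired platforms or have the generator skip platforms that only appear on revoked/deprecated objects, and confirm against the upstream ATT&CK platform list which is intended. Separately, the new `attack-Identity-Provider` lists no `collection`, `exfiltration` or `impact` tactics; that is plausible but worth a one-line check against upstream now that no Azure AD key remains to fall back on.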