From e259458d5ae29c360950779bca7deb065197d160 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Tue, 27 Sep 2022 07:30:13 +0200
Subject: [PATCH] chg: [mitre] bump to v11.3
---
 clusters/mitre-attack-pattern.json | 2541 ++++++++++++++++++++----
 clusters/mitre-course-of-action.json | 1020 +++++-----
 clusters/mitre-intrusion-set.json | 178 +-
 clusters/mitre-malware.json | 2717 ++++++++++----------------
 clusters/mitre-tool.json | 80 +-
 5 files changed, 3721 insertions(+), 2815 deletions(-)
diff --git a/clusters/mitre-attack-pattern.json b/clusters/mitre-attack-pattern.json
index 9f4d03e..7ef8b0b 100644
--- a/clusters/mitre-attack-pattern.json
+++ b/clusters/mitre-attack-pattern.json
@@ -378,15 +378,7 @@
 "https://attack.mitre.org/techniques/T1445"
 ]
 },
- "related": [
- {
- "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "revoked-by"
- }
- ],
+ "related": [],
 "uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
 "value": "Abuse of iOS Enterprise App Signing Key - T1445"
 },
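Review bot: Replacing the `revoked-by` relation on T1445 with `"related": [],` leaves the entry looking like a live technique, because nothing else in the object records that it was revoked; the same happens to T1441 in the -974 hunk and to T1431 and T1434 in the -2245 and -2609 hunks. If the generator drops the relation because the target object 53263a67-075e-48fa-974b-91c5b5445db7 is no longer present in the v11.3 bundle, keeping the pointer or adding an explicit deprecation marker on the entry would let MISP instances that still tag events with these clusters tell that the technique is retired. Worth checking the upstream object's revoked status before accepting the empty list.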
@@ -755,6 +747,37 @@ "uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", "value": "Windows File and Directory Permissions Modification - T1222.001" }, + { + "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)", + "meta": { + "external_id": "SPC-15", + "kill_chain": [ + "mitre-mobile-attack:initial-access" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1474/001", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-0.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-10.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-15.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-3.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-9.html", + "https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf" + ] + }, + "related": [ + { + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "type": "subtechnique-of" + } + ], + "uuid": "7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", + "value": "Compromise Software Dependencies and Development Tools - T1474.001" + }, { "description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. 
Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\n\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\system32 (e.g., C:\\Windows\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\n\nFor example, if C:\\example path precedes C:\\Windows\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\example path will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.", "meta": { @@ -943,6 +966,15 @@ "https://www.youtube.com/watch?v=q0n5ySqbfdI" ] }, + "related": [ + { + "dest-uuid": "0f4fb01b-d57a-4375-b7a2-342c9d3248f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "52651225-0b3a-482d-aa7e-10618fd063b5", "value": "Exploit SS7 to Track Device Location - T1450" }, @@ -974,15 +1006,7 @@ "https://attack.mitre.org/techniques/T1441" ] }, - "related": [ - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "revoked-by" - } - ], + "related": [], "uuid": "a21a6a79-f9a1-4c87-aed9-ba2d79536881", "value": "Stolen Developer Credentials or Signing Keys - T1441" }, 
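Review bot: `"external_id": "SPC-15",` on the new T1474.001 entry is the NIST Mobile Threat Catalogue id rather than the ATT&CK technique id, whereas the T1629.003 entry added in the -3856 hunk carries `"external_id": "T1629.003",`; a consumer keying on `external_id` therefore gets a different kind of identifier depending on whether the technique happens to have an MTC reference. The same pattern appears on the new T1639.001, T1438, T1430.001, T1632.001, T1625.001, T1474.002 and T1474.003 entries, and `APP-30` is even shared by T1639.001 and T1438. I would expect `"external_id": "T1474.001",` here, with the MTC ids left in `refs`; if the generator deliberately takes the last external reference, that deserves a comment in the generator rather than silent inconsistency in the data. This hunk's new entry is complete within the hunk; the trailing context line is the start of the next entry's description.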
@@ -1060,6 +1084,15 @@
 "https://attack.mitre.org/techniques/T1452"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69",
 "value": "Manipulate App Store Rankings or Ratings - T1452"
 },
@@ -1308,53 +1341,6 @@ "uuid": "b3253d9e-ba11-430f-b5a3-4db844ce5413", "value": "Unauthorized user introduces compromise delivery mechanism - T1387" }, - { - "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device kernel or other boot partition components, where the code may evade detection, may persist after device resets, and may not be removable by the device user. In some cases (e.g., the Samsung Knox warranty bit as described under Detection), the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes, but doing so introduces the potential ability for others to maliciously update the kernel or other boot partition code.\n\nIf the bootloader is not unlocked, it may still be possible to exploit device vulnerabilities to update the code.", - "meta": { - "external_id": "APP-27", - "kill_chain": [ - "mitre-mobile-attack:defense-evasion", - "mitre-mobile-attack:persistence" - ], - "mitre_platforms": [ - "Android", - "iOS" - ], - "refs": [ - "https://attack.mitre.org/techniques/T1398", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", - "https://www.apple.com/business/docs/iOS_Security_Guide.pdf", - "https://www2.samsungknox.com/en/faq/what-knox-warranty-bit-and-how-it-triggered" - ] - }, - "uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", - "value": "Modify OS Kernel or Boot Partition - T1398" - }, - { - "description": "If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device's battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection(Citation: Krebs-JuiceJacking).\n\nPrevious 
demonstrations have included:\n\n* Injecting malicious applications into iOS devices(Citation: Lau-Mactans).\n* Exploiting a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location(Citation: IBM-NexusUSB).\n* Exploiting Android devices such as the Google Pixel 2 over USB(Citation: GoogleProjectZero-OATmeal).\n\nProducts from Cellebrite and Grayshift purportedly can use physical access to the data port to unlock the passcode on some iOS devices(Citation: Computerworld-iPhoneCracking).", - "meta": { - "external_id": "PHY-1", - "kill_chain": [ - "mitre-mobile-attack:initial-access" - ], - "mitre_platforms": [ - "Android", - "iOS" - ], - "refs": [ - "http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/", - "https://attack.mitre.org/techniques/T1458", - "https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html", - "https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf", - "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html", - "https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/", - "https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html" - ] - }, - "uuid": "667e5707-3843-4da8-bd34-88b922526f0d", - "value": "Exploit via Charging Station or PC - T1458" - }, { "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. 
However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)\n\nSome Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)", "meta": { 
@@ -1466,6 +1452,31 @@ "uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "value": "Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003" }, + { + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.", + "meta": { + "external_id": "APP-30", + "kill_chain": [ + "mitre-mobile-attack:exfiltration" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1639/001", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html" + ] + }, + "related": [ + { + "dest-uuid": "3e091a89-a493-4a6c-8e88-d57be19bb98d", + "type": "subtechnique-of" + } + ], + "uuid": "37047267-3e56-453c-833e-d92b68118120", + "value": "Exfiltration Over Unencrypted Non-C2 Protocol - T1639.001" + }, { "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. 
Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.\n\nAdversaries may also use the same icon of the file they are trying to mimic.", "meta": { @@ -2009,6 +2020,15 @@ "https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/" ] }, + "related": [ + { + "dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", "value": "Network Traffic Capture or Redirection - T1410" }, 
@@ -2130,7 +2150,7 @@
 "value": "Data from Network Shared Drive - T1039"
 },
 {
- "description": "An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review.(Citation: Poeplau-ExecuteThis)\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView's JavascriptInterface capability.(Citation: Bromium-AndroidRCE)\n\nOn iOS, techniques also exist for executing dynamic code downloaded after application installation.(Citation: FireEye-JSPatch)(Citation: Wang)",
+ "description": "Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView’s `JavascriptInterface` capability. \n\nOn iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch) ",
 "meta": {
 "external_id": "APP-20",
 "kill_chain": [
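Review bot: The new T1407 description carries stray whitespace inside the string: a trailing space before the closing quote in `(Citation: FireEye-JSPatch) "` and a space before the escape in `capability. \n\n`. The same trailing spaces appear in the descriptions added in the -2684, -2819, -3233, -3458 and -3856 hunks, and the T1625.001 text in -3458 has a triple `\n\n\n`. This is passed through from upstream, but normalising it in the generator (strip trailing spaces per paragraph) would keep the galaxy's description strings tidy and avoid cosmetic churn in later bumps; the curly apostrophe in `WebView’s` is likewise inconsistent with the ASCII apostrophes used elsewhere in this file. The enclosing entry continues past the hunk.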
@@ -2142,11 +2162,8 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1407",
- "https://labs.bromium.com/2014/07/31/remote-code-execution-on-android-devices/",
 "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html",
- "https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html",
- "https://www.internetsociety.org/sites/default/files/10_5_0.pdf",
- "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei"
+ "https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html"
 ]
 },
 "uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
@@ -2245,15 +2262,7 @@
 "https://attack.mitre.org/techniques/T1431"
 ]
 },
- "related": [
- {
- "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "revoked-by"
- }
- ],
+ "related": [],
 "uuid": "6b846ad0-cc20-4db6-aa34-91561397c5e2",
 "value": "App Delivered via Web Download - T1431"
 },
@@ -2609,15 +2618,7 @@
 "https://attack.mitre.org/techniques/T1434"
 ]
 },
- "related": [
- {
- "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "revoked-by"
- }
- ],
+ "related": [],
 "uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2",
 "value": "App Delivered via Email Attachment - T1434"
 },
@@ -2684,6 +2685,34 @@
 "uuid": "0e6abb17-0f81-4988-9fd2-4ba0b673d729",
 "value": "Automated system performs requested action - T1384"
 },
+ {
+ "description": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a standard Internet connection, the exfiltration may occur, for example, via Bluetooth, or another radio frequency (RF) channel. \n\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. ",
+ "meta": {
+ "external_id": "APP-30",
+ "kill_chain": [
+ "mitre-mobile-attack:command-and-control"
+ ],
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1438",
+ "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
+ "uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a",
+ "value": "Exfiltration Over Other Network Medium - T1438"
+ },
 {
 "description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.(Citation: mHealth)",
 "meta": {
@@ -2702,6 +2731,15 @@
 "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "393e8c12-a416-4575-ba90-19cc85656796",
 "value": "Eavesdrop on Insecure Network Communication - T1439"
 },
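Review bot: The new T1438 entry is titled `Exfiltration Over Other Network Medium` and its description is entirely about exfiltration, yet `kill_chain` lists only `"mitre-mobile-attack:command-and-control"`; I would expect an exfiltration phase as well, so the upstream kill-chain phases for this object are worth checking before the single-phase list is accepted. The entry is also added already revoked (`revoked-by` ec4c4baa-026f-43e8-8f56-58c36f3162dd, an object not visible in this excerpt), and its `"external_id": "APP-30"` is the same value the T1639.001 entry added in the -1466 hunk uses, so `external_id` is not a usable key for either. The entry is complete within the hunk.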
@@ -2819,31 +2857,25 @@
 "value": "Compromise of externally facing system - T1388"
 },
 {
- "description": "An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating. (Citation: NIST-SP800187)(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)",
+ "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken. ",
 "meta": {
- "external_id": "GPS-0",
+ "external_id": "APP-27",
 "kill_chain": [
- "mitre-mobile-attack:network-effects"
+ "mitre-mobile-attack:persistence"
 ],
 "mitre_platforms": [
 "Android",
 "iOS"
 ],
 "refs": [
- "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf",
- "https://arstechnica.com/tech-policy/2016/03/man-accused-of-jamming-passengers-cell-phones-on-chicago-subway/",
- "https://attack.mitre.org/techniques/T1464",
- "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html",
- "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html",
- "https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html",
- "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html",
- "https://www.cnet.com/news/man-put-cell-phone-jammer-in-car-to-stop-driver-calls-fcc-says/",
- "https://www.digitaltrends.com/mobile/florida-teacher-punished-after-signal-jamming-his-students-cell-phones/",
- "https://www.nytimes.com/2007/11/04/technology/04jammer.html"
+ "https://attack.mitre.org/techniques/T1398",
+ "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html",
+ "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html",
+ "https://source.android.com/security/verifiedboot/"
 ]
 },
- "uuid": "d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d",
- "value": "Jamming or Denial of Service - T1464"
+ "uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5",
+ "value": "Boot or Logon Initialization Scripts - T1398"
 },
 {
 "description": "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.\n\nSince some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.",
@@ -2902,6 +2934,15 @@
 "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "9ef05e3d-52db-4c12-be4f-519214bbe91f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "6f86d346-f092-4abc-80df-8558a90c426a",
 "value": "Remotely Track Device Without Authorization - T1468"
 },
@@ -2945,6 +2986,15 @@
 "https://www.symantec.com/connect/blogs/malicious-profiles-sleeping-giant-ios-security"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2",
 "value": "Install Insecure or Malicious Configuration - T1478"
 },
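Review bot: The -2819 hunk removes the `Jamming or Denial of Service - T1464` entry (uuid d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d) outright while reusing its slot for the renamed T1398, and the -1308 hunk likewise deletes `Exploit via Charging Station or PC - T1458` (uuid 667e5707-3843-4da8-bd34-88b922526f0d). Elsewhere in this bump retired techniques are kept with an empty or `revoked-by` `related` list (T1445, T1441, T1438), so unless these two are re-added in a part of the diff outside this excerpt, events already tagged with those cluster values or uuids stop resolving; keeping the entries with a revoked-by or deprecation marker would be the consistent choice. T1398 retaining uuid 46d818a5-67fa-4585-a7fc-ecf15376c8d5 across its rename is correct, though its relocation within the file makes the diff read as a deletion in -1308 plus an unrelated edit here.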
@@ -3131,6 +3181,15 @@
 "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "633baf01-6de4-4963-bb54-ff6c6357bed3",
 "value": "Rogue Wi-Fi Access Points - T1465"
 },
@@ -3233,6 +3292,34 @@ "uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", "value": "Distributed Component Object Model - T1021.003" }, + { + "description": "An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location) ", + "meta": { + "external_id": "EMM-7", + "kill_chain": [ + "mitre-mobile-attack:collection", + "mitre-mobile-attack:discovery" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1430/001", + "https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/", + "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", + "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html" + ] + }, + "related": [ + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "type": "subtechnique-of" + } + ], + "uuid": "9ef05e3d-52db-4c12-be4f-519214bbe91f", + "value": "Remote Device Management Services - T1430.001" + }, { "description": "Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. 
Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.\n\nAdversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis. ", "meta": { 
@@ -3458,6 +3545,55 @@ "uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "value": "Create Process with Token - T1134.002" }, + { + "description": "Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device. \n\nMobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. Adversaries may modify these policies in a number of ways, including [Input Injection](https://attack.mitre.org/techniques/T1516) or malicious configuration profiles.", + "meta": { + "external_id": "STA-7", + "kill_chain": [ + "mitre-mobile-attack:defense-evasion" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1632/001", + "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html" + ] + }, + "related": [ + { + "dest-uuid": "79cb02f4-ac4e-4335-8b51-425c9573cce1", + "type": "subtechnique-of" + } + ], + "uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "value": "Code Signing Policy Modification - T1632.001" + }, + { + "description": "Adversaries may execute their own malicious payloads by hijacking the way an operating system run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \n\n\nOn Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. 
By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device.", + "meta": { + "external_id": "APP-27", + "kill_chain": [ + "mitre-mobile-attack:persistence" + ], + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1625/001", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html" + ] + }, + "related": [ + { + "dest-uuid": "670a4d75-103b-4b14-8a9e-4652fa795edd", + "type": "subtechnique-of" + } + ], + "uuid": "c6e17ca2-08b5-4379-9786-89bd05241831", + "value": "System Runtime API Hijacking - T1625.001" + }, { "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take the many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information.\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)", "meta": { 
@@ -3856,6 +3992,64 @@ "uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", "value": "Impair Command History Logging - T1562.003" }, + { + "description": "Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.", + "meta": { + "external_id": "T1629.003", + "kill_chain": [ + "mitre-mobile-attack:defense-evasion" + ], + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1629/003" + ] + }, + "related": [ + { + "dest-uuid": "20b0931a-8952-42ca-975f-775bad295f1a", + "type": "subtechnique-of" + } + ], + "uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "value": "Disable or Modify Tools - T1629.003" + }, + { + "description": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. 
", + "meta": { + "external_id": "SPC-21", + "kill_chain": [ + "mitre-mobile-attack:initial-access" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1474/002", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-1.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-13.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-16.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-17.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-2.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-21.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-5.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-6.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-7.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-8.html" + ] + }, + "related": [ + { + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "type": "subtechnique-of" + } + ], + "uuid": "c08366bb-8d11-4921-853f-f0a3b6a2a1da", + "value": "Compromise Hardware Supply Chain - T1474.002" + }, { "description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. 
The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)\n\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)", "meta": { 
@@ -3991,6 +4185,35 @@ "uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "value": "Exfiltration to Cloud Storage - T1567.002" }, + { + "description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.", + "meta": { + "external_id": "SPC-20", + "kill_chain": [ + "mitre-mobile-attack:initial-access" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1474/003", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-11.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-12.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-18.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html" + ] + }, + "related": [ + { + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "type": "subtechnique-of" + } + ], + "uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc", + "value": "Compromise Software Supply Chain - T1474.003" + }, { "description": "Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.\n\nWithin Linux and MacOS systems, sudo (sometimes referred to as \"superuser do\") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. 
The sudo command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\"(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).\n\nThe sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL.(Citation: OSX.Dok Malware) Elevated privileges are required to edit this file though.\n\nAdversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. 
Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.\n\nIn the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \\'Defaults !tty_tickets\\' >> /etc/sudoers.(Citation: cybereason osx proton) In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.", "meta": { 
@@ -4651,17 +4874,19 @@ "value": "Change Default File Association - T1042" }, { - "description": "On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policies generally strongly restrict what can be accessed by apps (without taking advantage of a privilege escalation exploit). The contents of the external storage directory are generally visible, which could present concern if sensitive data is inappropriately stored there.\n\niOS's security architecture generally restricts the ability to perform file and directory discovery without use of escalated privileges.", + "description": "Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions. \n\nOn Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. iOS's security architecture generally restricts the ability to perform any type of [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) without use of escalated privileges. 
", "meta": { - "external_id": "T1420", + "external_id": "STA-41", "kill_chain": [ "mitre-mobile-attack:discovery" ], "mitre_platforms": [ - "Android" + "Android", + "iOS" ], "refs": [ - "https://attack.mitre.org/techniques/T1420" + "https://attack.mitre.org/techniques/T1420", + "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html" ] }, "uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848", 
@@ -4847,6 +5072,25 @@
 "uuid": "4579d9c9-d5b9-45e0-9848-0104637b579f",
 "value": "Credentials from Web Browsers - T1503"
 },
+ {
+ "description": "Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.",
+ "meta": {
+ "external_id": "APP-43",
+ "kill_chain": [
+ "mitre-mobile-attack:defense-evasion"
+ ],
+ "mitre_platforms": [
+ "iOS",
+ "Android"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1630",
+ "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html"
+ ]
+ },
+ "uuid": "0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d",
+ "value": "Indicator Removal on Host - T1630"
+ },
 {
 "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information.(Citation: US-CERT-TA18-106A)",
 "meta": {
@@ -4933,18 +5177,29 @@ "https://attack.mitre.org/techniques/T1440" ] }, - "related": [ - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "revoked-by" - } - ], + "related": [], "uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b", "value": "Detect App Analysis Environment - T1440" }, + { + "description": "Adversaries may exploit software vulnerabilities in order to to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \n\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. 
", + "meta": { + "external_id": "APP-26", + "kill_chain": [ + "mitre-mobile-attack:privilege-escalation" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1404", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html" + ] + }, + "uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "value": "Exploitation for Privilege Escalation - T1404" + }, { "description": "Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.\n\n### Services\n\nManipulation of Windows service binaries is one variation of this technique. Adversaries may replace a legitimate service executable with their own executable to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). 
Once the service is started, either directly by the user (if appropriate access is available) or through some other means, such as a system restart if the service starts on bootup, the replaced executable will run instead of the original service executable.\n\n### Executable Installers\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088). Several examples of this weakness in existing common installers have been reported to software vendors. (Citation: Mozilla Firefox Installer DLL Hijack) (Citation: Seclists Kanthak 7zip Installer)", "meta": { 
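Review bot: The `revoked-by` relation on Detect App Analysis Environment (T1440) is dropped and replaced by an empty `"related": []`, which removes the only machine-readable marker that this technique is superseded; to any consumer that follows `revoked-by` to find the replacement, T1440 now looks like a live technique again. The T1440 description is not in this hunk, so I cannot confirm from here whether v11.3 still lists it as revoked, but the new T1404 object added in the same hunk shows the generator is otherwise emitting current data, which makes an accidental loss of the relationship more likely than an upstream un-revocation. If it is still revoked, keep `{"dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "type": "revoked-by"}` (with its estimative-language tag) rather than emptying the list, or mark the entry deprecated explicitly.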
@@ -4978,7 +5233,7 @@
 "value": "File System Permissions Weakness - T1044"
 },
 {
- "description": "An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques.(Citation: Rastogi) (Citation: Zhou) (Citation: TrendMicro-Obad) (Citation: Xiao-iOS)",
+ "description": "Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n \nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Microsoft MalLockerB) ",
 "meta": {
 "external_id": "APP-21",
 "kill_chain": [
@@ -4989,12 +5244,9 @@
 "iOS"
 ],
 "refs": [
- "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/",
- "http://ieeexplore.ieee.org/document/6234407",
- "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf",
- "http://www.slideshare.net/Shakacon/fruit-vs-zombies-defeat-nonjailbroken-ios-malware-by-claud-xiao",
 "https://attack.mitre.org/techniques/T1406",
- "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html"
+ "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html",
+ "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/"
 ]
 },
 "uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
@@ -5051,27 +5303,6 @@ "uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "value": "Exfiltration Over Alternative Protocol - T1048" }, - { - "description": "Adversaries may access and collect application data resident on the device. Adversaries often target popular applications such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019)\n\nThis technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory).", - "meta": { - "external_id": "AUT-0", - "kill_chain": [ - "mitre-mobile-attack:collection", - "mitre-mobile-attack:credential-access" - ], - "mitre_platforms": [ - "Android", - "iOS" - ], - "refs": [ - "https://attack.mitre.org/techniques/T1409", - "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html", - "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" - ] - }, - "uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", - "value": "Access Stored Application Data - T1409" - }, { "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. \n\nAn adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. 
Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.\n\nUtilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), \"net use,\" and \"net session\" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to \"net session\". Additionally, built-in features native to network devices and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) may be used.(Citation: US-CERT-TA18-106A)", "meta": { 
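Review bot: Access Stored Application Data (T1409, uuid `702055ac-4e54-4ae9-9527-e23a38e0b160`) is deleted outright instead of being retained with a `revoked-by` relation, which is how a later hunk in this same patch handles Generate Fraudulent Advertising Revenue (T1472). Any malware or intrusion-set entry in the other cluster files that references this uuid, and any MISP event already tagged with the cluster, now points at nothing; the diffstat shows those files change too, but whether every reference was rewritten is not verifiable from this hunk. I would keep the object and add a `revoked-by` entry pointing at whichever technique replaced it, mirroring the T1472 handling, so the uuid stays resolvable.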
@@ -5452,7 +5683,7 @@
 "value": "Data from Information Repositories - T1213"
 },
 {
- "description": "On Android, applications can use standard APIs to gather a list of network connections to and from the device. For example, the Network Connections app available in the Google Play Store (Citation: ConnMonitor) advertises this functionality.",
+ "description": "Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network. \n\n \n\nThis is typically accomplished by utilizing device APIs to collect information about nearby networks, such as Wi-Fi, Bluetooth, and cellular tower connections. On Android, this can be done by querying the respective APIs: \n\n \n\n* `WifiInfo` for information about the current Wi-Fi connection, as well as nearby Wi-Fi networks. Querying the `WiFiInfo` API requires the application to hold the `ACCESS_FINE_LOCATION` permission. \n\n* `BluetoothAdapter` for information about Bluetooth devices, which also requires the application to hold several permissions granted by the user at runtime. \n\n* For Android versions prior to Q, applications can use the `TelephonyManager.getNeighboringCellInfo()` method. For Q and later, applications can use the `TelephonyManager.getAllCellInfo()` method. Both methods require the application hold the `ACCESS_FINE_LOCATION` permission.",
 "meta": {
 "external_id": "T1421",
 "kill_chain": [
@@ -5462,8 +5693,7 @@
 "Android"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1421",
- "https://play.google.com/store/apps/details?id=com.antispycell.connmonitor&hl=en"
+ "https://attack.mitre.org/techniques/T1421"
 ]
 },
 "uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb",
@@ -5733,7 +5963,7 @@
 "value": "Elevated Execution with Prompt - T1514"
 },
 {
- "description": "An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, for example with the intent of only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android. We are unaware of any demonstrated use on iOS.",
+ "description": "An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.",
 "meta": {
 "external_id": "APP-28",
 "kill_chain": [
@@ -5825,7 +6055,7 @@
 "value": "Cloud Storage Object Discovery - T1619"
 },
 {
- "description": "On Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) The Android `TelephonyManager` class can be used to gather related information such as the IMSI, IMEI, and phone number.(Citation: TelephonyManager)\n\nOn iOS, gathering network configuration information is not possible without root access.",
+ "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of operating systems they access or through information discovery of remote systems. \n\n \n\nOn Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager) \n\n \n\nOn iOS, gathering network configuration information is not possible without root access. \n\n \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. ",
 "meta": {
 "external_id": "T1422",
 "kill_chain": [
@@ -5900,6 +6130,25 @@
 "uuid": "e754fa49-2db1-416b-92db-7f886decd099",
 "value": "Generate analyst intelligence requirements - T1234"
 },
+ {
+ "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic [Unix Shell](https://attack.mitre.org/techniques/T1623/001) that can be accessed via the Android Debug Bridge (ADB) or Java’s `Runtime` package.\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0027) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells. ",
+ "meta": {
+ "external_id": "T1623",
+ "kill_chain": [
+ "mitre-mobile-attack:execution"
+ ],
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1623",
+ "https://partner.samsungknox.com/mtd"
+ ]
+ },
+ "uuid": "29f1f56c-7b7a-4c14-9e39-59577ea2743c",
+ "value": "Command and Scripting Interpreter - T1623"
+ },
 {
 "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1263).\n\nSecurity defensive capabilities are designed to stop or limit unauthorized network traffic or other types of accesses. (Citation: OSFingerprinting2014) (Citation: NMAP WAF NSE)",
 "meta": {
@@ -5942,6 +6191,45 @@ "uuid": "fe421ab9-c8f3-42f7-9ae1-5d6c324cc925", "value": "Analyze application security posture - T1293" }, + { + "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.", + "meta": { + "external_id": "APP-29", + "kill_chain": [ + "mitre-mobile-attack:exfiltration" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1646", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html" + ] + }, + "uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", + "value": "Exfiltration Over C2 Channel - T1646" + }, + { + "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. 
However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", + "meta": { + "external_id": "T1642", + "kill_chain": [ + "mitre-mobile-attack:impact" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/", + "https://attack.mitre.org/techniques/T1642", + "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)" + ] + }, + "uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", + "value": "Endpoint Denial of Service - T1642" + }, { "description": "As demonstrated by the XcodeGhost attack (Citation: PaloAlto-XcodeGhost1), app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications.\n\nDetection: Enterprises could deploy integrity checking software to the computers that they use to develop code to detect presence of unauthorized, modified software development tools.\n\nPlatforms: Android, iOS", "meta": { @@ -5991,6 +6279,15 @@ "https://attack.mitre.org/techniques/T1472" ] }, + "related": [ + { + "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", "value": "Generate Fraudulent Advertising Revenue - T1472" }, 
@@ -6008,6 +6305,25 @@ "uuid": "7dae871c-effc-444b-9962-4b7efefe7d40", "value": "Identify sensitive personnel information - T1274" }, + { + "description": "Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device’s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. \n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1423) or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nDepending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1404) as a result of lateral movement exploitation as well. 
", + "meta": { + "external_id": "APP-32", + "kill_chain": [ + "mitre-mobile-attack:lateral-movement" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1428", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html" + ] + }, + "uuid": "22379609-a99f-4a01-bd7e-70f3e105859d", + "value": "Exploitation of Remote Services - T1428" + }, { "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1256).\n\nAn adversary can attempt to identify web defensive services as [CloudFlare](https://www.cloudflare.com), [IPBan](https://github.com/jjxtra/Windows-IP-Ban-Service), and [Snort](https://www.snort.org). This may be done by passively detecting services, like [CloudFlare](https://www.cloudflare.com) routing, or actively, such as by purposefully tripping security defenses. (Citation: NMAP WAF NSE)", "meta": { 
@@ -6077,6 +6393,24 @@
 "uuid": "09312b1a-c3c6-4b45-9844-3ccc78e5d82f",
 "value": "Gather Victim Host Information - T1592"
 },
+ {
+ "description": "Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. ",
+ "meta": {
+ "external_id": "APP-22",
+ "kill_chain": [
+ "mitre-mobile-attack:privilege-escalation"
+ ],
+ "mitre_platforms": [
+ "Android"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1626",
+ "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html"
+ ]
+ },
+ "uuid": "08ea902d-ecb5-47ed-a453-2798057bb2d3",
+ "value": "Abuse Elevation Control Mechanism - T1626"
+ },
 {
 "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1269).\n\nThe attempt to identify people of interest or with an inherent weakness for direct or indirect targeting to determine an approach to compromise a person or organization. Such targets may include individuals with poor OPSEC practices or those who have a trusted relationship with the intended target. (Citation: RSA-APTRecon) (Citation: Scasny2015)",
 "meta": {
@@ -6092,9 +6426,9 @@ "value": "Identify people of interest - T1269" }, { - "description": "Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system.\n\nLocal system data includes information stored by the operating system. Access to local system data often requires escalated privileges (e.g. root access). Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos.", + "description": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. \n\n \n\nAccess to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions. \n\n ", "meta": { - "external_id": "T1533", + "external_id": "STA-41", "kill_chain": [ "mitre-mobile-attack:collection" ], @@ -6103,7 +6437,8 @@ "iOS" ], "refs": [ - "https://attack.mitre.org/techniques/T1533" + "https://attack.mitre.org/techniques/T1533", + "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html" ] }, "uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", 
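Review bot: `external_id` for Data from Local System is rewritten from `"T1533"` to `"STA-41"`, the same value an earlier hunk in this patch gives File and Directory Discovery (T1420), so two distinct clusters in one galaxy now share an external id while their ATT&CK ids are only recoverable by parsing the `value` suffix or the refs URL. Consumers that index clusters by `external_id` will silently merge or mis-resolve these two techniques. Keep `"external_id": "T1533",` and let the STA-41 mapping live in `refs` where this hunk already adds it; if the generator is meant to emit NIST MTC ids here, it needs a tie-break for MTC entries that map to several techniques.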
@@ -6124,25 +6459,41 @@ "value": "Post compromise tool development - T1353" }, { - "description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.\n\nIn the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. Google reportedly responds to reports of abuse by blocking access to GCM.(Citation: Kaspersky-MobileMalware)", + "description": "Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", "meta": { - "external_id": "APP-29", + "external_id": "AUT-11", "kill_chain": [ - "mitre-mobile-attack:command-and-control", - "mitre-mobile-attack:exfiltration" + "mitre-mobile-attack:credential-access" + ], + "mitre_platforms": [ + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1634", + "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html" + ] + }, + "uuid": "cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", + "value": "Credentials from Password Store - T1634" + }, + { + "description": "Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. 
Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well.\n\nIf done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS", + "meta": { + "external_id": "APP-16", + "kill_chain": [ + "mitre-mobile-attack:impact" ], "mitre_platforms": [ "Android", "iOS" ], "refs": [ - "https://attack.mitre.org/techniques/T1437", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", - "https://securelist.com/mobile-malware-evolution-2013/58335/" + "https://attack.mitre.org/techniques/T1643", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html" ] }, - "uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "value": "Standard Application Layer Protocol - T1437" + "uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", + "value": "Generate Traffic from Victim - T1643" }, { "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1349).\n\nAn exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may use or modify existing exploits when those exploits are still relevant to the environment they are trying to compromise. (Citation: NYTStuxnet) (Citation: NationsBuying)", 
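Review bot: The T1437 cluster (`"uuid": "6a3f6490-9c44-40de-b059-e5940f246673"`, Standard Application Layer Protocol) is removed outright in this hunk rather than kept with a `revoked-by` relation, which is how the same commit handles T1466 and T1467 further down (their entries stay and gain `"type": "revoked-by"` pointing at the successor uuid). Events or tags that already reference that uuid lose their cluster resolution, and the deprecation trail that `revoked-by` provides elsewhere is missing for this technique. If the upstream STIX object for T1437 carries a revoked-by relationship, the generator should emit the same shape as for T1466/T1467; if the object was deleted upstream, listing dropped uuids in the commit message would help downstream consumers.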
@@ -6174,6 +6525,29 @@ "uuid": "eacadff4-164b-451c-bacc-7b29ebfd0c3f", "value": "Create infected removable media - T1355" }, + { + "description": "Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system “Open With” dialogue. \n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. An example of a commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.", + "meta": { + "external_id": "T1635", + "kill_chain": [ + "mitre-mobile-attack:credential-access" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1635", + "https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/", + "https://developer.android.com/training/app-links/index.html", + "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols", + "https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow", + "https://tools.ietf.org/html/rfc8252" + ] + }, + "uuid": "233fe2c0-cb41-4765-b454-e0087597fbce", + "value": 
"Steal Application Access Token - T1635" + }, { "description": "Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.\n\nAdversaries may commandeer these sessions to carry out actions on remote systems. [Remote Service Session Hijacking](https://attack.mitre.org/techniques/T1563) differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021) because it hijacks an existing session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: RDP Hijacking Medium)(Citation: Breach Post-mortem SSH Hijack)", "meta": { 
@@ -6247,6 +6621,25 @@ "uuid": "eb517589-eefc-480e-b8e3-7a8b1066f6f1", "value": "Targeted social media phishing - T1366" }, + { + "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels. ", + "meta": { + "external_id": "APP-30", + "kill_chain": [ + "mitre-mobile-attack:exfiltration" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1639", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html" + ] + }, + "uuid": "3e091a89-a493-4a6c-8e88-d57be19bb98d", + "value": "Exfiltration Over Alternative Protocol - T1639" + }, { "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)", "meta": { 
@@ -6291,6 +6684,51 @@ "uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "value": "Masquerade as Legitimate Application - T1444" }, + { + "description": "Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth. \n\n \n\nOn Android, applications can read push notifications to capture content from SMS messages, or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application could launch an Intent to take the user directly there. \n\n \n\nOn iOS, there is no way to programmatically read push notifications. ", + "meta": { + "external_id": "T1644", + "kill_chain": [ + "mitre-mobile-attack:command-and-control" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1644" + ] + }, + "uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "value": "Out of Band Data - T1644" + }, + { + "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices. \n\nA Network DoS will occur when an adversary is able to jam radio signals (e.g. Wi-Fi, cellular, GPS) around a device to prevent it from communicating. 
For example, to jam cellular signal, an adversary may use a handheld signal jammer, which jam devices within the jammer’s operational range.(Citation: NIST-SP800187) \n\nUsage of cellular jamming has been documented in several arrests reported in the news.(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)", + "meta": { + "external_id": "GPS-0", + "kill_chain": [ + "mitre-mobile-attack:impact" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf", + "https://arstechnica.com/tech-policy/2016/03/man-accused-of-jamming-passengers-cell-phones-on-chicago-subway/", + "https://attack.mitre.org/techniques/T1464", + "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html", + "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html", + "https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html", + "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html", + "https://www.cnet.com/news/man-put-cell-phone-jammer-in-car-to-stop-driver-calls-fcc-says/", + "https://www.digitaltrends.com/mobile/florida-teacher-punished-after-signal-jamming-his-students-cell-phones/", + "https://www.nytimes.com/2007/11/04/technology/04jammer.html" + ] + }, + "uuid": "d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", + "value": "Network Denial of Service - T1464" + }, { "description": "Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. 
For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.", "meta": { 
@@ -6316,6 +6754,26 @@ "uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "value": "Compromise Client Software Binary - T1554" }, + { + "description": "Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators. \n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device. ", + "meta": { + "external_id": "APP-27", + "kill_chain": [ + "mitre-mobile-attack:persistence" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1645", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "https://source.android.com/security/verifiedboot/" + ] + }, + "uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "value": "Compromise Client Software Binary - T1645" + }, { "description": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.", "meta": { 
@@ -6345,6 +6803,33 @@ "uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "value": "Abuse Elevation Control Mechanism - T1548" }, + { + "description": "Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.(Citation: Lau-Mactans) In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.(Citation: Krebs-JuiceJacking) Examples of this include: \n \n* Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.(Citation: IBM-NexusUSB) \n* Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.(Citation: GoogleProjectZero-OATmeal) \n* Products from Cellebrite and Grayshift purportedly that can exploit some iOS devices using physical access to the data port to unlock the passcode.(Citation: Computerworld-iPhoneCracking) ", + "meta": { + "external_id": "STA-6", + "kill_chain": [ + "mitre-mobile-attack:initial-access", + "mitre-mobile-attack:lateral-movement" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/", + "https://attack.mitre.org/techniques/T1458", + "https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html", + "https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf", + "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html", + "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html", + 
"https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-6.html", + "https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/", + "https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html" + ] + }, + "uuid": "667e5707-3843-4da8-bd34-88b922526f0d", + "value": "Replication Through Removable Media - T1458" + }, { "description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.", "meta": { @@ -6362,6 +6847,15 @@ "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html" ] }, + "related": [ + { + "dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "f58cd69a-e548-478b-9248-8a9af881dc34", "value": "Downgrade to Insecure Protocols - T1466" }, @@ -6382,6 +6876,15 @@ "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html" ] }, + "related": [ + { + "dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "a5de0540-73e7-4c67-96da-4143afedc7ed", "value": "Rogue Cellular Base Station - T1467" }, 
@@ -7030,6 +7533,34 @@ "uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "value": "SMB/Windows Admin Shares - T1021.002" }, + { + "description": "An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)", + "meta": { + "external_id": "EMM-5", + "kill_chain": [ + "mitre-mobile-attack:defense-evasion" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf", + "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions", + "https://attack.mitre.org/techniques/T1630/003", + "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf", + "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html" + ] + }, + "related": [ + { + "dest-uuid": "0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "type": "subtechnique-of" + } + ], + "uuid": "a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", + "value": "Disguise Root/Jailbreak Indicators - T1630.003" + }, { "description": "Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)\n\nAdversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). 
As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key.\n\nAdversaries may modify the key size used and other encryption parameters using specialized commands in a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) introduced to the system through [Modify System Image](https://attack.mitre.org/techniques/T1601) to change the configuration of the device. (Citation: Cisco Blog Legacy Device Attacks)", "meta": { 
@@ -7458,6 +7989,30 @@ "uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "value": "File Transfer Protocols - T1071.002" }, + { + "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: \n \n* Abusing device owner permissions to perform silent uninstallation using device owner API calls. \n* Abusing root permissions to delete files from the filesystem. \n* Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", + "meta": { + "external_id": "APP-43", + "kill_chain": [ + "mitre-mobile-attack:defense-evasion" + ], + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1630/001", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html" + ] + }, + "related": [ + { + "dest-uuid": "0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "type": "subtechnique-of" + } + ], + "uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "value": "Uninstall Malicious Application - T1630.001" + }, { "description": "Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)\n\nUnlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.", "meta": { 
@@ -7662,6 +8217,37 @@ "uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", "value": "Additional Cloud Credentials - T1098.001" }, + { + "description": "Adversaries may exploit the lack of authentication in signaling system network nodes to track the to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) \n\n \n\nBy providing the victim’s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device’s geographical cell area or nearest cell tower.(Citation: Engel-SS7)", + "meta": { + "external_id": "CEL-38", + "kill_chain": [ + "mitre-mobile-attack:collection", + "mitre-mobile-attack:discovery" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf", + "https://attack.mitre.org/techniques/T1430/002", + "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf", + "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html", + "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf", + "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf", + "https://www.youtube.com/watch?v=q0n5ySqbfdI" + ] + }, + "related": [ + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "type": "subtechnique-of" + } + ], + "uuid": "0f4fb01b-d57a-4375-b7a2-342c9d3248f7", + "value": "Impersonate SS7 Nodes - T1430.002" + }, { "description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. 
These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\n\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)", "meta": { 
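Review bot: The new T1430.002 description reads `to track the to track the location of mobile devices`, a duplicated phrase that presumably comes straight from the upstream ATT&CK text. Since this file is regenerated on each bump, a hand edit here would be overwritten; the fix belongs upstream or in a generator post-processing step, but it is worth flagging so it is not later mistaken for a local regression.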
@@ -8654,6 +9240,34 @@ "uuid": "7d77a07d-02fe-4e88-8bd9-e9c008c01bf0", "value": "Email Forwarding Rule - T1114.003" }, + { + "description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using `malloc`) then invoking that memory with `PTRACE_SETREGS` to set the register containing the next instruction to execute. Ptrace system call injection can also be done with `PTRACE_POKETEXT`/`PTRACE_POKEDATA`, which copy data to a specific address in the target process's memory (e.g., the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible when targeting processes with high-privileges, and on some systems those that are non-child processes.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. 
Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.", + "meta": { + "external_id": "T1631.001", + "kill_chain": [ + "mitre-mobile-attack:defense-evasion", + "mitre-mobile-attack:privilege-escalation" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "http://man7.org/linux/man-pages/man2/ptrace.2.html", + "https://attack.mitre.org/techniques/T1631/001", + "https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf", + "https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be" + ] + }, + "related": [ + { + "dest-uuid": "b7c0e45f-0206-4f75-96e7-fe7edad3aaff", + "type": "subtechnique-of" + } + ], + "uuid": "1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", + "value": "Ptrace System Calls - T1631.001" + }, { "description": "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)\n\nOffice Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded.(Citation: enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates may also be stored and pulled from remote locations.(Citation: GlobalDotName Jun 2019) \n\nWord Normal.dotm location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\n\nExcel Personal.xlsb location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB\n\nAdversaries may also change the location of the base template to point to their own by hijacking the application's search order, e.g. Word 2016 will first look for Normal.dotm under C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\, or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.(Citation: GlobalDotName Jun 2019) \n\nAn adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.", "meta": { 
@@ -8729,6 +9343,79 @@ "uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "value": "System Language Discovery - T1614.001" }, + { + "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.\n\nOne method to achieve [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the `ClipboardManager.OnPrimaryClipChangedListener` interface on Android to determine when clipboard contents have changed. Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10.\n\nAdversaries may use [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) to replace text prior to being pasted. For example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) was seen within the Android/Clipper.C trojan. 
This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)", + "meta": { + "external_id": "T1641.001", + "kill_chain": [ + "mitre-mobile-attack:impact" + ], + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1641/001", + "https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/" + ] + }, + "related": [ + { + "dest-uuid": "c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", + "type": "subtechnique-of" + } + ], + "uuid": "74e6003f-c7f4-4047-983b-708cc19b96b6", + "value": "Transmitted Data Manipulation - T1641.001" + }, + { + "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). 
", + "meta": { + "external_id": "T1481.001", + "kill_chain": [ + "mitre-mobile-attack:command-and-control" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1481/001" + ] + }, + "related": [ + { + "dest-uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380", + "type": "subtechnique-of" + } + ], + "uuid": "986f80f7-ff0e-4f48-87bd-0394814bbce5", + "value": "Dead Drop Resolver - T1481.001" + }, + { + "description": "Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1418/001) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. ", + "meta": { + "external_id": "APP-12", + "kill_chain": [ + "mitre-mobile-attack:discovery" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1418/001", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html" + ] + }, + "related": [ + { + "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", + "type": "subtechnique-of" + } + ], + "uuid": "1d44f529-6fe6-489f-8a01-6261ac43f05e", + "value": "Security Software Discovery - T1418.001" + }, { "description": "Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.\n\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk 
content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)", "meta": { 
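Review bot: `"external_id"` for "Security Software Discovery - T1418.001" is set to the NIST Mobile Threat Catalogue id `APP-12` rather than the ATT&CK id, while the sibling entries in the same hunk (T1641.001, T1481.001) carry the T-number. The same pattern appears in the following hunks for `APP-31` (GUI Input Capture - T1417.002), `APP-22` (used for both Device Administrator Permissions - T1626.001 and Prevent Application Removal - T1629.001) and `AUT-0` (Stored Application Data - T1409), so within this cluster `external_id` is neither uniform nor unique and cannot be used to map an entry back to ATT&CK. Consumers are left to parse the suffix of `value` or the attack.mitre.org URL in `refs`, which is fragile. This presumably comes from the generator taking the first external reference of the STIX object rather than the ATT&CK one; if so, the fix belongs in the generator, which should prefer the reference that carries the T-number and fall back to the catalogue id only when none exists. Separately, the Dead Drop Resolver description contains whitespace-only paragraphs (`\n\n \n\n`) and a trailing newline that the generator could normalise before emitting.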
@@ -8830,6 +9517,42 @@ "uuid": "ed730f20-0e44-48b9-85f8-0e2adeb76867", "value": "Determine Physical Locations - T1591.001" }, + { + "description": "Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices)\n\nThere are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) \n\nAdditionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. 
Adversaries can abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:\n\n* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)", + "meta": { + "external_id": "APP-31", + "kill_chain": [ + "mitre-mobile-attack:credential-access", + "mitre-mobile-attack:collection" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "http://cloak-and-dagger.org/", + "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf", + "https://attack.mitre.org/techniques/T1417/002", + "https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf", + "https://developer.android.com/guide/components/activities/background-starts", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", + "https://www.group-ib.com/blog/gustuff", + 
"https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/", + "https://www.skycure.com/blog/accessibility-clickjacking/", + "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", + "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/", + "https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/" + ] + }, + "related": [ + { + "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "type": "subtechnique-of" + } + ], + "uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", + "value": "GUI Input Capture - T1417.002" + }, { "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n\nIt is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)\n\nIn cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)", "meta": { 
@@ -8905,6 +9628,82 @@ "uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", "value": "Disk Structure Wipe - T1561.002" }, + { + "description": "Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642), factory resetting the device for [File Deletion](https://attack.mitre.org/techniques/T1630/002) and to delete any traces of the malware, disabling all the device’s cameras, or to make it more difficult to uninstall the app.\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.", + "meta": { + "external_id": "APP-22", + "kill_chain": [ + "mitre-mobile-attack:privilege-escalation" + ], + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1626/001", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html" + ] + }, + "related": [ + { + "dest-uuid": "08ea902d-ecb5-47ed-a453-2798057bb2d3", + "type": "subtechnique-of" + } + ], + "uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "value": "Device Administrator Permissions - T1626.001" + }, + { + "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. 
\n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker) \n\nBeginning in Android 10, changes were introduced to inhibit malicious applications’ ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application’s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app’s details page in the system settings. If the user clicks the synthesized activity in the launcher, they are taken to the application’s details page in the system settings.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)", + "meta": { + "external_id": "T1628.001", + "kill_chain": [ + "mitre-mobile-attack:defense-evasion" + ], + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1628/001", + "https://developer.android.com/reference/kotlin/android/content/pm/LauncherApps#getactivitylist", + "https://source.android.com/setup/start/android-10-release#limitations_to_hiding_app_icons", + "https://www.cyber.nj.gov/threat-profiles/android-malware-variants/bankbot-spybanker", + "https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/", + "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/" + ] + }, + "related": [ + { + "dest-uuid": "fc53309d-ebd5-4573-9242-57024ebdad4f", + "type": "subtechnique-of" + } + ], + "uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "value": "Suppress Application Icon - T1628.001" + }, + { + "description": "Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. 
In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\n\nAdversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal.", + "meta": { + "external_id": "APP-22", + "kill_chain": [ + "mitre-mobile-attack:defense-evasion" + ], + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1629/001", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html" + ] + }, + "related": [ + { + "dest-uuid": "20b0931a-8952-42ca-975f-775bad295f1a", + "type": "subtechnique-of" + } + ], + "uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "value": "Prevent Application Removal - T1629.001" + }, { "description": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. 
One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)\n\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)\n\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)", "meta": { 
@@ -8997,6 +9796,32 @@ "uuid": "2339cf19-8f1e-48f7-8a91-0262ba547b6f", "value": "Identify Business Tempo - T1591.003" }, + { + "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1637/001) (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.", + "meta": { + "external_id": "T1637.001", + "kill_chain": [ + "mitre-mobile-attack:command-and-control" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1637/001", + "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/", + "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" + ] + }, + "related": [ + { + "dest-uuid": "2ccc3d39-9598-4d32-9657-42e1c7095d26", + "type": "subtechnique-of" + } + ], + "uuid": "fd211238-f767-4599-8c0d-9dca36624626", + "value": "Domain Generation Algorithms - T1637.001" + }, { "description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \n\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. 
write access, to specific users or groups in the domain.\n\nMalicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\n\nFor example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)", "meta": { 
@@ -10690,6 +11515,15 @@
 "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "b332a960-3c04-495a-827f-f17a5daed3a6",
 "value": "Disguise Root/Jailbreak Indicators - T1408"
 },
@@ -10950,6 +11784,15 @@
 "https://www.apple.com/business/docs/iOS_Security_Guide.pdf"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "c6e17ca2-08b5-4379-9786-89bd05241831",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0",
 "value": "Modify System Partition - T1400"
 },
@@ -11240,6 +12083,15 @@
 "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483",
 "value": "Device Administrator Permissions - T1401"
 },
@@ -11575,6 +12427,15 @@
 "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "fd211238-f767-4599-8c0d-9dca36624626",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "60623164-ccd8-4508-a141-b5a34820b3de",
 "value": "Domain Generation Algorithms - T1520"
 },
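Review bot: The `revoked-by` relations added in these four hunks keep the superseded cluster UUIDs (T1408, T1400, T1401, T1520) resolvable, which is the right treatment, but the same commit deletes "Exploit OS Vulnerability - T1404", "Uncommonly Used Port - T1509", "Standard Cryptographic Protocol - T1521" and "Capture Clipboard Data - T1414" outright in later hunks. MISP events reference galaxy clusters by uuid, so unless those four entries are re-added elsewhere in the diff under the same uuid, existing event tags pointing at them will dangle after this bump. The consistent treatment would be to keep each entry and attach a `revoked-by` relation to its successor as is done here, or at least leave the entry in place with `"related": []`, rather than dropping it. The dest-uuids here do line up with entries added earlier in this diff (T1401 → T1626.001, T1520 → T1637.001), so the cross-references themselves look correct.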
@@ -11837,25 +12698,6 @@
 "uuid": "18bfa01c-9fa9-409f-91f5-4a2822609d81",
 "value": "Test physical access - T1360"
 },
- {
- "description": "A malicious app can exploit unpatched vulnerabilities in the operating system to obtain escalated privileges.",
- "meta": {
- "external_id": "APP-26",
- "kill_chain": [
- "mitre-mobile-attack:privilege-escalation"
- ],
- "mitre_platforms": [
- "Android",
- "iOS"
- ],
- "refs": [
- "https://attack.mitre.org/techniques/T1404",
- "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html"
- ]
- },
- "uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
- "value": "Exploit OS Vulnerability - T1404"
- },
 {
 "description": "A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).",
 "meta": {
@@ -11879,6 +12721,23 @@
 "uuid": "ef771e03-e080-43b4-a619-ac6f84899884",
 "value": "Exploit TEE Vulnerability - T1405"
 },
+ {
+ "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: credentials changed) to remove access to accounts. ",
+ "meta": {
+ "external_id": "T1640",
+ "kill_chain": [
+ "mitre-mobile-attack:impact"
+ ],
+ "mitre_platforms": [
+ "Android"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1640"
+ ]
+ },
+ "uuid": "e2c2249a-eb82-4614-8dd4-9c514dde65e2",
+ "value": "Account Access Removal - T1640"
+ },
 {
 "description": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021) \n\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.\n\nWithin macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp .) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)",
 "meta": {
@@ -11953,6 +12812,26 @@ "uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "value": "Windows Management Instrumentation - T1047" }, + { + "description": "Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) \n\n \n\nDue to mobile OS sandboxing, this technique is only possible in three scenarios: \n\n \n\n* An application stores files in unprotected external storage \n* An application stores files in its internal storage directory with insecure permissions (e.g. 777) \n* The adversary gains root permissions on the device ", + "meta": { + "external_id": "AUT-0", + "kill_chain": [ + "mitre-mobile-attack:collection" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1409", + "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html", + "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + ] + }, + "uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "value": "Stored Application Data - T1409" + }, { "description": "Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. 
Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no", "meta": { @@ -12108,6 +12987,15 @@ "https://attack.mitre.org/techniques/T1507" ] }, + "related": [ + { + "dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "e4c347e9-fb91-4bc5-83b8-391e389131e2", "value": "Network Information Discovery - T1507" }, @@ -12186,6 +13074,15 @@ "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/" ] }, + "related": [ + { + "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2", "value": "Suppress Application Icon - T1508" }, 
@@ -12226,24 +13123,6 @@
 "uuid": "57a3d31a-d04f-4663-b2da-7df8ec3f8c9d",
 "value": "Cloud Infrastructure Discovery - T1580"
 },
- {
- "description": "Adversaries may use non-standard ports to exfiltrate information.",
- "meta": {
- "external_id": "T1509",
- "kill_chain": [
- "mitre-mobile-attack:command-and-control"
- ],
- "mitre_platforms": [
- "Android",
- "iOS"
- ],
- "refs": [
- "https://attack.mitre.org/techniques/T1509"
- ]
- },
- "uuid": "948a447c-d783-4ba0-8516-a64140fcacd5",
- "value": "Uncommonly Used Port - T1509"
- },
 {
 "description": "Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\n\nAdversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator)\n\nOnce forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)",
 "meta": {
@@ -12590,6 +13469,15 @@
 "https://attack.mitre.org/techniques/T1412"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
 "value": "Capture SMS Messages - T1412"
 },
@@ -12661,24 +13549,6 @@
 "uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877",
 "value": "Determine strategic target - T1241"
 },
- {
- "description": "Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.",
- "meta": {
- "external_id": "T1521",
- "kill_chain": [
- "mitre-mobile-attack:command-and-control"
- ],
- "mitre_platforms": [
- "Android",
- "iOS"
- ],
- "refs": [
- "https://attack.mitre.org/techniques/T1521"
- ]
- },
- "uuid": "ed2c05a1-4f81-4d97-9e1b-aff01c34ae84",
- "value": "Standard Cryptographic Protocol - T1521"
- },
 {
 "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.\n\nBrowser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.\n\nSpecific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.",
 "meta": {
@@ -12975,29 +13845,6 @@ "uuid": "9d234df0-2344-4db4-bc0f-8de9c6c071a7", "value": "Obfuscate operational infrastructure - T1318" }, - { - "description": "Adversaries may abuse Clipboard Manager APIs to obtain sensitive information copied to the global clipboard. For example, passwords being copy-and-pasted from a password manager app could be captured by another application installed on the device.(Citation: Fahl-Clipboard)\n\nOn Android, ClipboardManager.OnPrimaryClipChangedListener can be used by applications to register as a listener and monitor the clipboard for changes.(Citation: Github Capture Clipboard 2019)\n\nAndroid 10 mitigates this technique by preventing applications from accessing clipboard data unless the application is on the foreground or is set as the device’s default input method editor (IME).(Citation: Android 10 Privacy Changes)", - "meta": { - "external_id": "APP-35", - "kill_chain": [ - "mitre-mobile-attack:collection", - "mitre-mobile-attack:credential-access" - ], - "mitre_platforms": [ - "Android", - "iOS" - ], - "refs": [ - "http://saschafahl.de/static/paper/pwmanagers2013.pdf", - "https://attack.mitre.org/techniques/T1414", - "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data", - "https://github.com/grepx/android-clipboard-security", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html" - ] - }, - "uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", - "value": "Capture Clipboard Data - T1414" - }, { "description": "An adversary could convince the mobile network operator (e.g. 
through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account.(Citation: NYGov-Simswap)(Citation: Motherboard-Simswap2) The adversary could then obtain SMS messages or hijack phone calls intended for someone else.(Citation: Betanews-Simswap)\n\nOne use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account.(Citation: Guardian-Simswap)(Citation: Motherboard-Simswap1)(Citation: Krebs-SimSwap)(Citation: TechCrunch-SimSwap)", "meta": { @@ -13028,6 +13875,12 @@ "description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).", "meta": { "external_id": "AUT-10", + "kill_chain": [ + "mitre-mobile-attack:credential-access" + ], + "mitre_platforms": [ + "iOS" + ], "refs": [ "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html", "https://attack.mitre.org/techniques/T1415", @@ -13132,6 +13985,12 @@ "description": "On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). Device information could be used to target privilege escalation exploits.", "meta": { "external_id": "T1419", + "kill_chain": [ + "mitre-mobile-attack:discovery" + ], + "mitre_platforms": [ + "Android" + ], "refs": [ "https://attack.mitre.org/techniques/T1419", "https://developer.android.com/reference/android/os/Build" 
@@ -13563,6 +14422,15 @@
 "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
 "value": "Access Contact List - T1432"
 },
@@ -13584,6 +14452,24 @@ "uuid": "2de38279-043e-47e8-aaad-1b07af6d0790", "value": "Network Service Scanning - T1423" }, + { + "description": "Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. \n\n \n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, programming library, or custom algorithm. ", + "meta": { + "external_id": "T1532", + "kill_chain": [ + "mitre-mobile-attack:collection" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1532" + ] + }, + "uuid": "e3b936a4-6321-4172-9114-038a866362ec", + "value": "Archive Collected Data - T1532" + }, { "description": "Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. \nAdversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.(Citation: Talos Gustuff Apr 2019)(Citation: ThreatFabric Cerberus)(Citation: Xiao-ZergHelper)(Citation: Cyberscoop Evade Analysis January 2019) Adversaries may access `android.os.SystemProperties` via Java reflection to obtain specific system information.(Citation: Github Anti-emulator) Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.(Citation: Sophos Anti-emulation)\n", "meta": { 
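Review bot: The new T1532 description carries whitespace artifacts — a `\n\n \n\n` paragraph break containing a lone space, and trailing spaces before the closing quote — and the same pattern appears in the T1624, T1636 and T1481.003 descriptions added in later hunks. If the cluster is meant to mirror the upstream text byte-for-byte this is acceptable, but if the descriptions are meant to be read in a UI the generator could collapse whitespace-only paragraphs and strip trailing spaces on import so the rendered text does not show empty paragraphs.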
@@ -13606,6 +14492,15 @@
 "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "786f488c-cb1f-4602-89c5-86d982ee326b",
 "value": "Evade Analysis Environment - T1523"
 },
@@ -13639,6 +14534,25 @@ "uuid": "248cbfdd-fec4-451b-b2a9-e46d4b268e30", "value": "Fast Flux DNS - T1325" }, + { + "description": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features include: an app being allowed to run because it is signed by a valid code signing certificate; an OS prompt alerting the user that an app came from an untrusted source; or getting an indication that you are about to connect to an untrusted site. The method adversaries use will depend on the specific mechanism they seek to subvert. ", + "meta": { + "external_id": "STA-7", + "kill_chain": [ + "mitre-mobile-attack:defense-evasion" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1632", + "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html" + ] + }, + "uuid": "79cb02f4-ac4e-4335-8b51-425c9573cce1", + "value": "Subvert Trust Controls - T1632" + }, { "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1326).\n\nDomain Registration Hijacking is the act of changing the registration of a domain name without the permission of the original registrant. (Citation: ICANNDomainNameHijacking)", "meta": { 
@@ -13713,15 +14627,7 @@
 "https://attack.mitre.org/techniques/T1442"
 ]
 },
- "related": [
- {
- "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "revoked-by"
- }
- ],
+ "related": [],
 "uuid": "e30cc912-7ea1-4683-9219-543b86cbdec9",
 "value": "Fake Developer Accounts - T1442"
 },
@@ -13740,9 +14646,9 @@
 "value": "Conduct active scanning - T1254"
 },
 {
- "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.\n\nOn Android, much of this information is programmatically accessible to applications through the android.os.Build class.(Citation: Android-Build)\n\nOn iOS, techniques exist for applications to programmatically access this information.(Citation: StackOverflow-iOSVersion)",
+ "description": "Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1426) during automated discovery to shape follow-on behaviors, including whether or not to fully infects the target and/or attempts specific actions. \n\n \n\nOn Android, much of this information is programmatically accessible to applications through the `android.os.Build` class. (Citation: Android-Build) iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running. ",
 "meta": {
- "external_id": "T1426",
+ "external_id": "APP-12",
 "kill_chain": [
 "mitre-mobile-attack:discovery"
 ],
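Review bot: Replacing the `revoked-by` list with `+ "related": [],` leaves this entry with an empty array, whereas other entries in the file that have no relations omit the key altogether (the deleted T1521 and T1428 blocks, for example, carry no `related` key), so consumers now have to treat absent and `[]` as the same thing. Pick one policy in the generator — dropping the key when the list is empty matches the rest of the file — and apply it here and to the identical pattern for T1443 and T1455 in later hunks. If the empty array is deliberate, for instance to record that a former revocation was withdrawn, that intent is worth a comment in the generator since nothing in the data conveys it.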
@@ -13751,14 +14657,31 @@ "iOS" ], "refs": [ - "http://stackoverflow.com/questions/7848766/how-can-we-programmatically-detect-which-ios-version-is-device-running-on", "https://attack.mitre.org/techniques/T1426", - "https://developer.android.com/reference/android/os/Build" + "https://developer.android.com/reference/android/os/Build", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html" ] }, "uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "value": "System Information Discovery - T1426" }, + { + "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via automatically and repeatedly executing malicious code. After gaining access to a victim’s system, adversaries may create or modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked. ", + "meta": { + "external_id": "T1624", + "kill_chain": [ + "mitre-mobile-attack:persistence" + ], + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1624" + ] + }, + "uuid": "d446b9f0-06a9-4a8d-97ee-298cfee84f14", + "value": "Event Triggered Execution - T1624" + }, { "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1246).\n\nSupply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. 
Understanding supply chains may provide an adversary with opportunities to exploit the technology or interconnections that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain) (Citation: RSA-supply-chain)", "meta": { @@ -13817,25 +14740,6 @@ "uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "value": "Domain Trust Discovery - T1482" }, - { - "description": "Adversaries may attempt to exploit enterprise servers, workstations, or other resources over the network. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).", - "meta": { - "external_id": "APP-32", - "kill_chain": [ - "mitre-mobile-attack:lateral-movement" - ], - "mitre_platforms": [ - "Android", - "iOS" - ], - "refs": [ - "https://attack.mitre.org/techniques/T1428", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html" - ] - }, - "uuid": "22379609-a99f-4a01-bd7e-70f3e105859d", - "value": "Exploit Enterprise Resources - T1428" - }, { "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1249).\n\nSocial Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)", "meta": { 
@@ -13950,6 +14854,24 @@ "uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db", "value": "Cloud Service Discovery - T1526" }, + { + "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time. \n\nThere are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.", + "meta": { + "external_id": "APP-27", + "kill_chain": [ + "mitre-mobile-attack:persistence" + ], + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1625", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html" + ] + }, + "uuid": "670a4d75-103b-4b14-8a9e-4652fa795edd", + "value": "Hijack Execution Flow - T1625" + }, { "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1265).\n\nSupply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the people, their positions, and relationships, that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)", "meta": { 
@@ -14160,6 +15082,15 @@
 "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
 "value": "Access Call Log - T1433"
 },
@@ -14185,15 +15116,7 @@
 "https://attack.mitre.org/techniques/T1443"
 ]
 },
- "related": [
- {
- "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "revoked-by"
- }
- ],
+ "related": [],
 "uuid": "831e3269-da49-48ac-94dc-948008e8fd16",
 "value": "Remotely Install Application - T1443"
 },
@@ -14236,6 +15159,15 @@
 "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "62adb627-f647-498e-b4cc-41499361bacb",
 "value": "Access Calendar Entries - T1435"
 },
@@ -14270,6 +15202,15 @@
 "https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "d731c21e-f27d-4756-b418-0e2aaabd6d63",
 "value": "Manipulate Device Communication - T1463"
 },
@@ -14292,6 +15233,25 @@ "uuid": "3911658a-6506-4deb-9ab4-595a51ae71ad", "value": "Commonly Used Port - T1436" }, + { + "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.", + "meta": { + "external_id": "APP-29", + "kill_chain": [ + "mitre-mobile-attack:command-and-control" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1437", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html" + ] + }, + "uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "value": "Application Layer Protocol - T1437" + }, { "description": "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)\n\nDGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). 
Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)\n\nAdversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)", "meta": { 
@@ -14330,26 +15290,6 @@ "uuid": "54456690-84de-4538-9101-643e26437e09", "value": "Domain Generation Algorithms - T1483" }, - { - "description": "Adversaries can communicate using cellular networks rather than enterprise Wi-Fi in order to bypass enterprise network monitoring systems. Adversaries may also communicate using other non-Internet Protocol mediums such as SMS, NFC, or Bluetooth to bypass network monitoring systems.", - "meta": { - "external_id": "APP-30", - "kill_chain": [ - "mitre-mobile-attack:command-and-control", - "mitre-mobile-attack:exfiltration" - ], - "mitre_platforms": [ - "Android", - "iOS" - ], - "refs": [ - "https://attack.mitre.org/techniques/T1438", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html" - ] - }, - "uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", - "value": "Alternate Network Mediums - T1438" - }, { "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making. \n\nManipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", "meta": { 
@@ -14480,6 +15420,25 @@ "uuid": "e49920b0-6c54-40c1-9571-73723653205f", "value": "Cloud Service Dashboard - T1538" }, + { + "description": "Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application’s manifest. On iOS, they must be included in the application’s `Info.plist` file. \n\n \n\nIn almost all cases, the user is required to grant access to the data store that the application is trying to access. In recent OS versions, vendors have introduced additional privacy controls for users, such as the ability to grant permission to an application only while the application is being actively used by the user. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Protected User Data](https://attack.mitre.org/techniques/T1636) without the user’s knowledge or approval. ", + "meta": { + "external_id": "APP-13", + "kill_chain": [ + "mitre-mobile-attack:collection" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1636", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html" + ] + }, + "uuid": "11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "value": "Protected User Data - T1636" + }, { "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1379).\n\nRemovable media containing malware can be injected in to a supply chain at large or small scale. It can also be physically placed for someone to find or can be sent to someone in a more targeted manner. 
The intent is to have the user utilize the removable media on a system where the adversary is trying to gain access. (Citation: USBMalwareAttacks) (Citation: FPDefendNewDomain) (Citation: ParkingLotUSB)", "meta": { @@ -14509,7 +15468,7 @@ "value": "Spearphishing for Information - T1397" }, { - "description": "Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or onto the victim’s device.", + "description": "Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.", "meta": { "external_id": "T1544", "kill_chain": [ @@ -14524,12 +15483,18 @@ ] }, "uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", - "value": "Remote File Copy - T1544" + "value": "Ingress Tool Transfer - T1544" }, { - "description": "An SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device. For example, Mulliner and Miller demonstrated such an attack against the iPhone in 2009 as described in (Citation: Forbes-iPhoneSMS).\n\nAn SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser.\n\nAs described by SRLabs in (Citation: SRLabs-SIMCard), vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages.\n\nPlatforms: Android, iOS", + "description": "Test", "meta": { "external_id": "T1454", + "kill_chain": [ + "mitre-mobile-attack:collection" + ], + "mitre_platforms": [ + "Android" + ], "refs": [ "https://attack.mitre.org/techniques/T1454" ] 
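Review bot: The T1454 description is replaced by the placeholder `"Test"`, discarding the substantive text that was there, while the same entry simultaneously gains a `kill_chain` and `mitre_platforms` as if it were a live technique. The string is presumably what upstream publishes, but shipping it verbatim leaves a technique entry with no usable description; either retain the previous description (or a one-line deprecation note) for this entry, or have the import reject descriptions that are empty or match known placeholders so this is caught before the next bump. The `Remote File Copy` → `Ingress Tool Transfer` rename in the preceding hunk looks safe since the `uuid` is unchanged.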
@@ -14539,9 +15504,9 @@ "value": "Malicious SMS Message - T1454" }, { - "description": "As further described in [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.\n\nThird-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, security issues have previously been identified in third-party advertising libraries incorporated into apps.(Citation: NowSecure-RemoteCode)(Citation: Grace-Advertisement).", + "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. 
Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode)", "meta": { - "external_id": "APP-6", + "external_id": "SPC-21", "kill_chain": [ "mitre-mobile-attack:initial-access" ], 
@@ -14552,6 +15517,28 @@ "refs": [ "https://attack.mitre.org/techniques/T1474", "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-0.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-1.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-10.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-11.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-12.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-13.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-14.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-15.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-16.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-17.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-18.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-19.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-2.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-21.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-3.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-5.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-6.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-7.html", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-8.html", + 
"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-9.html", "https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf", "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/" ] @@ -14575,6 +15562,15 @@ "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html" ] }, + "related": [ + { + "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "8e27551a-5080-4148-a584-c64348212e4f", "value": "Delete Device Data - T1447" }, @@ -14594,6 +15590,15 @@ "https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2014_Report_Final.pdf" ] }, + "related": [ + { + "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", "value": "Carrier Billing Fraud - T1448" }, @@ -14669,15 +15674,7 @@ "https://attack.mitre.org/techniques/T1455" ] }, - "related": [ - { - "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "revoked-by" - } - ], + "related": [], "uuid": "c91c304a-975d-4501-9789-0db1c57afd3f", "value": "Exploit Baseband Vulnerability - T1455" }, @@ -14906,6 +15903,15 @@ "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html" ] }, + "related": [ + { + "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "8c7862ff-3449-4ac6-b0fd-ac1298a822a5", "value": "Uninstall Malicious Application - T1576" }, 
@@ -15255,6 +16261,30 @@
 "uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023",
 "value": "SID-History Injection - T1134.005"
 },
+ {
+ "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ",
+ "meta": {
+ "external_id": "T1481.003",
+ "kill_chain": [
+ "mitre-mobile-attack:command-and-control"
+ ],
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1481/003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "d916f176-a1ca-4a78-9fdd-4058bc28162e",
+ "value": "One-Way Communication - T1481.003"
+ },
 {
 "description": "Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).\n\nSide-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)",
 "meta": {
@@ -15433,9 +16463,36 @@
 "https://attack.mitre.org/techniques/T1605"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "e083305c-49e7-4c87-aae8-9689213bffbe",
 "value": "Command-Line Interface - T1605"
 },
+ {
+ "description": "Adversaries may generate network traffic using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.",
+ "meta": {
+ "external_id": "T1509",
+ "kill_chain": [
+ "mitre-mobile-attack:command-and-control"
+ ],
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1509"
+ ]
+ },
+ "uuid": "948a447c-d783-4ba0-8516-a64140fcacd5",
+ "value": "Non-Standard Port - T1509"
+ },
 {
 "description": "Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist. \n\nAn adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence).",
 "meta": {
@@ -15611,7 +16668,7 @@
 "value": "Pre-OS Boot - T1542"
 },
 {
- "description": "As described by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), a drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. For example, a website may contain malicious media content intended to exploit vulnerabilities in media parsers as demonstrated by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright).\n\n(This technique was formerly known as Malicious Web Content. It has been renamed to better align with ATT&CK for Enterprise.)",
+ "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Lookout-StealthMango)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.",
 "meta": {
 "external_id": "CEL-22",
 "kill_chain": [
@@ -15623,12 +16680,12 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1456",
- "https://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/",
+ "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf",
 "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html"
 ]
 },
 "uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57",
- "value": "Drive-by Compromise - T1456"
+ "value": "Drive-By Compromise - T1456"
 },
 {
 "description": "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. \n\nAdversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Linux environments support several different IPC mechanisms, two of which being sockets and pipes.(Citation: Linux IPC) Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)",
@@ -16682,6 +17739,30 @@
 "uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec",
 "value": "Malicious Image - T1204.003"
 },
+ {
+ "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.(Citation: Android DevicePolicyManager 2019) \n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.",
+ "meta": {
+ "external_id": "T1630.002",
+ "kill_chain": [
+ "mitre-mobile-attack:defense-evasion"
+ ],
+ "mitre_platforms": [
+ "Android"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1630/002",
+ "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
+ "value": "File Deletion - T1630.002"
+ },
 {
 "description": "Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the /Library/Preferences/com.apple.loginwindow.plist file and can be modified using the defaults command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev) \n\nAdversaries can add or insert a path to a malicious script in the com.apple.loginwindow.plist file, using the LoginHook or LogoutHook key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.(Citation: S1 macOs Persistence)(Citation: Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11 version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) ",
 "meta": {
@@ -16716,6 +17797,30 @@
 "uuid": "43ba2b05-cf72-4b6c-8243-03a4aba41ee0",
 "value": "Login Hook - T1037.002"
 },
+ {
+ "description": "Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. \n\nUtilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.",
+ "meta": {
+ "external_id": "T1406.002",
+ "kill_chain": [
+ "mitre-mobile-attack:defense-evasion"
+ ],
+ "mitre_platforms": [
+ "iOS",
+ "Android"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1406/002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "51636761-2e35-44bf-9e56-e337adf97174",
+ "value": "Software Packing - T1406.002"
+ },
 {
 "description": "Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks. \n\nAdversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary. ",
 "meta": {
@@ -17589,6 +18694,30 @@
 "uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
 "value": "Standard Encoding - T1132.001"
 },
+ {
+ "description": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4.",
+ "meta": {
+ "external_id": "T1521.001",
+ "kill_chain": [
+ "mitre-mobile-attack:command-and-control"
+ ],
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1521/001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ed2c05a1-4f81-4d97-9e1b-aff01c34ae84",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "bb4387ab-7a51-468b-bf5f-a9a8612f0303",
+ "value": "Symmetric Cryptography - T1521.001"
+ },
 {
 "description": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account.\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.",
 "meta": {
@@ -17653,6 +18782,30 @@
 "uuid": "8c41090b-aa47-4331-986b-8c9a51a91103",
 "value": "Internal Defacement - T1491.001"
 },
+ {
+ "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. Due to how asymmetric algorithms work, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA, ElGamal, and ECDSA.\n\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1521/002).",
+ "meta": {
+ "external_id": "T1521.002",
+ "kill_chain": [
+ "mitre-mobile-attack:command-and-control"
+ ],
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1521/002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ed2c05a1-4f81-4d97-9e1b-aff01c34ae84",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8",
+ "value": "Asymmetric Cryptography - T1521.002"
+ },
 {
 "description": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.\n\nControl Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)\n\nMalicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.\n\nAdversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020)",
 "meta": {
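Review bot: The new Asymmetric Cryptography - T1521.002 description ends its first paragraph with `Common public key encryption algorithms include RSA, ElGamal, and ECDSA.`, but ECDSA is a digital-signature scheme and does not encrypt anything, so the sentence misstates the mechanism the technique is about. The wording appears to be mirrored verbatim from the upstream ATT&CK technique page, so the correction belongs in the upstream source rather than in a hand edit of this generated cluster, which the next bump would overwrite. Reporting it upstream so that the fixed text flows into a later bump is the practical path.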
@@ -17749,6 +18902,31 @@
 "uuid": "7610cada-1499-41a4-b3dd-46467b68d177",
 "value": "Domain Account - T1136.002"
 },
+ {
+ "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. \n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. \n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. \n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files. ",
+ "meta": {
+ "external_id": "T1623.001",
+ "kill_chain": [
+ "mitre-mobile-attack:execution"
+ ],
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1623/001",
+ "https://partner.samsungknox.com/mtd"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "29f1f56c-7b7a-4c14-9e39-59577ea2743c",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1",
+ "value": "Unix Shell - T1623.001"
+ },
 {
 "description": "Adversaries may abuse the Microsoft Office \"Office Test\" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)\n\nThere exist user and global Registry keys for the Office Test feature:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office test\\Special\\Perf\n\nAdversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.",
 "meta": {
@@ -17820,6 +18998,54 @@
 "uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada",
 "value": "System Firmware - T1542.001"
 },
+ {
+ "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAn intent is a message passed between Android applications or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. \n\nIn addition to Android system intents, malicious applications can register for intents broadcasted by other applications. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. \n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts) ",
+ "meta": {
+ "external_id": "T1624.001",
+ "kill_chain": [
+ "mitre-mobile-attack:persistence"
+ ],
+ "mitre_platforms": [
+ "Android"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1624/001",
+ "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d446b9f0-06a9-4a8d-97ee-298cfee84f14",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
+ "value": "Broadcast Receivers - T1624.001"
+ },
+ {
+ "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ",
+ "meta": {
+ "external_id": "T1481.002",
+ "kill_chain": [
+ "mitre-mobile-attack:command-and-control"
+ ],
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1481/002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "939808a7-121d-467a-b028-4441ee8b7cee",
+ "value": "Bidirectional Communication - T1481.002"
+ },
 {
 "description": "An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. [External Defacement](https://attack.mitre.org/techniques/T1491/002) may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement)",
 "meta": {
@@ -17983,6 +19209,30 @@
 "uuid": "a009cb25-4801-4116-9105-80a91cf15c1b",
 "value": "Cloud Account - T1136.003"
 },
+ {
+ "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nHardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices. ",
+ "meta": {
+ "external_id": "T1633.001",
+ "kill_chain": [
+ "mitre-mobile-attack:defense-evasion"
+ ],
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1633/001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "27d18e87-8f32-4be1-b456-39b90454360f",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
+ "value": "System Checks - T1633.001"
+ },
 {
 "description": "Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)\n\nOnce malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SensePost Outlook Forms)",
 "meta": {
@@ -18054,6 +19304,31 @@
 "uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
 "value": "Launch Agent - T1543.001"
 },
+ {
+ "description": "Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server. \n\nWeb protocols such as HTTP and HTTPS are used for web traffic as well as well as notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and newly, Firebase Cloud Messaging (FCM), (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order blend in with routine device traffic making it difficult for enterprises to inspect. ",
+ "meta": {
+ "external_id": "APP-29",
+ "kill_chain": [
+ "mitre-mobile-attack:command-and-control"
+ ],
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1437/001",
+ "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
+ "value": "Web Protocols - T1437.001"
+ },
 {
 "description": "Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls in macOS. When documents, applications, or programs are downloaded an extended attribute (xattr) called com.apple.quarantine can be set on the file by the application performing the download. This attribute, also known as a quarantine flag, is read by Apple's Gatekeeper defense program when the file is run and provides a prompt to the user to allow or deny execution. Gatekeeper also monitors an application's usage of dynamic libraries (dylibs) loaded outside the application folder on any quarantined binary, often using the dlopen function. If the quarantine flag is set in macOS 10.15+, Gatekeeper also checks for a notarization ticket and sends a cryptographic hash to Apple's servers to check for validity for all unsigned executables.(Citation: TheEclecticLightCompany apple notarization )(Citation: Bypassing Gatekeeper)\n\nThe quarantine flag is an opt-in system and not imposed by macOS. If an application opts-in, a file downloaded from the Internet will be given a quarantine flag before being saved to disk. Any application or user with write permissions to the file can change or strip the quarantine flag. With elevated permission (sudo), this attribute can be removed from any file. The presence of the com.apple.quarantine quarantine flag can be checked with the xattr command xattr -l /path/to/examplefile. Similarly, this attribute can be recursively removed from all files in a folder using xattr, sudo xattr -d com.apple.quarantine /path/to/folder.(Citation: 20 macOS Common Tools and Techniques)(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: theevilbit gatekeeper bypass 2021)\n\nApps and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command do not set this flag. Additionally, it is possible to avoid setting this flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), which may bypass Gatekeeper. (Citation: Methods of Mac Malware Persistence)(Citation: Clearing quarantine attribute)(Citation: OceanLotus for OS X)",
 "meta": {
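Review bot: `"external_id": "APP-29"` on the new Web Protocols - T1437.001 entry records the NIST Mobile Threat Catalogue identifier rather than the ATT&CK sub-technique id that the `value` field and the first `refs` URL carry, whereas the sibling sub-technique entries added by this patch (T1521.001, T1633.001, T1635.001) put the technique id in `external_id`. If the generator takes the last external reference as the id, any consumer that looks entries up by ATT&CK id will miss this one; the same pattern is visible on the unchanged Drive-By Compromise - T1456 entry earlier in this chunk, whose `external_id` is `CEL-22`. Keying `external_id` on the mitre-attack source reference and carrying catalogue ids only in `refs` would make the field usable as a stable lookup key across the cluster.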
@@ -18160,6 +19435,34 @@
 "uuid": "4d2a5b3e-340d-4600-9123-309dd63c9bf8",
 "value": "SSH Hijacking - T1563.001"
 },
+ {
+ "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. \n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE) ",
+ "meta": {
+ "external_id": "T1635.001",
+ "kill_chain": [
+ "mitre-mobile-attack:credential-access"
+ ],
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1635/001",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/",
+ "https://developer.android.com/training/app-links/index.html",
+ "https://tools.ietf.org/html/rfc7636",
+ "https://tools.ietf.org/html/rfc8252"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "233fe2c0-cb41-4765-b454-e0087597fbce",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "789ef15a-34d9-4b32-a779-8cbbc9eb32f5",
+ "value": "URI Hijacking - T1635.001"
+ },
 {
 "description": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.",
 "meta": {
@@ -18246,6 +19549,31 @@
 "uuid": "bbe5b322-e2af-4a5e-9625-a4e62bf84ed3",
 "value": "Social Media - T1593.001"
 },
+ {
+ "description": "Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the `EventKit` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Calendar Entries](https://attack.mitre.org/techniques/T1636/001) without the user’s knowledge or approval. ",
+ "meta": {
+ "external_id": "APP-13",
+ "kill_chain": [
+ "mitre-mobile-attack:collection"
+ ],
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1636/001",
+ "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922",
+ "value": "Calendar Entries - T1636.001"
+ },
 {
 "description": "Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. \n\nVDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009)(Citation: Backtrace VDSO)(Citation: VDSO Aug 2005)(Citation: Syscall 2014)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process. ",
 "meta": {
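Review bot: The new description carries a `\n\n \n\n` run (a paragraph holding only a space) and a trailing space before the closing quote; the same artefacts are in the Call Log, Contact List, Location Tracking and Video Capture descriptions added further down. They are valid JSON and come from the upstream STIX text, but they presumably render as empty paragraphs and will churn on every bump; if the generator normalises description text, collapsing whitespace-only paragraphs and stripping trailing whitespace would keep future diffs to real content changes.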
@@ -18569,6 +19897,57 @@
 "uuid": "791481f8-e96a-41be-b089-a088763083d4",
 "value": "Component Firmware - T1542.002"
 },
+ {
+ "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.",
+ "meta": {
+ "external_id": "T1628.002",
+ "kill_chain": [
+ "mitre-mobile-attack:defense-evasion"
+ ],
+ "mitre_platforms": [
+ "Android"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1628/002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "fc53309d-ebd5-4573-9242-57024ebdad4f",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "24a77e53-0751-46fc-b207-99378fb35c08",
+ "value": "User Evasion - T1628.002"
+ },
+ {
+ "description": "An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using `DevicePolicyManager.lockNow()`. Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted “call” notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.(Citation: Microsoft MalLockerB)(Citation: Talos GPlayed)(Citation: securelist rotexy 2018)\n\nPrior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device’s passcode.(Citation: Android resetPassword)",
+ "meta": {
+ "external_id": "APP-22",
+ "kill_chain": [
+ "mitre-mobile-attack:defense-evasion"
+ ],
+ "mitre_platforms": [
+ "Android"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1629/002",
+ "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html",
+ "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)",
+ "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html",
+ "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/",
+ "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "20b0931a-8952-42ca-975f-775bad295f1a",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "acf8fd2a-dc98-43b4-8d37-64e10728e591",
+ "value": "Device Lockout - T1629.002"
+ },
 {
 "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:\n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. \n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)",
 "meta": {
@@ -18780,6 +20159,31 @@
 "uuid": "6e561441-8431-4773-a9b8-ccf28ef6a968",
 "value": "Search Engines - T1593.002"
 },
+ {
+ "description": "Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user’s knowledge or approval. ",
+ "meta": {
+ "external_id": "APP-13",
+ "kill_chain": [
+ "mitre-mobile-attack:collection"
+ ],
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1636/002",
+ "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
+ "value": "Call Log - T1636.002"
+ },
 {
 "description": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.\n\nAdversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)",
 "meta": {
@@ -19395,6 +20799,31 @@
 "uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
 "value": "Windows Service - T1543.003"
 },
+ {
+ "description": "Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the `Contacts` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Contact List](https://attack.mitre.org/techniques/T1636/003) without the user’s knowledge or approval. ",
+ "meta": {
+ "external_id": "APP-13",
+ "kill_chain": [
+ "mitre-mobile-attack:collection"
+ ],
+ "mitre_platforms": [
+ "iOS",
+ "Android"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1636/003",
+ "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "value": "Contact List - T1636.003"
+ },
 {
 "description": "Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)\n\nAdversaries may install a Launch Daemon configured to execute at startup by using the RunAtLoad parameter set to true and the Program parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. [Masquerading](https://attack.mitre.org/techniques/T1036)). When the Launch Daemon is executed, the program inherits administrative permissions.(Citation: WireLurker)(Citation: OSX Malware Detection)\n\nAdditionally, system configuration changes (such as the installation of third party package managing software) may cause folders such as usr/local/bin to become globally writeable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemon's plist files.(Citation: LaunchDaemon Hijacking)(Citation: sentinelone macos persist Jun 2019)",
 "meta": {
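Review bot: `mitre_platforms` is `["iOS", "Android"]` on the new Contact List entry while every other entry added by this commit lists `["Android", "iOS"]`; the order carries no meaning, but consumers that compare or hash clusters see a spurious difference, and the field will flip again whenever upstream reorders its list. Sorting the array when the generator emits it would make the field stable across bumps.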
@@ -19504,6 +20933,31 @@
 "uuid": "61afc315-860c-4364-825d-0d62b2e91edc",
 "value": "Time Providers - T1547.003"
 },
+ {
+ "description": "Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages. \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [SMS Messages](https://attack.mitre.org/techniques/T1636/004) without the user’s knowledge or approval. ",
+ "meta": {
+ "external_id": "APP-13",
+ "kill_chain": [
+ "mitre-mobile-attack:collection"
+ ],
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1636/004",
+ "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "c6421411-ae61-42bb-9098-73fddb315002",
+ "value": "SMS Messages - T1636.004"
+ },
 {
 "description": "Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).\n\nDHCP is based on a client-server model and has two functionalities: a protocol for providing network configuration settings from a DHCP server to a client and a mechanism for allocating network addresses to clients.(Citation: rfc2131) The typical server-client interaction is as follows: \n\n1. The client broadcasts a `DISCOVER` message.\n\n2. The server responds with an `OFFER` message, which includes an available network address. \n\n3. The client broadcasts a `REQUEST` message, which includes the network address offered. \n\n4. The server acknowledges with an `ACK` message and the client receives the network configuration parameters.\n\nAdversaries may spoof as a rogue DHCP server on the victim network, from which legitimate hosts may receive malicious network configurations. For example, malware can act as a DHCP server and provide adversary-owned DNS servers to the victimized computers.(Citation: new_rogue_DHCP_serv_malware)(Citation: w32.tidserv.g) Through the malicious network configurations, an adversary may achieve the AiTM position, route client traffic through adversary-controlled systems, and collect information from the client network.\n\nRather than establishing an AiTM position, adversaries may also abuse DHCP spoofing to perform a DHCP exhaustion attack (i.e. [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)) by generating many broadcast DISCOVER messages to exhaust a network’s DHCP allocation pool. ",
 "meta": {
@@ -20538,6 +21992,24 @@
 "uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
 "value": "System Shutdown/Reboot - T1529"
 },
+ {
+ "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) during automated discovery to shape follow-on behaviors. \n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) such as checking for system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. ",
+ "meta": {
+ "external_id": "T1633",
+ "kill_chain": [
+ "mitre-mobile-attack:defense-evasion"
+ ],
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1633"
+ ]
+ },
+ "uuid": "27d18e87-8f32-4be1-b456-39b90454360f",
+ "value": "Virtualization/Sandbox Evasion - T1633"
+ },
 {
 "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.(Citation: Unit 42 Pirpi July 2015)\n\n",
 "meta": {
@@ -21079,6 +22551,15 @@
 "https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "74e6003f-c7f4-4047-983b-708cc19b96b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "e399430e-30b7-48c5-b70a-f44dc8c175cb",
 "value": "Clipboard Modification - T1510"
 },
@@ -21466,6 +22947,15 @@
 "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69",
 "value": "Broadcast Receivers - T1402"
 },
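Review bot: The new Virtualization/Sandbox Evasion (T1633) entry has no `related` key at all, while the sub-technique entries added earlier in this diff (T1437.001, T1635.001, the T1636 sub-techniques) carry a `related` list; the Encrypted Channel (T1521) and Process Injection (T1631) entries further down omit the key the same way. Consumers therefore have to treat "key absent" and "empty list" as the same state, which is the kind of shape inconsistency that breaks unconditional iteration over `related`. Emitting `"related": []` on every cluster (presumably a one-line change where the generator only writes the key when relationships exist) would give the file a single shape.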
@@ -21699,7 +23189,7 @@
 "value": "Path Interception - T1034"
 },
 {
- "description": "An adversary could use a malicious or exploited application to surreptitiously track the device's physical location through use of standard operating system APIs.",
+ "description": "Adversaries may track a device’s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. \n\n \n\nOn Android, applications holding the `ACCESS_COAURSE_LOCATION` or `ACCESS_FINE_LOCATION` permissions provide access to the device’s physical location. On Android 10 and up, declaration of the `ACCESS_BACKGROUND_LOCATION` permission in an application’s manifest will allow applications to request location access even when the application is running in the background.(Citation: Android Request Location Permissions) Some adversaries have utilized integration of Baidu map services to retrieve geographical location once the location access permissions had been obtained.(Citation: PaloAlto-SpyDealer)(Citation: Palo Alto HenBox) \n\n \n\nOn iOS, applications must include the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file depending on the extent of requested access to location information.(Citation: Apple Requesting Authorization for Location Services) On iOS 8.0 and up, applications call `requestWhenInUseAuthorization()` to request access to location information when the application is in use or `requestAlwaysAuthorization()` to request access to location information regardless of whether the application is in use. With elevated privileges, an adversary may be able to access location data without explicit user consent with the `com.apple.locationd.preauthorized` entitlement key.(Citation: Google Project Zero Insomnia)",
 "meta": {
 "external_id": "APP-24",
 "kill_chain": [
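Review bot: The new description names the Android permission as `ACCESS_COAURSE_LOCATION`; the actual permission is `ACCESS_COARSE_LOCATION`, so anyone searching the galaxy for the real permission string will not find this technique, and the sentence reads as if it named a third permission. The text is synced from upstream ATT&CK, so the correction belongs upstream (or in a local override applied by the generator) rather than in a hand edit of this file that the next bump would overwrite. The `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` names in the same paragraph are spelled correctly.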
@@ -21712,7 +23202,12 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1430",
- "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html"
+ "https://developer.android.com/training/location/permissions",
+ "https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services",
+ "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html",
+ "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html",
+ "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/",
+ "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"
 ]
 },
 "uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
@@ -21859,6 +23354,15 @@
 "https://shunix.com/shared-library-injection-in-android/"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "039bc59c-ecc7-4997-b2b4-4ab728bd91aa",
 "value": "Code Injection - T1540"
 },
@@ -22418,6 +23922,15 @@
 "https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
 "value": "Input Prompt - T1411"
 },
@@ -22645,7 +24158,25 @@
 "value": "Data Encoding - T1132"
 },
 {
- "description": "Adversaries may utilize the camera to capture information about the user, their surroundings, or other physical identifiers. Adversaries may use the physical camera devices on a mobile device to capture images or video. By default, in Android and iOS, an application must request permission to access a camera device which is granted by the user through a request prompt. In Android, applications must hold the `android.permission.CAMERA` permission to access the camera. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file, and must request access to the camera at runtime.",
+ "description": "Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.",
+ "meta": {
+ "external_id": "T1521",
+ "kill_chain": [
+ "mitre-mobile-attack:command-and-control"
+ ],
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1521"
+ ]
+ },
+ "uuid": "ed2c05a1-4f81-4d97-9e1b-aff01c34ae84",
+ "value": "Encrypted Channel - T1521"
+ },
+ {
+ "description": "An adversary can leverage a device’s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files. \n\n \n\nMalware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1513) due to use of the device’s cameras for video recording rather than capturing the victim’s screen. \n\n \n\nIn Android, an application must hold the `android.permission.CAMERA` permission to access the cameras. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user. ",
 "meta": {
 "external_id": "APP-19",
 "kill_chain": [
@@ -22661,7 +24192,7 @@
 ]
 },
 "uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
- "value": "Capture Camera - T1512"
+ "value": "Video Capture - T1512"
 },
 {
 "description": "An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim's screen.\n\nIn macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)",
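Review bot: Renaming the existing cluster `d8940e76-f9c1-4912-bea6-e21c251370b6` from `"Capture Camera - T1512"` to `"Video Capture - T1512"` changes the `value` that MISP galaxy tags are built from, so events and correlation rules tagged with the old name stop resolving to this entry even though its uuid is unchanged. Carrying the old name as `"synonyms": ["Capture Camera - T1512"]` under `meta` keeps the old tag resolvable, and the rename is worth calling out in the commit description either way. The same hunk also inserts the new Encrypted Channel (T1521) object directly before the renamed one, which is structurally fine but makes the diff read as if the camera description had been replaced by the encryption text; a reviewer checking the rename should look at the second hunk of this pair rather than the first.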
@@ -22884,7 +24415,7 @@
 "value": "Hidden Window - T1143"
 },
 {
- "description": "Adversaries may use screen captures to collect information about applications running in the foreground, capture user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015)",
+ "description": "Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015) ",
 "meta": {
 "external_id": "APP-40",
 "kill_chain": [
@@ -22935,6 +24466,25 @@ "uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", "value": "Create Account - T1136" }, + { + "description": "Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nBoth Android and iOS have no legitimate way to achieve process injection. The only way this is possible is by abusing existing root access or exploiting a vulnerability.", + "meta": { + "external_id": "T1631", + "kill_chain": [ + "mitre-mobile-attack:defense-evasion", + "mitre-mobile-attack:privilege-escalation" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1631" + ] + }, + "uuid": "b7c0e45f-0206-4f75-96e7-fe7edad3aaff", + "value": "Process Injection - T1631" + }, { "description": "The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017) Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). 
If so, the shim database uses [Hooking](https://attack.mitre.org/techniques/T1179) to redirect the code as necessary in order to communicate with the OS. \n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress). Similar to [Hooking](https://attack.mitre.org/techniques/T1179), utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc.", "meta": { 
@@ -23065,12 +24615,36 @@ "uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e", "value": "Gatekeeper Bypass - T1144" }, + { + "description": "Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.(Citation: Fahl-Clipboard) \n\n \n\nOn Android, applications can use the `ClipboardManager.OnPrimaryClipChangedListener()` API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device’s default input method editor (IME).(Citation: Github Capture Clipboard 2019)(Citation: Android 10 Privacy Changes) \n\n \n\nOn iOS, this can be accomplished by accessing the `UIPasteboard.general.string` field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. 
For example, if the user copies the text of an iMessage from the Messages application, the notification will read “application_name has pasted from Messages” when the text was pasted in a different application.(Citation: UIPPasteboard)", + "meta": { + "external_id": "APP-35", + "kill_chain": [ + "mitre-mobile-attack:collection", + "mitre-mobile-attack:credential-access" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "http://saschafahl.de/static/paper/pwmanagers2013.pdf", + "https://attack.mitre.org/techniques/T1414", + "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data", + "https://developer.apple.com/documentation/uikit/uipasteboard", + "https://github.com/grepx/android-clipboard-security", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html" + ] + }, + "uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", + "value": "Clipboard Data - T1414" + }, { "description": "Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.(Citation: Android-SensorsOverview) Applications can retain sensor access by running in the foreground, using Android’s `startForeground()` API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.(Citation: Android-ForegroundServices)\n\nMalicious applications may abuse the `startForeground()` API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. 
This would allow unhindered access to the device’s sensors, assuming permission has been previously granted.(Citation: BlackHat Sutter Android Foreground 2019)\n\nMalicious applications may also abuse the `startForeground()` API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.(Citation: TrendMicro-Yellow Camera)", "meta": { "external_id": "APP-19", "kill_chain": [ - "mitre-mobile-attack:collection", + "mitre-mobile-attack:defense-evasion", "mitre-mobile-attack:persistence" ], "mitre_platforms": [ 
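Review bot: The new Clipboard Data entry carries `"external_id": "APP-35"`, the NIST Mobile Threat Catalogue reference, while its ATT&CK id `T1414` survives only inside `"value"`; other entries added in this bump (T1631 on L147, T1641 on L154) use the ATT&CK id, so a consumer keying on `external_id` now sees two id schemes in one cluster. This looks like the generator taking the id from whichever external reference comes first after sorting rather than from the ATT&CK one, and the hunks on L155–L157 turn it into a regression by rewriting existing `T1417`/`T1418` to `AUT-13`/`APP-12`. `APP-19` already sits on three distinct techniques here (T1512 on L145, the foreground-service entry in this hunk, T1429 on L163), which shows the MTC id cannot work as a key. Selecting the reference whose `source_name` is the ATT&CK source would give `"external_id": "T1414"` here and `T1629` on L166, with the MTC page still listed under `refs`.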
@@ -23120,7 +24694,7 @@ "value": "Private Keys - T1145" }, { - "description": "An adversary with physical access to a mobile device may seek to bypass the device's lockscreen.\n\n### Biometric Spoofing\nIf biometric authentication is used, an adversary could attempt to spoof a mobile device's biometric authentication mechanism(Citation: SRLabs-Fingerprint)(Citation: SecureIDNews-Spoof)(Citation: TheSun-FaceID).\n\niOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked (Citation: Apple-TouchID). Android has similar mitigations.\n\n### Device Unlock Code Guessing or Brute Force\nAn adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\"shoulder surfing\") the device owner's use of the lockscreen passcode. \n\n### Exploit Other Device Lockscreen Vulnerabilities\nTechniques have periodically been demonstrated that exploit vulnerabilities on Android (Citation: Wired-AndroidBypass), iOS (Citation: Kaspersky-iOSBypass), or other mobile devices to bypass the device lockscreen. The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence.", + "description": "An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including:\n\n* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device’s biometric authentication mechanism. 
Both iOS and Android partly mitigate this attack by requiring the device’s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\n* Unlock code bypass: An adversaries could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (“shoulder surfing”) the device owner’s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\n* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\n", "meta": { "external_id": "T1461", "kill_chain": [ @@ -23133,8 +24707,6 @@ "refs": [ "https://attack.mitre.org/techniques/T1461", "https://srlabs.de/bites/spoofing-fingerprints/", - "https://support.apple.com/en-us/HT204587", - "https://thehackernews.com/2016/05/android-kernal-exploit.htmlhttps://www.secureidnews.com/news-item/another-spoof-of-mobile-biometrics/", "https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/", "https://www.thesun.co.uk/tech/5584082/iphone-x-face-unlock-tricked-broken/", "https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/" 
@@ -23143,6 +24715,23 @@
 "uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd",
 "value": "Lockscreen Bypass - T1461"
 },
+ {
+ "description": "Adversaries may insert, delete, or alter data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application, process, and the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.",
+ "meta": {
+ "external_id": "T1641",
+ "kill_chain": [
+ "mitre-mobile-attack:impact"
+ ],
+ "mitre_platforms": [
+ "Android"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1641"
+ ]
+ },
+ "uuid": "c548d8c4-a0a3-4a24-bb79-2a84abbc7b36",
+ "value": "Data Manipulation - T1641"
+ },
 {
 "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)",
 "meta": {
@@ -23160,13 +24749,22 @@ "https://tools.ietf.org/html/rfc7636" ] }, + "related": [ + { + "dest-uuid": "789ef15a-34d9-4b32-a779-8cbbc9eb32f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "77e30eee-fd48-40b4-99ec-73e97c158b58", "value": "URI Hijacking - T1416" }, { - "description": "Adversaries may capture user input to obtain credentials or other information from the user through various methods.\n\nMalware may masquerade as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.\n\nOn Android, malware may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed.\n\nAdditional methods of keylogging may be possible if root access is available.", + "description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Keylogging](https://attack.mitre.org/techniques/T1417/001)) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. [GUI Input Capture](https://attack.mitre.org/techniques/T1417/002)).", "meta": { - "external_id": "T1417", + "external_id": "AUT-13", "kill_chain": [ "mitre-mobile-attack:collection", "mitre-mobile-attack:credential-access" 
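Review bot: URI Hijacking gains a `revoked-by` relation to `789ef15a-…`, but nothing in the entry itself — `value`, `description`, `kill_chain` — says it is revoked, whereas the deprecated objects in this file announce it in the first line of `description` (`**This technique has been deprecated…**` on the T1382 entry, L160). Anyone browsing cluster values or reading the description therefore cannot tell this entry from a live one; surfacing the revocation in `description` the same way, or documenting that `related[].type == "revoked-by"` is the only signal, would close that gap. The `dest-uuid` should also resolve to an entry in this same cluster file (the successor technique), or the relation dangles; the same holds for the `revoked-by` additions for T1618 on L159 and T1446 on L168.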
@@ -23177,7 +24775,8 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1417",
- "https://zeltser.com/third-party-keyboards-security/"
+ "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html",
+ "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html"
 ]
 },
 "uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad",
@@ -23211,11 +24810,10 @@
 "value": "Hidden Users - T1147"
 },
 {
- "description": "Adversaries may seek to identify all applications installed on the device. One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary's risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target.\n\nOn Android, applications can use methods in the PackageManager class (Citation: Android-PackageManager) to enumerate other apps installed on device, or an entity with shell access can use the pm command line tool.\n\nOn iOS, apps can use private API calls to obtain a list of other apps installed on the device. (Citation: Kurtz-MaliciousiOSApps) However, use of private API calls will likely prevent the application from being distributed through Apple's App Store.",
+ "description": "Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions. \n\n \n\nAdversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications. ",
 "meta": {
- "external_id": "T1418",
+ "external_id": "APP-12",
 "kill_chain": [
- "mitre-mobile-attack:defense-evasion",
 "mitre-mobile-attack:discovery"
 ],
 "mitre_platforms": [
@@ -23223,13 +24821,12 @@ "iOS" ], "refs": [ - "https://andreas-kurtz.de/2014/09/malicious-ios-apps/", "https://attack.mitre.org/techniques/T1418", - "https://developer.android.com/reference/android/content/pm/PackageManager.html" + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html" ] }, "uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", - "value": "Application Discovery - T1418" + "value": "Software Discovery - T1418" }, { "description": "Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.\n\nIn order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent's socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial. (Citation: Slideshare Abusing SSH) (Citation: SSHjack Blackhat) (Citation: Clockwork SSH Agent Hijacking) Compromising the SSH agent also provides access to intercept SSH credentials. (Citation: Welivesecurity Ebury SSH)\n\n[SSH Hijacking](https://attack.mitre.org/techniques/T1184) differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021) because it injects into an existing SSH session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).", 
@@ -23263,7 +24860,7 @@ "value": "SSH Hijacking - T1184" }, { - "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system.\n\nThese commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).", + "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). 
\n\n ",
 "meta": {
 "external_id": "T1481",
 "kill_chain": [
@@ -23378,7 +24975,7 @@
 "value": "Startup Items - T1165"
 },
 {
- "description": "A malicious application can read notifications sent by the operating system or other applications, which may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. A malicious application can also dismiss notifications to prevent the user from noticing that the notifications arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass)",
+ "description": "Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass) ",
 "meta": {
 "external_id": "T1517",
 "kill_chain": [
@@ -23627,6 +25224,15 @@
 "https://attack.mitre.org/techniques/T1618"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "24a77e53-0751-46fc-b207-99378fb35c08",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d",
 "value": "User Evasion - T1618"
 },
@@ -23798,24 +25404,6 @@
 "uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391",
 "value": "Debugger Evasion - T1622"
 },
- {
- "description": "Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file formats that can encrypt files are RAR and zip.",
- "meta": {
- "external_id": "T1532",
- "kill_chain": [
- "mitre-mobile-attack:exfiltration"
- ],
- "mitre_platforms": [
- "Android",
- "iOS"
- ],
- "refs": [
- "https://attack.mitre.org/techniques/T1532"
- ]
- },
- "uuid": "e3b936a4-6321-4172-9114-038a866362ec",
- "value": "Data Encrypted - T1532"
- },
 {
 "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nDNS (cache) poisoning is the corruption of an Internet server's domain name system table by replacing an Internet address with that of another, rogue address. When a Web user seeks the page with that address, the request is redirected by the rogue entry in the table to a different address. (Citation: Google DNS Poisoning) (Citation: DNS Poisoning China) (Citation: Mexico Modem DNS Poison)",
 "meta": {
@@ -23831,14 +25419,15 @@ "value": "DNS poisoning - T1382" }, { - "description": "On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the ps command, or by examining the /proc directory. Starting in Android version 7, use of the Linux kernel's hidepid feature prevents applications (without escalated privileges) from accessing this information (Citation: Android-SELinuxChanges).", + "description": "Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1424) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. \n\n \n\nRecent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the `hidepid` mount feature. Prior to Android 7, applications could utilize the `ps` command or examine the `/proc` directory on the device.(Citation: Android-SELinuxChanges) \n\n \n\nIn iOS, applications have previously been able to use the `sysctl` command to obtain a list of running processes. This functionality has been removed in later iOS versions. ", "meta": { "external_id": "T1424", "kill_chain": [ "mitre-mobile-attack:discovery" ], "mitre_platforms": [ - "Android" + "Android", + "iOS" ], "refs": [ "https://attack.mitre.org/techniques/T1424", 
@@ -23849,7 +25438,7 @@ "value": "Process Discovery - T1424" }, { - "description": "Adversaries may capture audio to collect information on a user of a mobile device using standard operating system APIs. Adversaries may target audio information such as user conversations, surroundings, phone calls, or other sensitive information.\n\nAndroid and iOS, by default, requires that an application request access to microphone devices from the user. In Android, applications must hold the android.permission.RECORD_AUDIO permission to access the microphone and the android.permission.CAPTURE_AUDIO_OUTPUT permission to access audio output such as speakers. Android does not allow third-party applications to hold android.permission.CAPTURE_AUDIO_OUTPUT, so audio output can only be obtained by privileged applications (distributed by Google or the device vendor) or after a successful privilege escalation attack. In iOS, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file.", + "description": "Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. \n\n \n\nAndroid and iOS, by default, require that applications request device microphone access from the user. \n\n \n\nOn Android devices, applications must hold the `RECORD_AUDIO` permission to access the microphone or the `CAPTURE_AUDIO_OUTPUT` permission to access audio output. Because Android does not allow third-party applications to hold the `CAPTURE_AUDIO_OUTPUT` permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output.(Citation: Android Permissions) However, adversaries may be able to gain this access after successfully elevating their privileges. 
With the `CAPTURE_AUDIO_OUTPUT` permission, adversaries may pass the `MediaRecorder.AudioSource.VOICE_CALL` constant to `MediaRecorder.setAudioOutput`, allowing capture of both voice call uplink and downlink.(Citation: Manifest.permission) \n\n \n\nOn iOS devices, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file to access the microphone.(Citation: Requesting Auth-Media Capture)", "meta": { "external_id": "APP-19", "kill_chain": [ @@ -23861,11 +25450,16 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1429", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html" + "https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/", + "https://developer.android.com/reference/android/Manifest.permission", + "https://developer.android.com/reference/android/media/MediaRecorder.AudioSource#VOICE_CALL", + "https://developer.apple.com/documentation/avfoundation/cameras_and_media_capture/requesting_authorization_for_media_capture_on_ios", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html", + "https://source.android.com/devices/tech/config/privacy-indicators" ] }, "uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "value": "Capture Audio - T1429" + "value": "Audio Capture - T1429" }, { "description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).", 
@@ -23984,6 +25578,42 @@ "uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "value": "SMS Control - T1582" }, + { + "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.", + "meta": { + "external_id": "T1627", + "kill_chain": [ + "mitre-mobile-attack:defense-evasion" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1627", + "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + ] + }, + "uuid": "498e7b81-238d-404c-aa5e-332904d63286", + "value": "Execution Guardrails - T1627" + }, + { + "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Mobile operating systems have features and developer APIs to hide various artifacts, such as an application’s launcher icon. These APIs have legitimate usages, such as hiding an icon to avoid application drawer clutter when an application does not have a usable interface. 
Adversaries may abuse these features and APIs to hide artifacts from the user to evade detection.", + "meta": { + "external_id": "T1628", + "kill_chain": [ + "mitre-mobile-attack:defense-evasion" + ], + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1628" + ] + }, + "uuid": "fc53309d-ebd5-4573-9242-57024ebdad4f", + "value": "Hide Artifacts - T1628" + }, { "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1286).\n\nDumpster diving is looking through waste for information on technology, people, and/or organizational items of interest. (Citation: FriedDumpsters)", "meta": { 
@@ -23998,6 +25628,25 @@
 "uuid": "6c79d654-6506-4f33-b48f-c80babdcc52d",
 "value": "Dumpster dive - T1286"
 },
+ {
+ "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.",
+ "meta": {
+ "external_id": "APP-22",
+ "kill_chain": [
+ "mitre-mobile-attack:defense-evasion"
+ ],
+ "mitre_platforms": [
+ "Android"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1629",
+ "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html",
+ "https://partner.samsungknox.com/mtd"
+ ]
+ },
+ "uuid": "20b0931a-8952-42ca-975f-775bad295f1a",
+ "value": "Impair Defenses - T1629"
+ },
 {
 "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1333).\n\nDynamic DNS is a automated method to rapidly update the domain name system mapping of hostnames to IPs. (Citation: FireEyeSupplyChain)",
 "meta": {
@@ -24131,6 +25780,25 @@
 "uuid": "0458aab9-ad42-4eac-9e22-706a95bafee2",
 "value": "Acquire Infrastructure - T1583"
 },
+ {
+ "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.",
+ "meta": {
+ "external_id": "T1637",
+ "kill_chain": [
+ "mitre-mobile-attack:command-and-control"
+ ],
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1637",
+ "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"
+ ]
+ },
+ "uuid": "2ccc3d39-9598-4d32-9657-42e1c7095d26",
+ "value": "Dynamic Resolution - T1637"
+ },
 {
 "description": "An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)",
 "meta": {
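Review bot: The Dynamic Resolution cluster is written without a `related` key, whereas the course-of-action file in this same commit writes an explicit `"related": []` when a cluster has no relationships (the M1007 hunk). Consumers that iterate `cluster["related"]` therefore have to special-case absence for T1628, T1629, T1637 and T1638 but not for the other clusters; emitting `"related": []` on every cluster keeps the shape stable across the galaxy. This is a point about how the new entries are serialised, not about their content.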
@@ -24150,6 +25818,15 @@ "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html" ] }, + "related": [ + { + "dest-uuid": "acf8fd2a-dc98-43b4-8d37-64e10728e591", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", "value": "Device Lockout - T1446" }, @@ -24401,7 +26078,7 @@ ] }, "uuid": "52eff1c7-dd30-4121-b762-24ae6fa61bbb", - "value": "Native Code - T1575" + "value": "Native API - T1575" }, { "description": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nEstablishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1)", 
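Review bot: The Device Lockout cluster gains a `revoked-by` relation, but nothing on the cluster itself says it is retired — unlike the deprecated PRE-ATT&CK entries in the surrounding context, whose `description` opens with "This object is deprecated…". A consumer that shows only `value` and `description` (a tag picker, for instance) cannot tell that T1446 has been superseded by the cluster at `acf8fd2a-dc98-43b4-8d37-64e10728e591`, so it will keep being applied to new events. Consider prefixing the description with a short retirement notice naming the replacement, or whatever marker the galaxy format provides for revoked clusters; the same applies to the Geofencing - T1581 and Keychain - T1579 revoked-by hunks later in this file.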
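Review bot: Changing `value` from `"Native Code - T1575"` to `"Native API - T1575"` renames the string that MISP uses as the galaxy tag name while the `uuid` stays the same, so events already tagged with the old name will, as far as I can tell, no longer resolve to this cluster. If the galaxy format has no alias mechanism for a renamed `value`, this should at least be called out in the commit message so deployments know to re-tag; buried in a 2.5k-line version bump it is otherwise invisible.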
@@ -24583,6 +26260,29 @@ "uuid": "ce0687a0-e692-4b77-964a-0784a8e54ff1", "value": "Obtain Capabilities - T1588" }, + { + "description": "Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). \n\n \n\n[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. \n\n \n\nOutside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. \n\n \n\nIf applications properly encrypt their network traffic, sensitive data may not be accessible an adversary, depending on the point of capture. 
", + "meta": { + "external_id": "ECO-12", + "kill_chain": [ + "mitre-mobile-attack:collection" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1638", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-8.html", + "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html", + "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-12.html" + ] + }, + "uuid": "08e22979-d320-48ed-8711-e7bf94aabb13", + "value": "Adversary-in-the-Middle - T1638" + }, { "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. 
ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).", "meta": { 
@@ -24885,6 +26585,29 @@ "uuid": "01327cde-66c4-4123-bf34-5f258d59457b", "value": "VNC - T1021.005" }, + { + "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.", + "meta": { + "external_id": "T1406.001", + "kill_chain": [ + "mitre-mobile-attack:defense-evasion" + ], + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1406/001" + ] + }, + "related": [ + { + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "type": "subtechnique-of" + } + ], + "uuid": "fa801609-ca8e-415e-815e-65f3826ff4df", + "value": "Steganography - T1406.001" + }, { "description": "Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nThe DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling) ", "meta": { 
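Review bot: The `subtechnique-of` relation added here carries only `dest-uuid` and `type`, while every `revoked-by` and `mitigates` relation in this commit also carries the `estimative-language` `tags` array. Code that reads `rel["tags"]` unconditionally will fail on these entries; the same shape appears in the Keylogging, Geofencing and Keychain sub-technique hunks below. Either add `"tags": ["estimative-language:likelihood-probability=\"almost-certain\""]` to these relations as well (a sub-technique link is definitional, so almost-certain is apt) or document that `tags` is optional on relations.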
@@ -25369,6 +27092,33 @@ "uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", "value": "MSBuild - T1127.001" }, + { + "description": "Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.\n\nSome methods of keylogging include:\n\n* Masquerading as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.\n* Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed. \n*Additional methods of keylogging may be possible if root access is available. \n", + "meta": { + "external_id": "AUT-13", + "kill_chain": [ + "mitre-mobile-attack:collection", + "mitre-mobile-attack:credential-access" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1417/001", + "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html", + "https://zeltser.com/third-party-keyboards-security/" + ] + }, + "related": [ + { + "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "type": "subtechnique-of" + } + ], + "uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", + "value": "Keylogging - T1417.001" + }, { "description": "Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. 
For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n", "meta": { 
@@ -25526,6 +27276,31 @@ "uuid": "24286c33-d4a4-4419-85c2-1d094a896c26", "value": "Hardware - T1592.001" }, + { + "description": "Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device’s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements. \n\nOne method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1627/001) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1627/001) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include \"Allow only while using the app\", which will effectively prohibit background location collection. \n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. 
Similar to Android, users also have the option to limit when the application can access the device’s location, including one-time use and only when the application is running in the foreground. \n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific input prompts and/or advertisements.", + "meta": { + "external_id": "T1627.001", + "kill_chain": [ + "mitre-mobile-attack:defense-evasion" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1627/001", + "https://blog.lookout.com/esurv-research" + ] + }, + "related": [ + { + "dest-uuid": "498e7b81-238d-404c-aa5e-332904d63286", + "type": "subtechnique-of" + } + ], + "uuid": "e422b6fa-4739-46b9-992e-82f1b350c780", + "value": "Geofencing - T1627.001" + }, { "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.\n\nAdversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. 
Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)", "meta": { 
@@ -25591,6 +27366,32 @@ "uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071", "value": "Odbcconf - T1218.008" }, + { + "description": "Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. \n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain) ", + "meta": { + "external_id": "AUT-11", + "kill_chain": [ + "mitre-mobile-attack:credential-access" + ], + "mitre_platforms": [ + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1634/001", + "https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/", + "https://developer.apple.com/documentation/security/keychain_services", + "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html" + ] + }, + "related": [ + { + "dest-uuid": "cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", + "type": "subtechnique-of" + } + ], + "uuid": "8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", + "value": "Keychain - T1634.001" + }, { "description": "Adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. 
They can be purchased or, in some cases, acquired for free.\n\nAdversaries can use purchased domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.(Citation: CISA IDN ST05-016)\n\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)", "meta": { @@ -27273,6 +29074,15 @@ "https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services" ] }, + "related": [ + { + "dest-uuid": "e422b6fa-4739-46b9-992e-82f1b350c780", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "8197f026-64da-4700-93b9-b55ba55f3b31", "value": "Geofencing - T1581" }, 
@@ -27457,9 +29267,18 @@
 "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "8605a0ec-b44a-4e98-a7fc-87d4bd3acb66",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "revoked-by"
+ }
+ ],
 "uuid": "27f483c6-6666-44fa-8532-ffd5fc7dab38",
 "value": "Keychain - T1579"
 }
 ],
- "version": 20
+ "version": 21
 }
diff --git a/clusters/mitre-course-of-action.json b/clusters/mitre-course-of-action.json
index a5d7667..fc7cb43 100644
--- a/clusters/mitre-course-of-action.json
+++ b/clusters/mitre-course-of-action.json
@@ -887,21 +887,56 @@ }, "related": [ { - "dest-uuid": "27f483c6-6666-44fa-8532-ffd5fc7dab38", + "dest-uuid": "20b0931a-8952-42ca-975f-775bad295f1a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d", + "dest-uuid": "24a77e53-0751-46fc-b207-99378fb35c08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "dest-uuid": "29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -913,13 +948,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" - }, - { - "dest-uuid": "e083305c-49e7-4c87-aae8-9689213bffbe", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" } ], "uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433", 
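Review bot: This hunk and the remaining course-of-action hunks in this chunk replace or drop dozens of `mitigates` targets by UUID, and nothing in the diff shows that each new `dest-uuid` resolves to a cluster in mitre-attack-pattern.json or that every dropped target was actually revoked. Two of the targets removed here, `27f483c6-…` (Keychain - T1579) and `9d7c32f4-…` (Device Lockout - T1446), are revoked in the attack-pattern file in this same commit, which is consistent; `2f0e8d80-…` and `e083305c-…` are removed without a visible replacement, so if those techniques are still live this mitigation silently lost coverage. A generation-time check that every relation target exists in the galaxy set, plus a short list of removed links in the commit message, would make these bulk rewires reviewable.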
@@ -1004,22 +1032,7 @@ "https://attack.mitre.org/mitigations/M1007" ] }, - "related": [ - { - "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9", "value": "Caution with Device Administrator Access - M1007" }, @@ -2847,6 +2860,27 @@ ] }, "related": [ + { + "dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "tags": [ @@ -2854,6 +2888,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "1d44f529-6fe6-489f-8a01-6261ac43f05e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", "tags": [ 
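Review bot: `Caution with Device Administrator Access - M1007` is left with `"related": []`, i.e. it no longer mitigates anything, while its `description` and `meta` are untouched and nothing marks it as deprecated. The dropped target `9d7c32f4-…` (Device Lockout - T1446) is revoked by `acf8fd2a-…` in the attack-pattern file, so if upstream still lists M1007 against the successor technique the relation should follow the revocation; if upstream deprecated M1007 instead, the cluster should say so the way the deprecated technique entries do. An empty mitigation with no explanation is hard to consume either way.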
@@ -2862,42 +2903,28 @@ "type": "mitigates" }, { - "dest-uuid": "27f483c6-6666-44fa-8532-ffd5fc7dab38", + "dest-uuid": "233fe2c0-cb41-4765-b454-e0087597fbce", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3", + "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", + "dest-uuid": "498e7b81-238d-404c-aa5e-332904d63286", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -2932,63 +2959,49 @@ "type": "mitigates" }, { - "dest-uuid": "77e30eee-fd48-40b4-99ec-73e97c158b58", + "dest-uuid": "74e6003f-c7f4-4047-983b-708cc19b96b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "dest-uuid": "789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "8197f026-64da-4700-93b9-b55ba55f3b31", + "dest-uuid": "79cb02f4-ac4e-4335-8b51-425c9573cce1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "88932a8c-3a17-406f-9431-1da3ff19f6d6", + "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", + "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "a0464539-e1b7-4455-a355-12495987c300", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "dest-uuid": "acf8fd2a-dc98-43b4-8d37-64e10728e591", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -3002,7 +3015,7 @@ "type": "mitigates" }, { - "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2", + "dest-uuid": "c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3022,6 +3035,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "d446b9f0-06a9-4a8d-97ee-298cfee84f14", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "tags": [ @@ -3037,35 +3057,35 @@ "type": "mitigates" }, { - "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "e399430e-30b7-48c5-b70a-f44dc8c175cb", + "dest-uuid": "e422b6fa-4739-46b9-992e-82f1b350c780", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "ef771e03-e080-43b4-a619-ac6f84899884", + "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4963,7 +4983,49 @@ }, "related": [ { - "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", + "dest-uuid": "20b0931a-8952-42ca-975f-775bad295f1a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "670a4d75-103b-4b14-8a9e-4652fa795edd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c6e17ca2-08b5-4379-9786-89bd05241831", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -5081,49 +5143,7 @@ }, "related": [ { - "dest-uuid": "393e8c12-a416-4575-ba90-19cc85656796", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "633baf01-6de4-4963-bb54-ff6c6357bed3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "a5de0540-73e7-4c67-96da-4143afedc7ed", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d731c21e-f27d-4756-b418-0e2aaabd6d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "f58cd69a-e548-478b-9248-8a9af881dc34", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d", + "dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5210,7 +5230,21 @@ }, "related": [ { - "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3", + "dest-uuid": "08ea902d-ecb5-47ed-a453-2798057bb2d3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "233fe2c0-cb41-4765-b454-e0087597fbce", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -5231,7 +5265,14 @@ "type": "mitigates" }, { - "dest-uuid": "77e30eee-fd48-40b4-99ec-73e97c158b58", + "dest-uuid": "7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11279,21 +11320,35 @@ }, "related": [ { - "dest-uuid": "27f483c6-6666-44fa-8532-ffd5fc7dab38", + "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3", + "dest-uuid": "0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "20b0931a-8952-42ca-975f-775bad295f1a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11307,14 +11362,14 @@ "type": "mitigates" }, { - "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", + "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -11328,42 +11383,28 @@ "type": "mitigates" }, { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "dest-uuid": "8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "88932a8c-3a17-406f-9431-1da3ff19f6d6", + "dest-uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "8c7862ff-3449-4ac6-b0fd-ac1298a822a5", + "dest-uuid": "c08366bb-8d11-4921-853f-f0a3b6a2a1da", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "a0464539-e1b7-4455-a355-12495987c300", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "b332a960-3c04-495a-827f-f17a5daed3a6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", + "dest-uuid": "cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11383,27 +11424,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "ef771e03-e080-43b4-a619-ac6f84899884", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "f1c3d071-0c24-483d-aca0-e8b8496ce468", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", "tags": [ 
@@ -11432,14 +11452,14 @@ "type": "mitigates" }, { - "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", + "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", + "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -11785,365 +11805,7 @@ "https://attack.mitre.org/mitigations/M1005" ] }, - "related": [ - { - "dest-uuid": "039bc59c-ecc7-4997-b2b4-4ab728bd91aa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "27f483c6-6666-44fa-8532-ffd5fc7dab38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": 
"3dd58c80-4c2e-458c-9503-1b2cd273c4d2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "52eff1c7-dd30-4121-b762-24ae6fa61bbb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "77e30eee-fd48-40b4-99ec-73e97c158b58", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "786f488c-cb1f-4602-89c5-86d982ee326b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": 
"mitigates" - }, - { - "dest-uuid": "8197f026-64da-4700-93b9-b55ba55f3b31", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "8c7862ff-3449-4ac6-b0fd-ac1298a822a5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", - "tags": [ - 
"estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "ccde43e4-78f9-4f32-b401-c081e7db71ea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d3bc5020-f6a2-41c0-8ccb-5e563101b60c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d731c21e-f27d-4756-b418-0e2aaabd6d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "e083305c-49e7-4c87-aae8-9689213bffbe", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": 
"e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "e399430e-30b7-48c5-b70a-f44dc8c175cb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "ef771e03-e080-43b4-a619-ac6f84899884", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "1553b156-6767-47f7-9eb4-2a692505666d", "value": "Application Vetting - M1005" }, 
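Review bot: Application Vetting - M1005 ends this hunk with `"related": []`, so every `mitigates` link it had (the roughly fifty dest-uuids removed above) is gone while the cluster entry itself stays, and nothing in the entry says why. Anyone pivoting from this mitigation to techniques in MISP now gets an empty set, which is indistinguishable from a generator bug. If the v11.3 bundle really dropped these relationships, it would be clearer to carry an explicit deprecation note in `meta` (or whatever marker this galaxy uses for retired objects) instead of a bare empty list; if upstream still has them, this is a regression in the generation pass. Either way the removed dest-uuid set is worth diffing against the v11.3 STIX relationships for M1005 before this is tagged.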
@@ -12261,7 +11923,63 @@ }, "related": [ { - "dest-uuid": "0c71033e-401e-4b97-9309-7a7c95e43a5d", + "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "1d44f529-6fe6-489f-8a01-6261ac43f05e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "20b0931a-8952-42ca-975f-775bad295f1a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "233fe2c0-cb41-4765-b454-e0087597fbce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -12275,14 +11993,14 @@ "type": "mitigates" }, { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "537ea573-8a1c-468c-956b-d16d2ed9d067", + "dest-uuid": "498e7b81-238d-404c-aa5e-332904d63286", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12303,7 +12021,7 @@ "type": "mitigates" }, { - "dest-uuid": "6f86d346-f092-4abc-80df-8558a90c426a", + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12317,42 +12035,35 @@ "type": "mitigates" }, { - "dest-uuid": "8197f026-64da-4700-93b9-b55ba55f3b31", + "dest-uuid": "789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", + "dest-uuid": "79cb02f4-ac4e-4335-8b51-425c9573cce1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "8c7862ff-3449-4ac6-b0fd-ac1298a822a5", + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", + "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "a0464539-e1b7-4455-a355-12495987c300", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "a64a820a-cb21-471f-920c-506a2ff04fa5", + "dest-uuid": "9ef05e3d-52db-4c12-be4f-519214bbe91f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -12366,7 +12077,28 @@ "type": "mitigates" }, { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12380,7 +12112,7 @@ "type": "mitigates" }, { - "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -12394,7 +12126,56 @@ "type": "mitigates" }, { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e2c2249a-eb82-4614-8dd4-9c514dde65e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e422b6fa-4739-46b9-992e-82f1b350c780", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12413,6 +12194,13 @@ ] }, "related": [ + { + "dest-uuid": "20b0931a-8952-42ca-975f-775bad295f1a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", "tags": [ @@ -12420,6 +12208,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "tags": [ 
@@ -12428,21 +12223,7 @@ "type": "mitigates" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "633baf01-6de4-4963-bb54-ff6c6357bed3", + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12462,6 +12243,27 @@ ], "type": "mitigates" }, + { + "dest-uuid": "79cb02f4-ac4e-4335-8b51-425c9573cce1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9ef05e3d-52db-4c12-be4f-519214bbe91f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", "tags": [ @@ -12469,6 +12271,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62", "tags": [ 
@@ -12476,12 +12285,26 @@ ], "type": "mitigates" }, + { + "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", @@ -12498,14 +12321,14 @@ }, "related": [ { - "dest-uuid": "52651225-0b3a-482d-aa7e-10618fd063b5", + "dest-uuid": "0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d", + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15975,6 +15798,41 @@ ] }, "related": [ + { + "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", "tags": [ 
@@ -15983,7 +15841,42 @@ "type": "mitigates" }, { - "dest-uuid": "8c7862ff-3449-4ac6-b0fd-ac1298a822a5", + "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "670a4d75-103b-4b14-8a9e-4652fa795edd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c6e17ca2-08b5-4379-9786-89bd05241831", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15995,13 +15888,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" - }, - { - "dest-uuid": "e083305c-49e7-4c87-aae8-9689213bffbe", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" } ], "uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c", @@ -16567,5 +16453,5 @@ "value": "Audit - M1047" } ], - "version": 22 + "version": 23 } diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json index f4ddeaf..8af8f8e 100644 --- a/clusters/mitre-intrusion-set.json +++ b/clusters/mitre-intrusion-set.json @@ -1331,6 +1331,13 @@ ], "type": "uses" }, + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ 
@@ -1345,20 +1352,6 @@ ], "type": "uses" }, - { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ @@ -1814,13 +1807,6 @@ ], "type": "similar" }, - { - "dest-uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "tags": [ @@ -4869,13 +4855,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b47250ec-2094-4d06-b658-11456e05fe89", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f", "tags": [ @@ -5037,13 +5016,6 @@ ], "type": "uses" }, - { - "dest-uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "tags": [ @@ -5216,13 +5188,6 @@ ], "type": "uses" }, - { - "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "tags": [ @@ -6392,20 +6357,6 @@ ] }, "related": [ - { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "tags": [ 
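Review bot: Several hunks on this line delete `similar` relationships tagged `likelihood-probability="likely"` (dest-uuids `103ebfd8-…`, `b47250ec-…`, `feac86e4-…`, `24110866-…`) without replacing them, whereas the surrounding `uses` edits look like ordinary upstream UUID churn. Those `similar` entries carry a different likelihood tag from the `almost-certain` used on every upstream-derived relationship here, which suggests they were added by a separate cross-galaxy pass and are being lost by regenerating from the v11.3 bundle. If that is the case, that pass should be re-run (or its entries preserved during generation) so correlation between these intrusion sets and other galaxies is not silently degraded; if the removal is deliberate, the commit message should say so.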
@@ -9211,13 +9162,6 @@ ], "type": "uses" }, - { - "dest-uuid": "5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "8b880b41-5139-4807-baa9-309690218719", "tags": [ @@ -9618,13 +9562,6 @@ ], "type": "uses" }, - { - "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ @@ -14099,13 +14036,6 @@ ] }, "related": [ - { - "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "271e6d40-e191-421a-8f87-a8102452c201", "tags": [ @@ -18315,13 +18245,6 @@ ], "type": "uses" }, - { - "dest-uuid": "5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ @@ -20045,13 +19968,6 @@ ], "type": "uses" }, - { - "dest-uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "tags": [ @@ -28340,20 +28256,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ 
@@ -28369,14 +28271,7 @@ "type": "uses" }, { - "dest-uuid": "786f488c-cb1f-4602-89c5-86d982ee326b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8197f026-64da-4700-93b9-b55ba55f3b31", + "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -28404,7 +28299,7 @@ "type": "uses" }, { - "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -28425,14 +28320,21 @@ "type": "uses" }, { - "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "dest-uuid": "bb4387ab-7a51-468b-bf5f-a9a8612f0303", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -28466,13 +28368,6 @@ ], "type": "uses" }, - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ @@ -28487,6 +28382,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "tags": [ 
@@ -28508,6 +28410,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e422b6fa-4739-46b9-992e-82f1b350c780", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -28515,20 +28424,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "tags": [ @@ -28542,6 +28437,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "afec6dc3-a18e-4b62-b1a4-5510e1a498d1", @@ -30695,5 +30597,5 @@ "value": "TeamTNT - G0139" } ], - "version": 26 + "version": 27 } diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json index e1ec9c9..69d7ed7 100644 --- a/clusters/mitre-malware.json +++ b/clusters/mitre-malware.json 
@@ -51,15 +51,9 @@ "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) Is it tracked separately from the [CHOPSTICK](https://attack.mitre.org/software/S0023).", "meta": { "external_id": "S0314", - "mitre_platforms": [ - "Android" - ], "refs": [ "https://attack.mitre.org/software/S0314", "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" - ], - "synonyms": [ - "X-Agent for Android" ] }, "related": [ @@ -90,13 +84,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "56660521-6db4-4e5a-a927-464f22954b7c", @@ -126,28 +113,21 @@ "type": "uses" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
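Review bot: The first hunk on this line drops both `mitre_platforms` (`Android`) and `synonyms` from X-Agent for Android - S0314 while the unchanged description still describes it as Android malware, so the entry disappears from platform filters and loses its alias for name/tag matching. The removed synonym duplicates the `value`, so the practical loss is the platform; this looks like the platform field missing from the upstream v11.3 object rather than an intentional edit, and is worth confirming against the S0314 STIX object before release. If upstream genuinely removed it, consumers relying on `mitre_platforms` for mobile triage should at least see the change called out in the release notes.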
@@ -160,20 +140,6 @@ ], "type": "uses" }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5", "tags": [ @@ -182,7 +148,14 @@ "type": "uses" }, { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "dest-uuid": "986f80f7-ff0e-4f48-87bd-0394814bbce5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -196,7 +169,7 @@ "type": "uses" }, { - "dest-uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -210,7 +183,7 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -417,21 +390,7 @@ }, "related": [ { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2", + "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -450,6 +409,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "29944858-da52-4d3d-b428-f8a6eb8dde6f", @@ -665,6 +631,13 @@ ], "type": "uses" }, + { + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "tags": [ @@ -673,7 +646,14 @@ "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -686,13 +666,6 @@ ], "type": "similar" }, - { - "dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ @@ -707,13 +680,6 @@ ], "type": "uses" }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8", "tags": [ 
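Review bot: The `uses` relationship added to `29944858-da52-4d3d-b428-f8a6eb8dde6f` in the first hunk points at `fcb11f06-ce0e-490b-bcc1-04a1623579f0`, and nothing in this diff shows that UUID (or the other newly introduced `dest-uuid` values such as `1d1b1558-c833-482e-aabb-d07ef6eae63d`) exists in a sibling cluster file. Because `related` entries are cross-file foreign keys, a pre-merge check that every `dest-uuid` resolves to a `uuid` somewhere in the clusters would catch dangling links; the many removed `uses` targets across these hunks show the upstream UUID churn is real. This is presumably generator output, so the check belongs in the regeneration step rather than in hand edits to this file.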
@@ -722,21 +688,7 @@ "type": "similar" }, { - "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", + "dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -757,7 +709,14 @@ "type": "uses" }, { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -784,13 +743,6 @@ ] }, "related": [ - { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ @@ -799,21 +751,21 @@ "type": "uses" }, { - "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", + "dest-uuid": "986f80f7-ff0e-4f48-87bd-0394814bbce5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -839,13 +791,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "2740eaf6-2db2-4a40-a63f-f5b166c7059c", @@ -869,7 +814,7 @@ }, "related": [ { - "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -883,7 +828,7 @@ "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -910,13 +855,6 @@ ], "type": "uses" }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ @@ -932,21 +870,21 @@ "type": "similar" }, { - "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", + "dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -960,7 +898,7 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -1833,7 +1771,7 @@ }, "related": [ { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1854,7 +1792,14 @@ "type": "uses" }, { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1866,13 +1811,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", @@ -1971,28 +1909,14 @@ "type": "uses" }, { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -2006,14 +1930,14 @@ "type": "uses" }, { - "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", + "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2", + "dest-uuid": "fa801609-ca8e-415e-815e-65f3826ff4df", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2115,13 +2039,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ @@ -2144,14 +2061,14 @@ "type": "uses" }, { - "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2165,14 +2082,7 @@ "type": "uses" }, { - "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2193,7 +2103,7 @@ "type": "uses" }, { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -2221,14 +2131,21 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2", + "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3914,13 +3831,6 @@ ] }, "related": [ - { - "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -3929,14 +3839,7 @@ "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb", + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3950,7 +3853,7 @@ "type": "uses" }, { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "dest-uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3963,6 +3866,13 @@ ], "type": "uses" }, + { + "dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "tags": [ @@ -3971,7 +3881,7 @@ "type": "uses" }, { - "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -3991,6 +3901,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "tags": [ @@ -3999,7 +3916,7 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4034,6 +3951,27 @@ ] }, "related": [ + { + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "37047267-3e56-453c-833e-d92b68118120", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "tags": [ @@ -4041,13 +3979,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ @@ -4055,20 +3986,6 @@ ], "type": "uses" }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ 
@@ -4083,6 +4000,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "tags": [ @@ -4098,7 +4022,7 @@ "type": "uses" }, { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4117,13 +4041,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "366c800f-97a8-48d5-b0a6-79d00198252a", @@ -4654,7 +4571,7 @@ "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4667,13 +4584,6 @@ ], "type": "uses" }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "tags": [ @@ -4688,6 +4598,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "tags": [ @@ -4710,7 +4627,7 @@ "type": "uses" }, { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4736,13 +4653,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "f3975cc0-72bc-4308-836e-ac701b83860e", @@ -5240,7 +5150,14 @@ "type": "uses" }, { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5253,26 +5170,12 @@ ], "type": "uses" }, - { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5a5dca4c-03c1-4b99-bfcf-c206e20aa663", @@ -5309,21 +5212,21 @@ "type": "uses" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -5343,6 +5246,13 @@ ], "type": "uses" }, + { + "dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "tags": [ @@ -5350,20 +5260,6 @@ ], "type": "uses" }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ @@ -5372,7 +5268,7 @@ "type": "uses" }, { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5386,7 +5282,7 @@ "type": "uses" }, { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5407,7 +5303,7 @@ "type": "uses" }, { - "dest-uuid": "e083305c-49e7-4c87-aae8-9689213bffbe", + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5428,14 +5324,7 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2", + "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -5618,20 +5507,14 @@ "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)", "meta": { "external_id": "S0306", - "mitre_platforms": [ - "Android" - ], "refs": [ "https://attack.mitre.org/software/S0306", "https://securelist.com/mobile-malware-evolution-2013/58335/" - ], - "synonyms": [ - "Trojan-SMS.AndroidOS.FakeInst.a" ] }, "related": [ { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5645,20 +5528,14 @@ "description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) is Android malware. (Citation: Kaspersky-MobileMalware)", "meta": { "external_id": "S0307", - "mitre_platforms": [ - "Android" - ], "refs": [ "https://attack.mitre.org/software/S0307", "https://securelist.com/mobile-malware-evolution-2013/58335/" - ], - "synonyms": [ - "Trojan-SMS.AndroidOS.Agent.ao" ] }, "related": [ { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5672,20 +5549,14 @@ "description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) is Android malware. (Citation: Kaspersky-MobileMalware)", "meta": { "external_id": "S0308", - "mitre_platforms": [ - "Android" - ], "refs": [ "https://attack.mitre.org/software/S0308", "https://securelist.com/mobile-malware-evolution-2013/58335/" - ], - "synonyms": [ - "Trojan-SMS.AndroidOS.OpFake.a" ] }, "related": [ { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -6260,28 +6131,14 @@ }, "related": [ { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6295,7 +6152,14 @@ "type": "uses" }, { - "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6309,7 +6173,7 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -6336,28 +6200,14 @@ }, "related": [ { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "dest-uuid": "acf8fd2a-dc98-43b4-8d37-64e10728e591", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6398,28 +6248,28 @@ "type": "uses" }, { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "786f488c-cb1f-4602-89c5-86d982ee326b", + "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6432,13 +6282,6 @@ ], "type": "uses" }, - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "tags": [ 
@@ -6447,14 +6290,7 @@ "type": "uses" }, { - "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2", + "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6515,7 +6351,7 @@ }, "related": [ { - "dest-uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380", + "dest-uuid": "986f80f7-ff0e-4f48-87bd-0394814bbce5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7552,15 +7388,9 @@ "description": "[DressCode](https://attack.mitre.org/software/S0300) is an Android malware family. (Citation: TrendMicro-DressCode)", "meta": { "external_id": "S0300", - "mitre_platforms": [ - "Android" - ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/", "https://attack.mitre.org/software/S0300" - ], - "synonyms": [ - "DressCode" ] }, "related": [ @@ -9502,7 +9332,7 @@ }, "related": [ { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9516,14 +9346,7 @@ "type": "uses" }, { - "dest-uuid": "786f488c-cb1f-4602-89c5-86d982ee326b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9536,6 +9359,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "tags": [ 
@@ -9543,13 +9373,6 @@ ], "type": "uses" }, - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "tags": [ @@ -9557,13 +9380,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "ea3a8c25-4adb-4538-bf11-55259bdba15f", "tags": [ @@ -12410,13 +12226,20 @@ "refs": [ "https://attack.mitre.org/software/S0320", "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app", - "https://www.zscaler.com/blogs/research/super-mario-run-malware-2-–-droidjack-rat" + "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat" ], "synonyms": [ "DroidJack" ] }, "related": [ + { + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ @@ -12425,14 +12248,7 @@ "type": "uses" }, { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12444,13 +12260,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", 
@@ -12790,14 +12599,7 @@ }, "related": [ { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380", + "dest-uuid": "d916f176-a1ca-4a78-9fdd-4058bc28162e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12811,7 +12613,7 @@ "type": "uses" }, { - "dest-uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2", + "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13236,6 +13038,13 @@ ] }, "related": [ + { + "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "tags": [ @@ -13251,14 +13060,7 @@ "type": "uses" }, { - "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2", + "dest-uuid": "c6e17ca2-08b5-4379-9786-89bd05241831", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13272,14 +13074,14 @@ "type": "uses" }, { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -13933,14 +13735,7 @@ }, "related": [ { - "dest-uuid": "52651225-0b3a-482d-aa7e-10618fd063b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d", + "dest-uuid": "0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15368,14 +15163,14 @@ "type": "uses" }, { - "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", + "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15389,34 +15184,21 @@ "description": "[MazarBOT](https://attack.mitre.org/software/S0303) is Android malware that was distributed via SMS in Denmark in 2016. (Citation: Tripwire-MazarBOT)", "meta": { "external_id": "S0303", - "mitre_platforms": [ - "Android" - ], "refs": [ "https://attack.mitre.org/software/S0303", "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/" - ], - "synonyms": [ - "MazarBOT" ] }, "related": [ { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -15799,28 +15581,21 @@ "type": "uses" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15841,14 +15616,14 @@ "type": "uses" }, { - "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -17565,35 +17340,22 @@
 "description": "[Adups](https://attack.mitre.org/software/S0309) is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)",
 "meta": {
 "external_id": "S0309",
- "mitre_platforms": [
- "Android"
- ],
 "refs": [
 "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534",
 "https://attack.mitre.org/software/S0309",
 "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"
- ],
- "synonyms": [
- "Adups"
 ]
 },
 "related": [
 {
- "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad",
+ "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
+ "dest-uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -17607,7 +17369,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -18191,7 +17960,7 @@
 },
 "related": [
 {
- "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
+ "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -18205,28 +17974,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
+ "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -18239,6 +17987,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
 "tags": [
@@ -18253,6 +18008,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
 "tags": [
@@ -18266,13 +18028,6 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
- },
- {
- "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "a76b837b-93cc-417d-bf28-c47a6a284fa4",
@@ -18510,6 +18265,20 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
 "tags": [
@@ -18517,20 +18286,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
 "tags": [
@@ -18538,13 +18293,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
 "tags": [
@@ -18566,13 +18314,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5",
 "tags": [
@@ -18587,6 +18328,20 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
 "tags": [
@@ -18602,7 +18357,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
+ "dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -18621,20 +18383,6 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
- },
- {
- "dest-uuid": "e4c347e9-fb91-4bc5-83b8-391e389131e2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "3049b2f2-e323-4cdb-91cb-13b37b904cbb",
@@ -18967,49 +18715,42 @@
 },
 "related": [
 {
- "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
+ "dest-uuid": "1d44f529-6fe6-489f-8a01-6261ac43f05e",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
+ "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
+ "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
+ "dest-uuid": "51636761-2e35-44bf-9e56-e337adf97174",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
+ "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a",
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19036,6 +18777,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
 "tags": [
@@ -19051,14 +18799,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
+ "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2",
+ "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19310,6 +19058,13 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
 "tags": [
@@ -19317,6 +19072,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8",
 "tags": [
@@ -19332,21 +19094,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb",
+ "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19366,20 +19114,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
 "tags": [
@@ -19388,28 +19122,21 @@
 "type": "uses"
 },
 {
- "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1",
+ "dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad",
+ "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0",
+ "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19443,6 +19170,20 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
 "tags": [
@@ -19450,6 +19191,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "e2c2249a-eb82-4614-8dd4-9c514dde65e2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
 "tags": [
@@ -19458,7 +19206,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "e4c347e9-fb91-4bc5-83b8-391e389131e2",
+ "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19604,6 +19352,13 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
 "tags": [
@@ -19612,28 +19367,21 @@
 "type": "uses"
 },
 {
- "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
+ "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
+ "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
+ "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19647,14 +19395,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "786f488c-cb1f-4602-89c5-86d982ee326b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "8c7862ff-3449-4ac6-b0fd-ac1298a822a5",
+ "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19675,14 +19416,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
+ "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19696,7 +19430,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2",
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19716,6 +19450,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
 "tags": [
@@ -19724,14 +19465,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2",
+ "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -20212,6 +19946,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
 "tags": [
@@ -20220,7 +19961,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
+ "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -20233,6 +19974,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
 "tags": [
@@ -20255,28 +20003,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
+ "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0",
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -20297,7 +20031,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "e083305c-49e7-4c87-aae8-9689213bffbe",
+ "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -20318,14 +20052,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2",
+ "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -20556,14 +20283,7 @@
 },
 "related": [
 {
- "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
+ "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -20583,13 +20303,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
 "tags": [
@@ -20598,7 +20311,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -20618,6 +20331,20 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
 "tags": [
@@ -20631,20 +20358,6 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
- },
- {
- "dest-uuid": "e4c347e9-fb91-4bc5-83b8-391e389131e2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "f666e17c-b290-43b3-8947-b96bd5148fbb",
@@ -21290,14 +21003,14 @@
 },
 "related": [
 {
- "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
+ "dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
+ "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -21310,13 +21023,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
 "tags": [
@@ -21324,13 +21030,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "8197f026-64da-4700-93b9-b55ba55f3b31",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
 "tags": [
@@ -21339,7 +21038,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
+ "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -21360,7 +21059,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "ed2c05a1-4f81-4d97-9e1b-aff01c34ae84",
+ "dest-uuid": "e422b6fa-4739-46b9-992e-82f1b350c780",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -21542,21 +21241,21 @@
 "type": "uses"
 },
 {
- "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
+ "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
+ "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
+ "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -21569,20 +21268,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "786f488c-cb1f-4602-89c5-86d982ee326b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
 "tags": [
@@ -21591,7 +21276,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69",
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -21611,6 +21296,20 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
 "tags": [
@@ -21619,21 +21318,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "e4c347e9-fb91-4bc5-83b8-391e389131e2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2",
+ "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -23869,26 +23554,12 @@
 "description": "[YiSpecter](https://attack.mitre.org/software/S0311) iOS malware that affects both jailbroken and non-jailbroken iOS devices. It is also unique because it abuses private APIs in the iOS system to implement functionality. (Citation: PaloAlto-YiSpecter)",
 "meta": {
 "external_id": "S0311",
- "mitre_platforms": [
- "iOS"
- ],
 "refs": [
 "https://attack.mitre.org/software/S0311",
 "https://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
- ],
- "synonyms": [
- "YiSpecter"
 ]
 },
- "related": [
- {
- "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- }
- ],
+ "related": [],
 "uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9",
 "value": "YiSpecter - S0311"
 },
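Review bot: The YiSpecter entry (S0311) keeps its `uuid` and `value` but loses `mitre_platforms`, `synonyms` and its only `uses` relation, ending as `"related": []`, and nothing left in `meta` says why. If this mirrors an upstream deprecation or revocation in ATT&CK v11.3 — which I infer from the pattern across this commit, not from the hunk itself — then MISP consumers that correlate on synonyms or walk the relationship graph can no longer tell an intentionally retired cluster from a generator regression that dropped data. Consider having the generator carry the upstream deprecation state into the cluster (a sentence in `description` or an explicit flag in `meta`) so an emptied entry is self-explaining; the same stripping recurs for MazarBOT, Adups, HummingWhale, WireLurker, PJApps, RuMMS, DualToy, Marcher and Allwinner in the surrounding hunks.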
@@ -23959,49 +23630,28 @@
 "type": "uses"
 },
 {
- "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
+ "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
+ "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
+ "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "60623164-ccd8-4508-a141-b5a34820b3de",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "786f488c-cb1f-4602-89c5-86d982ee326b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1",
+ "dest-uuid": "acf8fd2a-dc98-43b4-8d37-64e10728e591",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -24015,7 +23665,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a",
+ "dest-uuid": "bb4387ab-7a51-468b-bf5f-a9a8612f0303",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -24035,6 +23692,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
 "tags": [
@@ -24043,21 +23707,21 @@
 "type": "uses"
 },
 {
- "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
+ "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "ed2c05a1-4f81-4d97-9e1b-aff01c34ae84",
+ "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2",
+ "dest-uuid": "fd211238-f767-4599-8c0d-9dca36624626",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -25043,7 +24707,7 @@
 },
 "related": [
 {
- "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
+ "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -25056,13 +24720,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
 "tags": [
@@ -25264,20 +24921,14 @@
 "description": "[HummingWhale](https://attack.mitre.org/software/S0321) is an Android malware family that performs ad fraud. (Citation: ArsTechnica-HummingWhale)",
 "meta": {
 "external_id": "S0321",
- "mitre_platforms": [
- "Android"
- ],
 "refs": [
 "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/",
 "https://attack.mitre.org/software/S0321"
- ],
- "synonyms": [
- "HummingWhale"
 ]
 },
 "related": [
 {
- "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf",
+ "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -25291,15 +24942,10 @@
 "description": "[WireLurker](https://attack.mitre.org/software/S0312) is a family of macOS malware that targets iOS devices connected over USB. (Citation: PaloAlto-WireLurker)",
 "meta": {
 "external_id": "S0312",
- "mitre_platforms": [
- "iOS"
- ],
 "refs": [
 "https://attack.mitre.org/software/S0312",
- "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/"
- ],
- "synonyms": [
- "WireLurker"
+ "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf"
 ]
 },
 "related": [
@@ -25624,14 +25270,21 @@
 "type": "uses"
 },
 {
- "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
+ "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
+ "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -25644,13 +25297,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
 "tags": [
@@ -25658,20 +25304,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
 "tags": [
@@ -25680,7 +25312,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69",
+ "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -25693,6 +25325,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
 "tags": [
@@ -25707,6 +25346,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
 "tags": [
@@ -25727,13 +25373,6 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
- },
- {
- "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "c19cfc89-5ac6-4d2d-a236-70d2b32e007c",
@@ -28262,6 +27901,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
 "tags": [
@@ -28297,13 +27943,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "3911658a-6506-4deb-9ab4-595a51ae71ad",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
 "tags": [
@@ -28339,13 +27978,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
 "tags": [
@@ -28402,6 +28034,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
 "tags": [
@@ -28423,13 +28062,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
 "tags": [
@@ -28522,27 +28154,21 @@
 "description": "[PJApps](https://attack.mitre.org/software/S0291) is an Android malware family. (Citation: Lookout-EnterpriseApps)",
 "meta": {
 "external_id": "S0291",
- "mitre_platforms": [
- "Android"
- ],
 "refs": [
 "https://attack.mitre.org/software/S0291",
 "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
- ],
- "synonyms": [
- "PJApps"
 ]
 },
 "related": [
 {
- "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
+ "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
+ "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -28563,27 +28189,21 @@
 "description": "[RuMMS](https://attack.mitre.org/software/S0313) is an Android malware family. (Citation: FireEye-RuMMS)",
 "meta": {
 "external_id": "S0313",
- "mitre_platforms": [
- "Android"
- ],
 "refs": [
 "https://attack.mitre.org/software/S0313",
 "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
- ],
- "synonyms": [
- "RuMMS"
 ]
 },
 "related": [
 {
- "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
+ "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -28602,13 +28222,6 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
- },
- {
- "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "936be60d-90eb-4c36-9247-4b31128432c4",
@@ -29382,16 +28995,9 @@ "description": "[DualToy](https://attack.mitre.org/software/S0315) is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. (Citation: PaloAlto-DualToy)", "meta": { "external_id": "S0315", - "mitre_platforms": [ - "Android", - "iOS" - ], "refs": [ "https://attack.mitre.org/software/S0315", "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" - ], - "synonyms": [ - "DualToy" ] }, "related": [ @@ -30512,34 +30118,21 @@ "description": "[Marcher](https://attack.mitre.org/software/S0317) is Android malware that is used for financial fraud. (Citation: Proofpoint-Marcher)", "meta": { "external_id": "S0317", - "mitre_platforms": [ - "Android" - ], "refs": [ "https://attack.mitre.org/software/S0317", "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks" - ], - "synonyms": [ - "Marcher" ] }, "related": [ { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", + "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -30818,20 +30411,14 @@ "description": "[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. (Citation: HackerNews-Allwinner)", "meta": { "external_id": "S0319", - "mitre_platforms": [ - "Android" - ], "refs": [ "https://attack.mitre.org/software/S0319", "https://thehackernews.com/2016/05/android-kernal-exploit.html" - ], - "synonyms": [ - "Allwinner" ] }, "related": [ { - "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "dest-uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -32730,6 +32317,20 @@ ], "type": "uses" }, + { + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "tags": [ @@ -32738,7 +32339,7 @@ "type": "uses" }, { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -32751,27 +32352,6 @@ ], "type": "uses" }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ @@ -32780,7 +32360,14 @@ "type": "uses" }, { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -32808,14 +32395,7 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2", + "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -33137,42 +32717,21 @@ }, "related": [ { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2", + "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -33622,7 +33181,21 @@ "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -33635,13 +33208,6 @@ ], "type": "uses" }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "tags": [ 
@@ -33663,13 +33229,6 @@ ], "type": "uses" }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ @@ -33677,13 +33236,6 @@ ], "type": "uses" }, - { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "tags": [ @@ -33692,7 +33244,7 @@ "type": "uses" }, { - "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -33712,6 +33264,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "tags": [ @@ -33727,7 +33286,7 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -37210,15 +36769,9 @@ "description": "[HummingBad](https://attack.mitre.org/software/S0322) is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. (Citation: ArsTechnica-HummingBad)", "meta": { "external_id": "S0322", - "mitre_platforms": [ - "Android" - ], "refs": [ "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/", "https://attack.mitre.org/software/S0322" - ], - "synonyms": [ - "HummingBad" ] }, "related": [ 
@@ -37230,7 +36783,7 @@ "type": "uses" }, { - "dest-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69", + "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -37242,13 +36795,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "c8770c81-c29f-40d2-a140-38544206b2b4", @@ -37444,6 +36990,13 @@ ], "type": "uses" }, + { + "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "tags": [ @@ -37452,21 +37005,7 @@ "type": "uses" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -37486,6 +37025,13 @@ ], "type": "uses" }, + { + "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "tags": [ @@ -37494,7 +37040,7 @@ "type": "uses" }, { - "dest-uuid": "786f488c-cb1f-4602-89c5-86d982ee326b", + "dest-uuid": "986f80f7-ff0e-4f48-87bd-0394814bbce5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -37508,14 +37054,7 @@ "type": "uses" }, { - "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -37528,27 +37067,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4", "tags": [ @@ -37556,6 +37074,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "tags": [ @@ -37590,6 +37115,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0522", + "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks", "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" ], "synonyms": [ 
@@ -37599,28 +37125,28 @@ }, "related": [ { - "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", + "dest-uuid": "1d44f529-6fe6-489f-8a01-6261ac43f05e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -37634,35 +37160,14 @@ "type": "uses" }, { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -37676,7 +37181,7 @@ "type": "uses" }, { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -37689,6 +37194,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "tags": [ @@ -37697,7 +37209,7 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -38206,20 +37718,14 @@ "description": "[AndroRAT](https://attack.mitre.org/software/S0292) is malware that allows a third party to control the device and collect information. (Citation: Lookout-EnterpriseApps)", "meta": { "external_id": "S0292", - "mitre_platforms": [ - "Android" - ], "refs": [ "https://attack.mitre.org/software/S0292", "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" - ], - "synonyms": [ - "AndroRAT" ] }, "related": [ { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -38232,13 +37738,6 @@ ], "type": "uses" }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "80447111-8085-40a4-a052-420926091ac6", "tags": [ 
@@ -38254,7 +37753,14 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -38400,13 +37906,6 @@ ] }, "related": [ - { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6e0545df-8df6-4990-971c-e96c4c60d561", "tags": [ @@ -38422,14 +37921,21 @@ "type": "uses" }, { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -38539,6 +38045,13 @@ ] }, "related": [ + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "tags": [ @@ -38546,6 +38059,13 @@ ], "type": "uses" }, + { + "dest-uuid": "51636761-2e35-44bf-9e56-e337adf97174", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "52eff1c7-dd30-4121-b762-24ae6fa61bbb", "tags": [ 
@@ -38553,20 +38073,6 @@ ], "type": "uses" }, - { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "tags": [ @@ -38575,14 +38081,14 @@ "type": "uses" }, { - "dest-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69", + "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -38601,20 +38107,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "108b2817-bc01-404e-8e1b-8cdeec846326", @@ -38881,6 +38373,13 @@ ] }, "related": [ + { + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "tags": [ 
@@ -38889,7 +38388,14 @@ "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -38923,13 +38429,6 @@ ], "type": "uses" }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ @@ -38938,21 +38437,7 @@ "type": "uses" }, { - "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -38973,7 +38458,14 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -39146,21 +38638,14 @@ "type": "uses" }, { - "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3", + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -39173,20 +38658,6 @@ ], "type": "uses" }, - { - "dest-uuid": "786f488c-cb1f-4602-89c5-86d982ee326b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "tags": [ @@ -39194,6 +38665,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "tags": [ @@ -39208,6 +38686,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "tags": [ @@ -39216,14 +38701,7 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2", + "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -39370,15 +38848,9 @@ "description": "[Judy](https://attack.mitre.org/software/S0325) is auto-clicking adware that was distributed through multiple apps in the Google Play Store. (Citation: CheckPoint-Judy)", "meta": { "external_id": "S0325", - "mitre_platforms": [ - "Android" - ], "refs": [ "https://attack.mitre.org/software/S0325", "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/" - ], - "synonyms": [ - "Judy" ] }, "related": [ @@ -39390,7 +38862,7 @@ "type": "uses" }, { - "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", + "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -39932,7 +39404,21 @@ }, "related": [ { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -39946,14 +39432,7 @@ "type": "uses" }, { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", + "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -40571,6 +40050,13 @@ ] }, "related": [ + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "tags": [ 
@@ -40585,13 +40071,6 @@ ], "type": "uses" }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "tags": [ @@ -40614,14 +40093,14 @@ "type": "uses" }, { - "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", + "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", + "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -41108,16 +40587,10 @@ "description": "[BrainTest](https://attack.mitre.org/software/S0293) is a family of Android malware. (Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)", "meta": { "external_id": "S0293", - "mitre_platforms": [ - "Android" - ], "refs": [ "http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/", "https://attack.mitre.org/software/S0293", "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" - ], - "synonyms": [ - "BrainTest" ] }, "related": [ @@ -41128,6 +40601,13 @@ ], "type": "uses" }, + { + "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "tags": [ @@ -41136,14 +40616,7 @@ "type": "uses" }, { - "dest-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", + "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -41372,6 +40845,13 @@ ] }, "related": [ + { + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ @@ -41387,14 +40867,14 @@ "type": "uses" }, { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -41413,13 +40893,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "35aae10a-97c5-471a-9c67-02c231a7a31a", @@ -41656,20 +41129,6 @@ ] }, "related": [ - { - "dest-uuid": "039bc59c-ecc7-4997-b2b4-4ab728bd91aa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -41678,7 +41137,14 @@ "type": "uses" }, { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "dest-uuid": "1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -41692,7 +41158,21 @@ "type": "uses" }, { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "dest-uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -41704,20 +41184,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "f082fc59-0317-49cf-971f-a1b6296ebb52", @@ -42646,6 +42112,13 @@ ] }, "related": [ + { + "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -42654,7 +42127,21 @@ "type": "uses" }, { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -42668,21 +42155,7 @@ "type": "uses" }, { - "dest-uuid": "786f488c-cb1f-4602-89c5-86d982ee326b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8c7862ff-3449-4ac6-b0fd-ac1298a822a5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "dest-uuid": "acf8fd2a-dc98-43b4-8d37-64e10728e591", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -42696,14 +42169,7 @@ "type": "uses" }, { - "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -42745,7 +42211,7 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -43541,15 +43007,9 @@ "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, Kemoge, though it is not believed all the families were created by the same group. (Citation: Lookout-Adware)", "meta": { "external_id": "S0294", - "mitre_platforms": [ - "Android" - ], "refs": [ "https://attack.mitre.org/software/S0294", "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/" - ], - "synonyms": [ - "ShiftyBug" ] }, "related": [ 
@@ -43568,7 +43028,7 @@ "type": "uses" }, { - "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", + "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -45166,15 +44626,9 @@ "description": "[OldBoot](https://attack.mitre.org/software/S0285) is an Android malware family. (Citation: HackerNews-OldBoot)", "meta": { "external_id": "S0285", - "mitre_platforms": [ - "Android" - ], "refs": [ "http://thehackernews.com/2014/01/first-widely-distributed-android.html", "https://attack.mitre.org/software/S0285" - ], - "synonyms": [ - "OldBoot" ] }, "related": [ @@ -45407,14 +44861,14 @@ "type": "uses" }, { - "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", + "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -45435,7 +44889,7 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -45558,6 +45012,13 @@ ] }, "related": [ + { + "dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -45600,13 +45061,6 @@ ], "type": "uses" }, - { - "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ 
@@ -45615,14 +45069,14 @@ "type": "uses" }, { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -45657,14 +45111,7 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", + "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -46743,27 +46190,21 @@ "description": "OBAD is an Android malware family. (Citation: TrendMicro-Obad)", "meta": { "external_id": "S0286", - "mitre_platforms": [ - "Android" - ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/", "https://attack.mitre.org/software/S0286" - ], - "synonyms": [ - "OBAD" ] }, "related": [ { - "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -47536,38 +46977,18 @@ "description": "[ZergHelper](https://attack.mitre.org/software/S0287) is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. (Citation: Xiao-ZergHelper)", "meta": { "external_id": "S0287", - "mitre_platforms": [ - "iOS" - ], "refs": [ "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/", "https://attack.mitre.org/software/S0287" - ], - "synonyms": [ - "ZergHelper" ] }, "related": [ - { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0", 
@@ -47647,28 +47068,22 @@ "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. (Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)", "meta": { "external_id": "S0297", - "mitre_platforms": [ - "iOS" - ], "refs": [ "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/", "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/", "https://attack.mitre.org/software/S0297" - ], - "synonyms": [ - "XcodeGhost" ] }, "related": [ { - "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -47814,27 +47229,14 @@ "description": "[KeyRaider](https://attack.mitre.org/software/S0288) is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. (Citation: Xiao-KeyRaider)", "meta": { "external_id": "S0288", - "mitre_platforms": [ - "iOS" - ], "refs": [ "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/", "https://attack.mitre.org/software/S0288" - ], - "synonyms": [ - "KeyRaider" ] }, "related": [ { - "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -47855,15 +47257,9 @@ "description": "[NotCompatible](https://attack.mitre.org/software/S0299) is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. (Citation: Lookout-NotCompatible)", "meta": { "external_id": "S0299", - "mitre_platforms": [ - "Android" - ], "refs": [ "https://attack.mitre.org/software/S0299", "https://blog.lookout.com/blog/2014/11/19/notcompatible/" - ], - "synonyms": [ - "NotCompatible" ] }, "related": [ @@ -50591,13 +49987,6 @@ ] }, "related": [ - { - "dest-uuid": "039bc59c-ecc7-4997-b2b4-4ab728bd91aa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ 
@@ -50606,7 +49995,21 @@ "type": "uses" }, { - "dest-uuid": "27f483c6-6666-44fa-8532-ffd5fc7dab38", + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -50620,21 +50023,7 @@ "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "dest-uuid": "8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -50654,6 +50043,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "tags": [ @@ -50668,6 +50064,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "tags": [ @@ -50682,13 +50085,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", "tags": [ 
@@ -52795,21 +52191,21 @@ "type": "uses" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -52822,20 +52218,6 @@ ], "type": "uses" }, - { - "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ @@ -52844,14 +52226,14 @@ "type": "uses" }, { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -52865,7 +52247,7 @@ "type": "uses" }, { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -52885,6 +52267,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "tags": [ @@ -52900,7 +52289,7 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -56630,21 +56019,21 @@ "type": "uses" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -56657,13 +56046,6 @@ ], "type": "uses" }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "tags": [ @@ -56671,20 +56053,6 @@ ], "type": "uses" }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ 
@@ -56692,6 +56060,20 @@ ], "type": "uses" }, + { + "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "tags": [ @@ -56706,26 +56088,26 @@ ], "type": "uses" }, + { + "dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "e4c347e9-fb91-4bc5-83b8-391e389131e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "c41a8b7c-3e42-4eee-b87d-ad8a100ee878", @@ -56929,14 +56311,14 @@ "type": "uses" }, { - "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3", + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -56950,14 +56332,14 @@ "type": "uses" }, { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -56971,14 +56353,7 @@ "type": "uses" }, { - "dest-uuid": "786f488c-cb1f-4602-89c5-86d982ee326b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -56992,14 +56367,7 @@ "type": "uses" }, { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -57020,7 +56388,7 @@ "type": "uses" }, { - "dest-uuid": "e083305c-49e7-4c87-aae8-9689213bffbe", + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -57039,13 +56407,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "aef537ba-10c2-40ed-a57a-80b8508aada4", 
@@ -58095,7 +57456,14 @@ }, "related": [ { - "dest-uuid": "039bc59c-ecc7-4997-b2b4-4ab728bd91aa", + "dest-uuid": "1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -58116,14 +57484,14 @@ "type": "uses" }, { - "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", + "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2", + "dest-uuid": "c6e17ca2-08b5-4379-9786-89bd05241831", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -58142,20 +57510,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "22faaa56-a8ac-4292-9be6-b571b255ee40", @@ -58192,7 +57546,14 @@ "type": "uses" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -58220,7 +57581,21 @@ "type": "uses" }, { - "dest-uuid": "786f488c-cb1f-4602-89c5-86d982ee326b", + "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "939808a7-121d-467a-b028-4441ee8b7cee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -58233,20 +57608,6 @@ ], "type": "uses" }, - { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "tags": [ @@ -58267,13 +57628,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "e296b110-46d3-4f7a-894c-cc71ea50168c", @@ -59676,14 +59030,14 @@ "type": "uses" }, { - "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3911658a-6506-4deb-9ab4-595a51ae71ad", + "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -59697,21 +59051,7 @@ "type": "uses" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "60623164-ccd8-4508-a141-b5a34820b3de", + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -59731,6 +59071,13 @@ ], "type": "uses" }, + { + "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "tags": [ @@ -59746,21 +59093,7 @@ "type": "uses" }, { - "dest-uuid": "786f488c-cb1f-4602-89c5-86d982ee326b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", + "dest-uuid": "939808a7-121d-467a-b028-4441ee8b7cee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -59781,7 +59114,7 @@ "type": "uses" }, { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -59795,14 +59128,7 @@ "type": "uses" }, { - "dest-uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -59823,7 +59149,14 @@ "type": "uses" }, { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -59837,14 +59170,21 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2", + "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "fd211238-f767-4599-8c0d-9dca36624626", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -60326,14 +59666,21 @@ }, "related": [ { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -60346,20 +59693,6 @@ ], "type": "uses" }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ @@ -60368,7 +59701,7 @@ "type": "uses" }, { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -60382,7 +59715,7 @@ "type": "uses" }, { - "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -60409,6 +59742,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "tags": [ @@ -60417,14 +59757,7 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", + "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -62603,14 +61936,21 @@ "type": "uses" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -62631,21 +61971,21 @@ "type": "uses" }, { - "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "dest-uuid": "bb4387ab-7a51-468b-bf5f-a9a8612f0303", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -62671,20 +62011,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "aecc0097-c9f8-4786-9b39-e891ff173f54", 
@@ -62925,14 +62251,14 @@ "type": "uses" }, { - "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -62952,6 +62278,13 @@ ], "type": "uses" }, + { + "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "tags": [ @@ -62960,28 +62293,7 @@ "type": "uses" }, { - "dest-uuid": "786f488c-cb1f-4602-89c5-86d982ee326b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -62994,6 +62306,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "tags": [ 
@@ -63016,14 +62335,14 @@ "type": "uses" }, { - "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -63232,7 +62551,14 @@ }, "related": [ { - "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -63246,7 +62572,7 @@ "type": "uses" }, { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -63259,6 +62585,13 @@ ], "type": "uses" }, + { + "dest-uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ @@ -63266,13 +62599,6 @@ ], "type": "uses" }, - { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "tags": [ 
@@ -63280,20 +62606,6 @@ ], "type": "uses" }, - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e083305c-49e7-4c87-aae8-9689213bffbe", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "tags": [ @@ -63307,13 +62619,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "a0d774e4-bafc-4292-8651-3ec899391341", @@ -63336,7 +62641,7 @@ }, "related": [ { - "dest-uuid": "2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d", + "dest-uuid": "24a77e53-0751-46fc-b207-99378fb35c08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -63349,6 +62654,20 @@ ], "type": "uses" }, + { + "dest-uuid": "37047267-3e56-453c-833e-d92b68118120", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ @@ -63356,6 +62675,13 @@ ], "type": "uses" }, + { + "dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "tags": [ @@ -63377,6 +62703,13 @@ ], "type": "uses" }, + { + "dest-uuid": "939808a7-121d-467a-b028-4441ee8b7cee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ 
@@ -63385,7 +62718,7 @@ "type": "uses" }, { - "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -63399,21 +62732,7 @@ "type": "uses" }, { - "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -63426,13 +62745,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e083305c-49e7-4c87-aae8-9689213bffbe", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "tags": [ @@ -63441,14 +62753,14 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2", + "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -65699,7 +65011,7 @@ "type": "uses" }, { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -65739,13 +65051,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", @@ -68323,5 +67628,5 @@ "value": "HermeticWizard - S0698" } ], - "version": 25 + "version": 26 } diff --git a/clusters/mitre-tool.json b/clusters/mitre-tool.json index 1e8736f..92f19d3 100644 --- a/clusters/mitre-tool.json +++ b/clusters/mitre-tool.json @@ -1564,14 +1564,7 @@ "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb", + "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1598,13 +1591,6 @@ ], "type": "uses" }, - { - "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5", "tags": [ 
@@ -1620,21 +1606,35 @@ "type": "uses" }, { - "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", + "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6e17ca2-08b5-4379-9786-89bd05241831", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1654,6 +1654,20 @@ ], "type": "uses" }, + { + "dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "tags": [ @@ -1662,21 +1676,7 @@ "type": "uses" }, { - "dest-uuid": "e4c347e9-fb91-4bc5-83b8-391e389131e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2", + "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4226,20 +4226,14 @@ "description": "[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)", "meta": { "external_id": "S0298", - "mitre_platforms": [ - "Android" - ], "refs": [ "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/", "https://attack.mitre.org/software/S0298" - ], - "synonyms": [ - "Xbot" ] }, "related": [ { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4260,7 +4254,7 @@ "type": "similar" }, { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4281,7 +4275,7 @@ "type": "similar" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6182,5 +6176,5 @@ "value": "Mythic - S0699" } ], - "version": 24 + "version": 25 }
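Review bot: The first hunk on this line drops `mitre_platforms` (`["Android"]`) and `synonyms` (`["Xbot"]`) from the Xbot S0298 entry while its description is unchanged, so the software is no longer tagged with a platform and loses the alias MISP uses for galaxy matching. If the regeneration reflects an upstream change (the object being deprecated or its platform/alias fields removed in ATT&CK v11.3), that is worth saying in the commit description; otherwise the two keys appear to have been lost by the generator rather than removed on purpose. A consumer filtering clusters by `mitre_platforms` or resolving the name "Xbot" through `synonyms` will silently stop finding this entry. The `related` rewrites in the same hunk (`3dd58c80…` → `4c58b7c6…`, `9d7c32f4…` → `c6421411…`, `e8b4e1ec…` → `eb6cf439…`) are presumably UUID retargeting after the regeneration and need no further comment, but the removed fields do.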