MISP/misp-galaxy
6
0
Fork 0
mirror of https://github.com/MISP/misp-galaxy.git synced 2025-01-19 11:06:16 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #159 from Delta-Sierra/master

Browse source 
add MITRE Galaxies V2.0
This commit is contained in:
Alexandre Dulaunoy 2018-02-23 17:05:47 +01:00 committed by GitHub
commit e339438642
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
62 changed files with 33743 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
README.md
View file

@ -29,11 +29,26 @@ to localized information (which is not shared) or additional information (that c
- [clusters/threat-actor.json](clusters/threat-actor.json) - Adversary groups - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. MISP
- [clusters/tool.json](clusters/tool.json) - tool is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
- [clusters/mitre_attack-pattern.json](clusters/mitre_attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/mitre_course-of-action.json](clusters/mitre_course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/mitre_intrusion-set.json](clusters/mitre_intrusion-set.json) - Intrusion Test - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/mitre_malware.json](clusters/mitre_malware.json) - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/mitre_tool.json](clusters/mitre_tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/mitre-attack-pattern.json](clusters/mitre-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
- [clusters/mitre-course-of-action.json](clusters/mitre-course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
- [clusters/mitre-intrusion-set.json](clusters/mitre-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
- [clusters/mitre-malware.json](clusters/mitre-malware.json) - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
- [clusters/mitre-tool.json](clusters/mitre-tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
- [clusters/mitre-entreprise-attack-attack-pattern.json](clusters/mitre-entreprise-attack-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Entreprise Attack
- [clusters/mitre-entreprise-attack-course-of-action.json](clusters/mitre-entreprise-attack-course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Entreprise Attack
- [clusters/mitre-entreprise-attack-intrusion-set.json](clusters/mitre-entreprise-attack-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Entreprise Attack - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Entreprise Attack
- [clusters/mitre-entreprise-attack-relationship.json](clusters/mitre-entreprise-attack-relationship.json) - Relationship . MITRE Relationship - V2.0 Entreprise Attack
- [clusters/mitre-entreprise-attack-tool.json](clusters/mitre-entreprise-attack-tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Entreprise Attack
- [clusters/mitre-mobile-attack-attack-pattern.json](clusters/mitre-mobile-attack-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
- [clusters/mitre-mobile-attack-course-of-action.json](clusters/mitre-mobile-attack-course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
- [clusters/mitre-mobile-attack-intrusion-set.json](clusters/mitre-mobile-attack-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
- [clusters/mitre-mobile-attack-malware.json](clusters/mitre-mobile-attack-malware.json) - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
- [clusters/mitre-mobile-attack-relationship.json](clusters/mitre-mobile-attack-relationship.json) - Relationship . MITRE Relationship - V2.0 Mobile Attack
- [clusters/mitre-mobile-attack-tool.json](clusters/mitre-mobile-attack-tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
- [clusters/mitre-pre-attack-attack-pattern.json](clusters/mitre-pre-attack-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Pre Attack
- [clusters/mitre-pre-attack-intrusion-set.json](clusters/mitre-pre-attack-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Pre Attack
- [clusters/mitre-pre-attack-relationship.json](clusters/mitre-pre-attack-relationship.json) - Relationship . MITRE Relationship - V2.0 Pre Attack
- [clusters/sectors.json](clusters/sectors.json) - Activity sectors
- [clusters/cert-eu-govsector.json](clusters/cert-eu-govsector.json) - Cert EU GovSector

0
clusters/mitre_attack-pattern.json → clusters/mitre-attack-pattern.json
View file

0
clusters/mitre_course-of-action.json → clusters/mitre-course-of-action.json
View file

3971
clusters/mitre-entreprise-attack-attack-pattern.json Normal file
View file

File diff suppressed because one or more lines are too long

928
clusters/mitre-entreprise-attack-course-of-action.json Normal file
View file

@ -0,0 +1,928 @@
{
"name": "Entreprise Attack - Course of Action",
"type": "mitre-entreprise-attack-course-of-action",
"description": "ATT&CK Mitigation",
"version": 1,
"source": "https://github.com/mitre/cti",
"uuid": "fb870a6a-1707-11e8-b548-17523e4d0670",
"authors": [
"MITRE"
],
"values": [
{
"description": "Direct mitigation of this technique may not be recommended for a particular environment since COM objects are a legitimate part of the operating system and installed software. Blocking COM object changes may have unforeseen side effects to legitimate functionality.\n\nInstead, identify and block potentially malicious software that may execute, or be executed by, this technique using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Component Object Model Hijacking Mitigation",
"uuid": "ff5d862a-ae6b-4833-8c15-e235d654d28e"
},
{
"description": "Mitigations for command and control apply. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
"value": "Exfiltration Over Command and Control Channel Mitigation",
"uuid": "92c28497-2820-445e-9f3e-a03dd77dc0c8"
},
{
"description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific Windows API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. (Citation: GDSecurity Linux injection)\n\nIdentify or block potentially malicious software that may contain process injection functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nUtilize Yama (Citation: Linux kernel Yama) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux (Citation: SELinux official), grsecurity (Citation: grsecurity official), and AppAmour (Citation: AppArmor official).",
"value": "Process Injection Mitigation",
"uuid": "74febc44-8955-4e4d-aca0-d4dad2f967d7"
},
{
"description": "Remove users from the local administrator group on systems. Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL Search Order Hijacking. \n\nCheck for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate. (Citation: Github UACMe)",
"value": "Bypass User Account Control Mitigation",
"uuid": "beb45abb-11e8-4aef-9778-1f9ac249784f"
},
{
"description": "Audit and/or block command-line interpreters by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Command-Line Interface Mitigation",
"uuid": "f28a20fd-d173-4603-807e-2cb3f51bdf04"
},
{
"description": "Disallow loading of remote DLLs. (Citation: Microsoft DLL Preloading) This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+. (Citation: Microsoft DLL Search) Path Algorithm\n\nEnable Safe DLL Search Mode to force search for system DLLs in directories with greater restrictions (e.g. <code>%SYSTEMROOT%</code>)to be used before local directory DLLs (e.g. a user's home directory). The Safe DLL Search Mode can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode. The associated Windows Registry key for this is located at <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SafeDLLSearchMode</code> (Citation: Microsoft DLL Search)\n\nUse auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses. (Citation: Powersploit)\n\nIdentify and block potentially malicious software that may be executed through search order hijacking by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.",
"value": "DLL Search Order Hijacking Mitigation",
"uuid": "96913243-2b5e-4483-a65c-bb152ddd2f04"
},
{
"description": "Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports. \n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
"value": "Uncommonly Used Port Mitigation",
"uuid": "a0d8db1d-a731-4428-8209-c07175f4b1fe"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire network share information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Network Share Discovery Mitigation",
"uuid": "1f34230d-b6ae-4dc7-8599-78c18820bd21"
},
{
"description": "Regsvcs and Regasm may not be necessary within a given environment. Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuess by adversaries.",
"value": "Regsvcs/Regasm Mitigation",
"uuid": "a90da496-b460-47e8-92e7-cc36eb00bd9a"
},
{
"description": "Grant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through Exploitation of Vulnerability. \n\nIf the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.",
"value": "Application Deployment Software Mitigation",
"uuid": "c88151a5-fe3f-4773-8147-d801587065a4"
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
"value": "Commonly Used Port Mitigation",
"uuid": "7c1796c7-9fc3-4c3e-9416-527295bf5d95"
},
{
"description": "Disabling WMI or RPCS may cause system instability and should be evaluated to assess the impact to a network. By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI. Prevent credential overlap across systems of administrator and privileged accounts. (Citation: FireEye WMI 2015)",
"value": "Windows Management Instrumentation Mitigation",
"uuid": "ba2ec548-fb75-4b8c-88d6-d91a77a943cf"
},
{
"description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all hooking will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.",
"value": "Hooking Mitigation",
"uuid": "7aee8ea0-0baa-4232-b379-5d9ce98352cf"
},
{
"description": "The sudoers file should be strictly edited such that passwords are always required and that users cant spawn risky processes as users with higher privilege. By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file.",
"value": "Sudo Mitigation",
"uuid": "23bff3ce-021c-4e7a-9aee-60fd40bc7c6c"
},
{
"description": "Modify Registry settings (directly or using Dcomcnfg.exe) in <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AppID_GUID}</code> associated with the process-wide security of individual COM applications. (Citation: Microsoft Process Wide Com Keys)\n\nModify Registry settings (directly or using Dcomcnfg.exe) in <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole</code> associated with system-wide security defaults for all COM applications that do no set their own process-wide security. (Citation: Microsoft System Wide Com Keys) (Citation: Microsoft COM) ACL\n\nConsider disabling DCOM through Dcomcnfg.exe. (Citation: Microsoft Disable DCOM)\n\nEnable Windows firewall, which prevents DCOM instantiation by default.\n\nEnsure all COM alerts and Protected View are enabled. (Citation: Microsoft Protected View)",
"value": "Distributed Component Object Model Mitigation",
"uuid": "910482b1-6749-4934-abcb-3e34d58294fc"
},
{
"description": "Eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them (Citation: Microsoft CreateProcess). Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate (Citation: MSDN DLL Security). Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries.\n\nPeriodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations (Citation: Kanthak Sentinel). \n\nRequire that all executables be placed in write-protected directories. Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory <code>C:</code> and system directories, such as <code>C:\\Windows\\</code>, to reduce places where malicious files could be placed for execution.\n\nIdentify and block potentially malicious software that may be executed through the path interception by using whitelisting (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies, (Citation: Corio 2008) that are capable of auditing and/or blocking unknown executables.",
"value": "Path Interception Mitigation",
"uuid": "e0703d4f-3972-424a-8277-84004817e024"
},
{
"description": "Prevent adversaries from gaining access to credentials through Credential Access that can be used to log into remote desktop sessions on systems.\n\nIdentify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to log into remote interactive sessions, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) and Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Graphical User Interface Mitigation",
"uuid": "aaa92b37-f96c-4a0a-859c-b1cb6faeb13d"
},
{
"description": "It may be difficult or inadvisable to block access to EA. Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to hide information in EA by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "NTFS Extended Attributes Mitigation",
"uuid": "ac008435-af58-4f77-988a-c9b96c5920f5"
},
{
"description": "Mitigation is difficult in instances like this because the adversary may have access to the system through another channel and can learn what techniques or tools are blocked by resident defenses. Exercising best practices with configuration and security as well as ensuring that proper process is followed during investigation of potential compromise is essential to detecting a larger intrusion through discrete alerts.\n\nIdentify and block potentially malicious software that may be used by an adversary by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Indicator Removal from Tools Mitigation",
"uuid": "4b998a71-7b8f-4dcc-8f3f-277f2e740271"
},
{
"description": "Holding the Shift key while logging in prevents apps from opening automatically (Citation: Re-Open windows on Mac). This feature can be disabled entirely with the following terminal command: <code>defaults write -g ApplePersistence -bool no</code>.",
"value": "Re-opened Applications Mitigation",
"uuid": "61d02387-351a-453e-a575-160a9abc3e04"
},
{
"description": "Restrict user's abilities to create Launch Agents with group policy.",
"value": "Launch Agent Mitigation",
"uuid": "121b2863-5b97-4538-acb3-f8aae070ec13"
},
{
"description": "Other tools should be used to supplement Gatekeeper's functionality. Additionally, system settings can prevent applications from running that haven't been downloaded through the Apple Store which can help mitigate some of these issues.",
"value": "Gatekeeper Bypass Mitigation",
"uuid": "1a7f5bd3-f6ee-4bd7-b949-2f3632ad6158"
},
{
"description": "Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Clipboard Data Mitigation",
"uuid": "19edfa02-1a5f-47e4-ad82-3288f57f64cf"
},
{
"description": "Use and enforce multifactor authentication. Follow guidelines to prevent or limit adversary access to Valid Accounts that may be used to create privileged accounts within an environment.\n\nAdversaries that create local accounts on systems may have limited access within a network if access levels are properly locked down. These accounts may only be needed for persistence on individual systems and their usefulness depends on the utility of the system they reside on.\n\nProtect domain controllers by ensuring proper security configuration for critical servers. Configure access controls and firewalls to limit access to these systems. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.",
"value": "Create Account Mitigation",
"uuid": "9a5b7194-88e0-4579-b82f-e3c27b8cca80"
},
{
"description": "Identify and block potentially malicious software that may be executed through run key or startup folder persistence using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Registry Run Keys / Start Folder Mitigation",
"uuid": "8b36d944-f274-4d46-9acd-dbba6927ce7a"
},
{
"description": "Command and control infrastructure used in a multi-stage channel may be blocked if known ahead of time. If unique signatures are present in the C2 traffic, they could also be used as the basis of identifying and blocking the channel. (Citation: University of Birmingham C2)",
"value": "Multi-Stage Channels Mitigation",
"uuid": "514e7371-a344-4de7-8ec3-3aa42b801d52"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Data Staged Mitigation",
"uuid": "4320b080-9ae9-4541-9b8b-bcd0961dbbbd"
},
{
"description": "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.",
"value": "Launch Daemon Mitigation",
"uuid": "402e92cd-5608-4f4b-9a34-a2c962e4bcd7"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Data from Removable Media Mitigation",
"uuid": "39706d54-0d06-4a25-816a-78cc43455100"
},
{
"description": "If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the <code>/Library/Preferences/com.apple.loginwindow</code> <code>Hide500Users</code> value will force all users to be visible.",
"value": "Hidden Users Mitigation",
"uuid": "12cba7de-0a22-4a56-b51e-c514c67c3b43"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Data from Network Shared Drive Mitigation",
"uuid": "d9727aee-48b8-4fdb-89e2-4c49746ba4dd"
},
{
"description": "Prevent users from being able to write files to the search paths for applications, both in the folders where applications are run from and the standard dylib folders. If users can't write to these directories, then they can't intercept the search path.",
"value": "Dylib Hijacking Mitigation",
"uuid": "dc43c2fe-355e-4a79-9570-3267b0992784"
},
{
"description": "Use multifactor authentication. Follow guidelines to prevent or limit adversary access to Valid Accounts.\n\nProtect domain controllers by ensuring proper security configuration for critical servers. Configure access controls and firewalls to limit access to these systems. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.",
"value": "Account Manipulation Mitigation",
"uuid": "fdb1ae84-7b00-4d3d-b7dc-c774beef6425"
},
{
"description": "It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. When PowerShell is necessary, restrict PowerShell execution policy to administrators and to only execute signed scripts. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. (Citation: Netspi PowerShell Execution Policy Bypass) Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.",
"value": "PowerShell Mitigation",
"uuid": "d0415180-51e9-40ce-b57c-c332b0b441f2"
},
{
"description": "Block SMB traffic from exiting an enterprise network with egress filtering or by blocking TCP ports 139, 445 and UDP port 137. Filter or block WebDAV protocol traffic from exiting the network. If access to external resources over SMB and WebDAV is necessary, then traffic should be tightly limited with whitelisting. (Citation: US-CERT SMB Security) (Citation: US-CERT APT Energy Oct 2017)\n\nFor internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.\n\nUse strong passwords to increase the difficulty of credential hashes from being cracked if they are obtained.",
"value": "Forced Authentication Mitigation",
"uuid": "7009ba4d-83d4-4851-9fbb-e09e28497765"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "System Information Discovery Mitigation",
"uuid": "c620e3a1-fff5-424f-abea-d2b0f3616f67"
},
{
"description": "Upgrade the operating system to a newer version of Windows if using a version prior to Vista. \n\nLimit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.\n\nIdentify and block potentially malicious software that may be executed through the Winlogon helper process by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.",
"value": "Winlogon Helper DLL Mitigation",
"uuid": "313c8b20-4d49-40c1-9ac0-4c573aca28f3"
},
{
"description": "Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (<code>C:\\Windows\\System32\\</code> by default) of a domain controller and/or local computer with a corresponding entry in <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages</code>. (Citation: Microsoft Install Password Filter n.d)",
"value": "Password Filter DLL Mitigation",
"uuid": "00d7d21b-69d6-4797-88a2-c86f3fc97651"
},
{
"description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by Windows utilities like AppLocker. (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker)",
"value": "Netsh Helper DLL Mitigation",
"uuid": "624d063d-cda8-4616-b4e4-54c04e427aec"
},
{
"description": "Follow best practices for mitigation of activity related to establishing Windows Admin Shares. \n\nIdentify unnecessary system utilities or potentially malicious software that may be used to leverage network shares, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Network Share Connection Removal Mitigation",
"uuid": "94e95eeb-7cdb-4bd7-afba-f32fda303dbb"
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
"value": "Connection Proxy Mitigation",
"uuid": "d75a3d1b-b536-4f15-a23c-f4bcc17837b8"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Application Window Discovery Mitigation",
"uuid": "25d5e1d8-c6fb-4735-bc57-115a21222f4b"
},
{
"description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. Deny direct remote access to internal systems through uses of network proxies, gateways, and firewalls as appropriate. Disable or block services such as Windows Remote Management can be used externally. Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of Two-Factor Authentication Interception techniques for some two-factor authentication implementations.",
"value": "External Remote Services Mitigation",
"uuid": "d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2"
},
{
"description": "Monitor systems and domain logs for unusual credential logon activity. Prevent access to Valid Accounts. Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group. \n\nEnable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located <code>HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy</code> Through GPO: Computer Configuration > [Policies] > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on network logons. (Citation: GitHub IAD Secure Host Baseline UAC Filtering)\n\nLimit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems. Ensure that built-in and created local administrator accounts have complex, unique passwords. Do not allow a domain user to be in the local administrator group on multiple systems.",
"value": "Pass the Hash Mitigation",
"uuid": "bcee7b05-89a6-41a5-b7aa-fce4da7ede9e"
},
{
"description": "Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located <code>HKLM\\ SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI\\EnumerateAdministrators</code>. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation. (Citation: UCF STIG Elevation Account Enumeration)\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to acquire information about system and domain accounts, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Account Discovery Mitigation",
"uuid": "5c49bc54-9929-48ca-b581-7018219b5a97"
},
{
"description": "MSBuild.exe, dnx.exe, rcsi.exe, WinDbg.exe, cdb.exe, and tracker.exe may not be necessary within a given environment and should be removed if not used.\n\nUse application whitelisting configured to block execution of MSBuild.exe, dnx.exe, rcsi.exe, WinDbg.exe, and cdb.exe if they are not required for a given system or network to prevent potential misuse by adversaries. (Citation: Microsoft GitHub Device Guard CI Policies) (Citation: Exploit Monday Mitigate Device Guard Bypases) (Citation: GitHub mattifestation DeviceGuardBypass) (Citation: SubTee MSBuild)",
"value": "Trusted Developer Utilities Mitigation",
"uuid": "823fbfe9-b015-4bf3-9e67-d340c7373ca0"
},
{
"description": "Monitor domains for unusual credential logons. Limit credential overlap across systems to prevent the damage of credential compromise. Ensure that local administrator accounts have complex, unique passwords. Do not allow a user to be a local administrator for multiple systems. Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts. (Citation: ADSecurity AD Kerberos Attacks)\n\nFor containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. (Citation: CERT-EU Golden Ticket Protection)\n\nAttempt to identify and block unknown or malicious software that could be used to obtain Kerberos tickets and use them to authenticate by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Pass the Ticket Mitigation",
"uuid": "3a476d83-43eb-4fad-9b75-b1febd834e3d"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "System Owner/User Discovery Mitigation",
"uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44"
},
{
"description": "Monitor/harden access to LSASS and SAM table with tools that allow process whitelisting. Limit credential overlap across systems to prevent lateral movement opportunities using Valid Accounts if passwords and hashes are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. (Citation: Microsoft LSA)\n\nIdentify and block potentially malicious software that may be used to dump credentials by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nWith Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. (Citation: TechNet Credential Guard) It also does not protect against all forms of credential dumping. (Citation: GitHub SHB Credential Guard)\n\nManage the access control list for “Replicating Directory Changes” and other permissions associated with domain controller replication. (Citation: AdSecurity DCSync Sept 2015) (Citation: Microsoft Replication ACL)\n\nConsider disabling or restricting NTLM traffic. (Citation: Microsoft Disable NTLM Nov 2012)",
"value": "Credential Dumping Mitigation",
"uuid": "aeff5887-8f9e-48d5-a523-9b395e2ce80a"
},
{
"description": "Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass whitelisting. (Citation: Secure Host Baseline EMET)",
"value": "Regsvr32 Mitigation",
"uuid": "12c13879-b7bd-4bc5-8def-aacec386d432"
},
{
"description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior. \n\nAlthough process hollowing may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Process Hollowing Mitigation",
"uuid": "7c39ebbf-244e-4d1c-b0ac-b282453ece43"
},
{
"description": "Enforce valid digital signatures for signed code on all applications and only trust applications with signatures from trusted parties.",
"value": "LC_MAIN Hijacking Mitigation",
"uuid": "6e7db820-9735-4545-bc64-039bc4ce354b"
},
{
"description": "Clean up SID-History attributes after legitimate account migration is complete.\n\nApply SID Filtering to domain trusts to exclude SID-History from requests to access domain resources (<code>netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:yes</code> (Citation: Microsoft Netdom Trust Sept 2012) on the domain controller). Domain SID Filtering is disabled by default.\n\nApply SID Filtering to forest trusts to exclude SID-History from request to access forest resources (<code>netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /EnableSIDHistory:no</code> (Citation: Microsoft Netdom Trust Sept 2012) on the domain controller). Forest SID Filtering is active by default, but may block child domains from transitively accessesing the forest trust.\n\nEnsure SID Filter Quarantining is enabled on trusted external domains (<code>netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine</code> (Citation: Microsoft Netdom Trust Sept 2012) on the domain controller) to ensure authentication requests only include SIDs from that domain. SID Filter Quarantining is automatically enabled on all created external trusts using Server 2003 or later domain controllers. (Citation: Microsoft Trust Considerations Nov 2014) (Citation: Microsoft SID) Filtering Quarantining Jan 2009",
"value": "SID-History Injection Mitigation",
"uuid": "b91c2f9e-c1a0-44df-95f0-9e7c9d1d5e55"
},
{
"description": "Since StartupItems are deprecated, preventing all users from writing to the <code>/Library/StartupItems</code> directory would prevent any startup items from getting registered. Similarly, appropriate permissions should be applied such that only specific users can edit the startup items so that they cant be leveraged for privilege escalation.",
"value": "Startup Items Mitigation",
"uuid": "94927849-03e3-4a07-8f4c-9ee21b626719"
},
{
"description": "Mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior. Audit and/or block potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Execution through API Mitigation",
"uuid": "56db6ccc-433d-4411-8383-c3fd7053e2c8"
},
{
"description": "Protect shared folders by minimizing users who have write access. Use utilities that detect or mitigate common features used in exploitation, such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET).\n\nIdentify potentially malicious software that may be used to taint content or may result from it and audit and/or block the unknown programs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Taint Shared Content Mitigation",
"uuid": "f0a42cad-9b1f-44da-a672-718f18381018"
},
{
"description": "Identify and block potentially malicious software that may be used as a remote access tool, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
"value": "Redundant Access Mitigation",
"uuid": "f9b3e5d9-7454-4b7d-bce6-27620e19924e"
},
{
"description": "If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be Domain Fronting.\n\nIn order to use domain fronting, attackers will likely need to deploy additional tools to compromised systems. (Citation: FireEye APT29 Domain Fronting With TOR March 2017) (Citation: Mandiant No Easy Breach) It may be possible to detect or prevent the installation of these tools with Host-based solutions.",
"value": "Domain Fronting Mitigation",
"uuid": "62ae52c9-7197-4f5b-be1d-10d2e1df2c96"
},
{
"description": "Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.\n\nIdentify and block potentially malicious software that may be used to record audio by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Audio Capture Mitigation",
"uuid": "16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d"
},
{
"description": "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new services.\n\nIdentify and block unnecessary system utilities or potentially malicious software that may be used to create services by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "New Service Mitigation",
"uuid": "b7b2c89c-09c1-4b71-ae7c-000ec2893aab"
},
{
"description": "Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell.",
"value": "Scripting Mitigation",
"uuid": "57019a80-8523-46b6-be7d-f763a15a2cc6"
},
{
"description": "Prevent plist files from being modified by users by making them read-only.",
"value": "Plist Modification Mitigation",
"uuid": "2d704e56-e689-4011-b989-bf4e025a8727"
},
{
"description": "Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass whitelisting. (Citation: Secure Host Baseline EMET)",
"value": "Rundll32 Mitigation",
"uuid": "8c918d8a-11c5-4ffd-af10-e74bc06bdfae"
},
{
"description": "Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network black and white lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting.",
"value": "Multi-hop Proxy Mitigation",
"uuid": "752db800-ea54-4e7a-b4c1-2a0292350ea7"
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
"value": "Fallback Channels Mitigation",
"uuid": "515f6584-fa98-44fe-a4e8-e428c7188514"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "System Service Discovery Mitigation",
"uuid": "d8787791-d22e-45bb-a9a8-251d8d0a1ff2"
},
{
"description": "Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. Protect generated event files that are stored locally with proper permissions and authentication. Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.",
"value": "Indicator Removal on Host Mitigation",
"uuid": "6cac62ce-550b-4793-8ee6-6a1b8836edb0"
},
{
"description": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.\n\nIdentify and block potentially malicious software that may be executed through service abuse by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.",
"value": "Service Registry Permissions Weakness Mitigation",
"uuid": "9378f139-10ef-4e4b-b679-2255a0818902"
},
{
"description": "Mitigation of timestomping specifically is likely difficult. Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to perform timestomping by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Timestomp Mitigation",
"uuid": "5c167af7-c2cb-42c8-ae67-3fb275bf8488"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about a system's network configuration, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "System Network Configuration Discovery Mitigation",
"uuid": "684feec3-f9ba-4049-9d8f-52d52f3e0e40"
},
{
"description": "Directly mitigating module loads and API calls related to module loads will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying and correlated subsequent behavior to determine if it is the result of malicious activity.",
"value": "Execution through Module Load Mitigation",
"uuid": "cfd2cd3b-93e7-4b3e-ab46-f8bcafdbdfcf"
},
{
"description": "Networks that allow for open development and testing of Web content and allow users to set up their own Web servers on the enterprise network may be particularly vulnerable if the systems and Web servers are not properly secured to limit privileged account use, unauthenticated network share access, and network/system isolation.\n\nEnsure proper permissions on directories that are accessible through a Web server. Disallow remote access to the webroot or other directories used to serve Web content. Disable execution on directories within the webroot. Ensure that permissions of the Web server process are only what is required by not using built-in accounts; instead, create specific accounts to limit unnecessary access or permissions overlap across multiple systems.",
"value": "Shared Webroot Mitigation",
"uuid": "43b366a4-b5ff-4d4e-8a3b-f09a9d2faff5"
},
{
"description": "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. (Citation: Powersploit)\n\nConfigure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\SubmitControl</code>. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. (Citation: TechNet Server Operator Scheduled Task)\n\nConfigure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. (Citation: TechNet Scheduling Priority)\n\nIdentify and block unnecessary system utilities or potentially malicious software that may be used to schedule tasks using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Scheduled Task Mitigation",
"uuid": "f2cb6ce2-188d-4162-8feb-594f949b13dd"
},
{
"description": "Identify potentially malicious software that may be executed from a padded or otherwise obfuscated binary, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Binary Padding Mitigation",
"uuid": "16a8ac85-a06f-460f-ad22-910167bd7332"
},
{
"description": "Ensure that all wireless traffic is encrypted appropriately. Use Kerberos, SSL, and multifactor authentication wherever possible. Monitor switches and network for span port usage, ARP/DNS poisoning, and router reconfiguration.\n\nIdentify and block potentially malicious software that may be used to sniff or analyze network traffic by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Network Sniffing Mitigation",
"uuid": "46b7ef91-4e1d-43c5-a2eb-00fa9444f6f4"
},
{
"description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Data Encrypted Mitigation",
"uuid": "2a8de25c-f743-4348-b101-3ee33ab5871b"
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Use of encryption protocols may make typical network-based C2 detection more difficult due to a reduced ability to signature the traffic. Prior knowledge of adversary C2 infrastructure may be useful for domain and IP address blocking, but will likely not be an effective long-term solution because adversaries can change infrastructure often. (Citation: University of Birmingham C2)",
"value": "Standard Cryptographic Protocol Mitigation",
"uuid": "a766ce73-5583-48f3-b7c0-0bb43c6ef8c7"
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Use of encryption protocols may make typical network-based C2 detection more difficult due to a reduced ability to signature the traffic. Prior knowledge of adversary C2 infrastructure may be useful for domain and IP address blocking, but will likely not be an effective long-term solution because adversaries can change infrastructure often. (Citation: University of Birmingham C2)",
"value": "Multilayer Encryption Mitigation",
"uuid": "24478001-2eb3-4b06-a02e-96b3d61d27ec"
},
{
"description": "When creating security rules, avoid exclusions based on file name or file path. Require signed binaries. Use file system access controls to protect folders such as C:\\Windows\\System32. Use tools that restrict program execution via whitelisting by attributes other than file name.\n\nIdentify potentially malicious software that may look like a legitimate program based on name and location, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Masquerading Mitigation",
"uuid": "45e7f570-6a0b-4095-bf02-4bca05da6bae"
},
{
"description": "Identify potentially malicious software that may be used to access logical drives in this manner, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "File System Logical Offsets Mitigation",
"uuid": "902286b2-96cc-4dd7-931f-e7340c9961da"
},
{
"description": "Limit the number of accounts that may use remote services. Use multifactor authentication where possible. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs. Prevent Credential Access techniques that may allow an adversary to acquire Valid Accounts that can be used by existing services.",
"value": "Remote Services Mitigation",
"uuid": "979e6485-7a2f-42bd-ae96-4e622c3cd173"
},
{
"description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "File Deletion Mitigation",
"uuid": "34efb2fd-4dc2-40d4-a564-0c147c85034d"
},
{
"description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to compress files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nIf network intrusion prevention or data loss prevention tools are set to block specific file types from leaving the network over unencrypted channels, then an adversary may move to an encrypted channel.",
"value": "Data Compressed Mitigation",
"uuid": "28adf6fd-ab6c-4553-9aa7-cef18a191f33"
},
{
"description": "Require that all AppleScript be signed by a trusted developer ID before being executed - this will prevent random AppleScript code from executing.",
"value": "AppleScript Mitigation",
"uuid": "1e4ef2c7-ee96-4484-9baa-3b5777561301"
},
{
"description": "Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer which have reached end of life. Use application whitelisting configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries.",
"value": "Mshta Mitigation",
"uuid": "d2dce10b-3562-4d61-b2f5-7c6384b038e2"
},
{
"description": "Windows 8.1, Windows Server 2012 R2, and later versions, may make LSA run as a Protected Process Light (PPL) by setting the Registry key <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL</code>, which requires all DLLs loaded by LSA to be signed by Microsoft. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)",
"value": "Authentication Package Mitigation",
"uuid": "943d370b-2054-44df-8be2-ab4139bde1c5"
},
{
"description": "There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands:\n<code>set +o history</code> and <code>set -o history</code> to start logging again;\n<code>unset HISTFILE</code> being added to a user's .bash_rc file; and\n<code>ln -s /dev/null ~/.bash_history</code> to write commands to <code>/dev/null</code>instead.",
"value": "Bash History Mitigation",
"uuid": "ace4daee-f914-4707-be75-843f16da2edf"
},
{
"description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by processes running under SYSTEM permissions.",
"value": "Port Monitors Mitigation",
"uuid": "1c6bc7f3-d517-4971-aed4-8f939090846b"
},
{
"description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all IFEO will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. (Citation: Microsoft IFEOorMalware July 2015) Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nIdentify and block potentially malicious software that may be executed through IFEO by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown executables.",
"value": "Image File Execution Options Injection Mitigation",
"uuid": "33f76731-b840-446f-bee0-53687dad24d9"
},
{
"description": "Enforce that all binaries be signed by the correct Apple Developer IDs, and whitelist applications via known hashes. Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasnt included as part of an update, it should be investigated.",
"value": "LC_LOAD_DYLIB Addition Mitigation",
"uuid": "77fd4d73-6b79-4593-82e7-e4a439cc7604"
},
{
"description": "Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit the exposure to this technique. \n\nClose all browser sessions regularly and when they are no longer needed.",
"value": "Man in the Browser Mitigation",
"uuid": "94f6b4f5-b528-4f50-91d5-f66457c2f8f7"
},
{
"description": "Block .scr files from being executed from non-standard locations. Set Group Policy to force users to have a dedicated screensaver where local changes should not override the settings to prevent changes. Use Group Policy to disable screensavers if they are unnecessary. (Citation: TechNet Screensaver GP)",
"value": "Screensaver Mitigation",
"uuid": "9da16278-c6c5-4410-8a6b-9c16ce8005b3"
},
{
"description": "To use this technique remotely, an adversary must use it in conjunction with RDP. Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. It is enabled by default on Windows Vista and later. (Citation: TechNet RDP NLA)\n\nIf possible, use a Remote Desktop Gateway to manage connections and security configuration of RDP within a network. (Citation: TechNet RDP Gateway)\n\nIdentify and block potentially malicious software that may be executed by an adversary with this technique by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Accessibility Features Mitigation",
"uuid": "c085476e-1964-4d7f-86e1-d8657a7741e8"
},
{
"description": "Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform this action. Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. (Citation: TCG Trusted Platform Module) (Citation: TechNet Secure Boot Process)",
"value": "Bootkit Mitigation",
"uuid": "96150c35-466f-4f0a-97a9-ae87ee27f751"
},
{
"description": "Take measures to detect or prevent techniques such as Credential Dumping or installation of keyloggers to acquire credentials through Input Capture. Limit credential overlap across systems to prevent access if account credentials are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access). Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege)",
"value": "Valid Accounts Mitigation",
"uuid": "d45f03a8-790a-4f90-b956-cd7e5b8886bf"
},
{
"description": "Only install browser extensions from trusted sources that can be verified. Ensure extensions that are installed are the intended ones as many malicious extensions will masquerade as legitimate ones.\n\nBrowser extensions for some browsers can be controlled through Group Policy. Set a browser extension white or black list as appropriate for your security policy. (Citation: Technospot Chrome Extensions GP)\n\nChange settings to prevent the browser from installing extensions without sufficient permissions.\n\nClose out all browser sessions when finished using them.",
"value": "Browser Extensions Mitigation",
"uuid": "b52f41b9-ccf6-4da7-a6c0-167eeb71fbd8"
},
{
"description": "Ensure proper process, registry, and file permissions are in place to prevent adversaries from disabling or interfering with security services.",
"value": "Disabling Security Tools Mitigation",
"uuid": "388606d3-f38f-45bf-885d-a9dc9df3c8a8"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information within the Registry, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Query Registry Mitigation",
"uuid": "0640214c-95af-4c04-a574-2a1ba6dda00b"
},
{
"description": "Making these files immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.",
"value": ".bash_profile and .bashrc Mitigation",
"uuid": "4f170666-7edb-4489-85c2-9affa28a72e0"
},
{
"description": "Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Patch the BIOS and EFI as necessary. Use Trusted Platform Module technology. (Citation: TCG Trusted Platform Module)",
"value": "System Firmware Mitigation",
"uuid": "25e53928-6f33-49b7-baee-8180578286f6"
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
"value": "Multiband Communication Mitigation",
"uuid": "da987565-27b6-4b31-bbcd-74b909847116"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information on remotely available systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Remote System Discovery Mitigation",
"uuid": "9a902722-cecd-4fbe-a6c9-49333aa0f8c2"
},
{
"description": "File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "File and Directory Discovery Mitigation",
"uuid": "2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1"
},
{
"description": "Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses. (Citation: Powersploit)\n\nIdentify and block potentially malicious software that may be executed through abuse of file, directory, and service permissions by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs. Deny execution from user directories such as file download directories and temp directories where able. (Citation: Seclists Kanthak 7zip Installer)\n\nTurn off UAC's privilege elevation for standard users <code>[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]</code>to automatically deny elevation requests, add: <code>\"ConsentPromptBehaviorUser\"=dword:00000000</code> (Citation: Seclists Kanthak 7zip Installer). Consider enabling installer detection for all users by adding: <code>\"EnableInstallerDetection\"=dword:00000001</code>. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: <code>\"EnableInstallerDetection\"=dword:00000000</code>. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged.",
"value": "File System Permissions Weakness Mitigation",
"uuid": "1022138b-497c-40e6-b53a-13351cbd4090"
},
{
"description": "Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level. Also ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to interact with Windows services, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Service Execution Mitigation",
"uuid": "d5dce4b9-f1fa-4c03-aff9-ce177246cb64"
},
{
"description": "Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised.",
"value": "Setuid and Setgid Mitigation",
"uuid": "073cc04d-ac46-4f5a-85d7-83a91ecd6a19"
},
{
"description": "Due to potential legitimate uses of trap commands, it's may be difficult to mitigate use of this technique.",
"value": "Trap Mitigation",
"uuid": "809b79cd-be78-4597-88d1-5496d1d9993a"
},
{
"description": "Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. (Citation: TechNet Removable Media Control)",
"value": "Communication Through Removable Media Mitigation",
"uuid": "b8d57b16-d8e2-428c-a645-1083795b3445"
},
{
"description": "Remove smart cards when not in use. Protect devices and services used to transmit and receive out-of-band codes.\n\nIdentify and block potentially malicious software that may be used to intercept 2FA credentials on a system by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Two-Factor Authentication Interception Mitigation",
"uuid": "e8d22ec6-2236-48de-954b-974d17492782"
},
{
"description": "On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL</code> to <code>dword:00000001</code>. (Citation: Microsoft LSA Protection Mar 2014) LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance.\n\nOn Windows 10 and Server 2016, enable Windows Defender Credential Guard (Citation: Microsoft Enable Cred Guard April 2017) to run lsass.exe in an isolated virtualized environment without any device drivers. (Citation: Microsoft Credential Guard April 2017)\n\nEnsure safe DLL search mode is enabled <code>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\SafeDllSearchMode</code> to mitigate risk that lsass.exe loads a malicious code library. (Citation: Microsoft DLL Security)",
"value": "LSASS Driver Mitigation",
"uuid": "7a6e5ca3-562f-4185-a323-f3b62b5b2e6b"
},
{
"description": "Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
"value": "Standard Non-Application Layer Protocol Mitigation",
"uuid": "399d9038-b100-43ef-b28d-a5065106b935"
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
"value": "Data Transfer Size Limits Mitigation",
"uuid": "ba06d68a-4891-4eb5-b634-152e05ec60ee"
},
{
"description": "Upgrade to Windows 8 or later and enable secure boot.\n\nIdentify and block potentially malicious software that may be executed through AppInit DLLs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.",
"value": "AppInit DLLs Mitigation",
"uuid": "10571bf2-8073-4edf-a71c-23bad225532e"
},
{
"description": "InstallUtil may not be necessary within a given environment. Use application whitelisting configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries.",
"value": "InstallUtil Mitigation",
"uuid": "ec418d1b-4963-439f-b055-f914737ef362"
},
{
"description": "Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links. (Citation: UCF STIG Symbolic Links)\n\nIdentify and block unknown, potentially malicious software that may be executed through shortcut modification by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Shortcut Modification Mitigation",
"uuid": "a13e35cc-8c90-4d77-a965-5461042c1612"
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
"value": "Custom Command and Control Protocol Mitigation",
"uuid": "f3d0c735-330f-43c2-8e8e-51bcfa51e8c3"
},
{
"description": "Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Automated Exfiltration Mitigation",
"uuid": "2497ac92-e751-4391-82c6-1b86e34d0294"
},
{
"description": "Direct mitigation of this technique is not recommended since it is a legitimate function that can be performed by users for software preferences. Follow Microsoft's best practices for file associations. (Citation: MSDN File Associations)\n\nIdentify and block potentially malicious software that may be executed by this technique using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Change Default File Association Mitigation",
"uuid": "d7c49196-b40e-42bc-8eed-b803113692ed"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Peripheral Device Discovery Mitigation",
"uuid": "1881da33-fdf2-4eea-afd0-e04caf9c000f"
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
"value": "Standard Application Layer Protocol Mitigation",
"uuid": "addb3703-5a59-4461-9bcd-7e2b5d4e92a0"
},
{
"description": "Prevent users from changing the <code>HISTCONTROL</code> environment variable (Citation: Securing bash history). Also, make sure that the <code>HISTCONTROL</code> environment variable is set to “ignoredup” instead of “ignoreboth” or “ignorespace”.",
"value": "HISTCONTROL Mitigation",
"uuid": "03c0c586-50ed-45a7-95f4-f496d7eb5330"
},
{
"description": "Identify and block potentially malicious software that may be used to acquire credentials or information from the user by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nIn cases where this behavior is difficult to detect or mitigate, efforts can be made to lessen some of the impact that might result from an adversary acquiring credential information. It is also good practice to follow mitigation recommendations for adversary use of Valid Accounts.",
"value": "Input Capture Mitigation",
"uuid": "da8a87d2-946d-4c34-9a30-709058b98996"
},
{
"description": "Restrict users from being able to create their own login items. Additionally, holding the shift key during login prevents apps from opening automatically (Citation: Re-Open windows on Mac).",
"value": "Login Item Mitigation",
"uuid": "06824aa2-94a5-474c-97f6-57c2e983d885"
},
{
"description": "Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL</code>, which requires all SSP DLLs to be signed by Microsoft. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)",
"value": "Security Support Provider Mitigation",
"uuid": "9e57c770-5a39-49a2-bb91-253ba629e3ac"
},
{
"description": "Ensure SSH key pairs have strong passwords and refrain from using key-store technologies such as ssh-agent unless they are properly protected. Ensure that all private keys are stored securely in locations where only the legitimate owner has access to with strong passwords and are rotated frequently. Ensure proper file permissions are set and harden system to prevent root privilege escalation opportunities. Do not allow remote access via SSH as root or other privileged accounts. Ensure that agent forwarding is disabled on systems that do not explicitly require this feature to prevent misuse. (Citation: Symantec SSH and ssh-agent)",
"value": "SSH Hijacking Mitigation",
"uuid": "41cff8e9-fd05-408e-b3d5-d98c54c20bcf"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about processes, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Process Discovery Mitigation",
"uuid": "f6469191-1814-4dbe-a081-2a6daf83a10b"
},
{
"description": "Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if it is not required for business operations. (Citation: TechNet Removable Media Control)\n\nIdentify potentially malicious software that may be used to infect removable media or may result from tainted removable media, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Replication Through Removable Media Mitigation",
"uuid": "effb83a0-ead1-4b36-b7f6-b7bdf9c4616e"
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
"value": "Scheduled Transfer Mitigation",
"uuid": "1c0711c8-2a73-48a1-893d-ff88bcd23824"
},
{
"description": "Prevent adversary access to privileged accounts necessary to install a hypervisor.",
"value": "Hypervisor Mitigation",
"uuid": "2c3ce852-06a2-40ee-8fe6-086f6402a739"
},
{
"description": "Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. A keylogger installed on a system may be able to intercept passwords through Input Capture and be used to decrypt protected documents that an adversary may have collected. Strong passwords should be used to prevent offline cracking of encrypted documents through Brute Force techniques.\n\nIdentify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to collect files and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Automated Collection Mitigation",
"uuid": "8bd1ae32-a686-48f4-a6f8-470287f76152"
},
{
"description": "Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. (Citation: TechNet Removable Media Control)",
"value": "Exfiltration Over Physical Medium Mitigation",
"uuid": "e547ed6a-f1ca-40df-8613-2ce27927f145"
},
{
"description": "There currently aren't a lot of ways to mitigate application shimming. Disabling the Shim Engine isn't recommended because Windows depends on shimming for interoperability and software may become unstable or not work. Microsoft released an optional patch update - KB3045645 - that will remove the \"auto-elevate\" flag within the sdbinst.exe. This will prevent use of application shimming to bypass UAC. \n\nChanging UAC settings to \"Always Notify\" will give the user more visibility when UAC elevation is requested, however, this option will not be popular among users due to the constant UAC interruptions.",
"value": "Application Shimming Mitigation",
"uuid": "cfc2d2fc-14ff-495f-bd99-585be47b804f"
},
{
"description": "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized users can create scheduled jobs. Identify and block unnecessary system utilities or potentially malicious software that may be used to schedule jobs using whitelisting tools.",
"value": "Local Job Scheduling Mitigation",
"uuid": "c47a9b55-8f61-4b82-b833-1db6242c754e"
},
{
"description": "Mitigation of this technique may be difficult and unadvised due to the the legitimate use of hidden files and directories.",
"value": "Hidden Files and Directories Mitigation",
"uuid": "84d633a4-dd93-40ca-8510-40238c021931"
},
{
"description": "Prevent files from having a trailing space after the extension.",
"value": "Space after Filename Mitigation",
"uuid": "02f0f92a-0a51-4c94-9bda-6437b9a93f22"
},
{
"description": "Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing. Even setting to disable with notification could enable unsuspecting users to execute potentially malicious macros. (Citation: TechNet Office Macro Security)\n\nFor the Office Test method, create the Registry key used to execute it and set the permissions to \"Read Control\" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation. (Citation: Palo Alto Office Test Sofacy)\n\nDisable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-ins types (WLL, VBA) additional mitigation is likely required as disabling add-ins in the Office Trust Center does not disable WLL nor does it prevent VBA code from executing. (Citation: MRWLabs Office Persistence Add-ins)",
"value": "Office Application Startup Mitigation",
"uuid": "8ca6a5e0-aae5-49bc-8d07-f888c7dba9ea"
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
"value": "Data Encoding Mitigation",
"uuid": "fcbe8424-eb3e-4794-b76d-e743f5a49b8b"
},
{
"description": "Due to potential legitimate uses of source commands, it's may be difficult to mitigate use of this technique.",
"value": "Source Mitigation",
"uuid": "5391ece4-8866-415d-9b5e-8dc5944f612a"
},
{
"description": "Update software regularly. Install software in write-protected locations. Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.",
"value": "DLL Side-Loading Mitigation",
"uuid": "7a14d974-f3d9-4e4e-9b7d-980385762908"
},
{
"description": "Prevent users from installing their own launch agents or launch daemons and instead require them to be pushed out by group policy.",
"value": "Launchctl Mitigation",
"uuid": "e333cf16-5bfa-453e-8e6a-3a4c63d6bfcc"
},
{
"description": "Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Rootkit Mitigation",
"uuid": "95ddb356-7ba0-4bd9-a889-247262b8946f"
},
{
"description": "Misconfiguration of permissions in the Registry may lead to opportunities for an adversary to execute code, like through Service Registry Permissions Weakness. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.\n\nIdentify and block unnecessary system utilities or potentially malicious software that may be used to modify the Registry by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Modify Registry Mitigation",
"uuid": "ed202147-4026-4330-b5bd-1e8dfa8cf7cc"
},
{
"description": "Benign software uses legitimate processes to gather system time. Efforts should be focused on preventing unwanted or unknown code from executing on a system. Some common tools, such as net.exe, may be blocked by policy to prevent common ways of acquiring remote system time.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to acquire system time information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "System Time Discovery Mitigation",
"uuid": "82d8e990-c901-4aed-8596-cc002e7eb307"
},
{
"description": "Identify and block potentially malicious software that may be executed through AppCert DLLs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.",
"value": "AppCert DLLs Mitigation",
"uuid": "95c29444-49f9-49f7-8b20-bcd68d8fcaa6"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about network connections, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "System Network Connections Discovery Mitigation",
"uuid": "c1676218-c16a-41c9-8f7a-023779916e39"
},
{
"description": "Ensure Protected View is enabled. (Citation: Microsoft Protected View)\n\nRegistry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. (Citation: Microsoft DDE Advisory Nov 2017) (Citation: BleepingComputer DDE Disabled in Word Dec 2017)",
"value": "Dynamic Data Exchange Mitigation",
"uuid": "80c91478-ac87-434f-bee7-11f37aec4d74"
},
{
"description": "Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. (Citation: ADSecurity Windows Secure Baseline)\n\nUse host-based security software to block LLMNR/NetBIOS traffic.",
"value": "LLMNR/NBT-NS Poisoning Mitigation",
"uuid": "54246e2e-683f-4bf2-be4c-d7d5a60e7d22"
},
{
"description": "Blocking software based on screen capture functionality may be difficult, and there may be legitimate software that performs those actions. Instead, identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Screen Capture Mitigation",
"uuid": "51b37302-b844-4c08-ac98-ae6955ed1f55"
},
{
"description": "Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed. Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group multiple systems.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to leverage SMB and the Windows admin shares, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Windows Admin Shares Mitigation",
"uuid": "308855d1-078b-47ad-8d2a-8f9b2713ffb5"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to deobfuscate or decode files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Deobfuscate/Decode Files or Information Mitigation",
"uuid": "d01f473f-3cdc-4867-9e55-1de9cf1986f0"
},
{
"description": "Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their <code>~/.bash_history</code> files. Additionally, making these environment variables readonly can make sure that the history is preserved (Citation: Securing bash history).",
"value": "Clear Command History Mitigation",
"uuid": "3e7018e9-7389-48e7-9208-0bdbcbba9483"
},
{
"description": "Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. Toolkits like the PowerSploit framework contain the PowerUp modules that can be used to explore systems for Privilege Escalation weaknesses. (Citation: Powersploit)\n\nIdentify and block potentially malicious software that may be executed through service abuse by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.",
"value": "Modify Existing Service Mitigation",
"uuid": "fe0aeb41-1a51-4152-8467-628256ea6adf"
},
{
"description": "Evaluate the security of third-party software that could be used to deploy or execute programs. Ensure that access to management systems for deployment systems is limited, monitored, and secure. Have a strict approval policy for use of deployment systems.\n\nGrant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through Exploitation of Vulnerability. \n\nIf the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.",
"value": "Third-party Software Mitigation",
"uuid": "160af6af-e733-4b6a-a04a-71c620ac0930"
},
{
"description": "Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.\n\nIdentify and block potentially malicious software that may be used to capture video and images by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Video Capture Mitigation",
"uuid": "d9f4b5fa-2a39-4bdf-b40a-ea998933cd6d"
},
{
"description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nAlthough EWM injection may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Extra Window Memory Injection Mitigation",
"uuid": "cba5667e-e3c6-44a4-811c-266dbc00e440"
},
{
"description": "HTTP Public Key Pinning (HPKP) is one method to mitigate potential man-in-the-middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. (Citation: Wikipedia HPKP)",
"value": "Install Root Certificate Mitigation",
"uuid": "23061b40-a7b6-454f-8950-95d5ff80331c"
},
{
"description": "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Use multifactor authentication. Follow best practices for mitigating access to Valid Accounts",
"value": "Brute Force Mitigation",
"uuid": "4a99fecc-680b-448e-8fe7-8144c60d272c"
},
{
"description": "The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password.",
"value": "Keychain Mitigation",
"uuid": "56648de3-8947-4559-90c4-eda10acc0f5a"
},
{
"description": "Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.\n\nUse of two-factor authentication for public-facing webmail servers is also a recommended best practice to minimize the usefulness of user names and passwords to adversaries.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to collect email data files or access the corporate email server, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Email Collection Mitigation",
"uuid": "383caaa3-c46a-4f61-b2e3-653eb132f0e7"
},
{
"description": "Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, virtualization, and exploit prevention tools such as the Microsoft Enhanced Mitigation Experience Toolkit. (Citation: SRD EMET)",
"value": "Exploitation of Vulnerability Mitigation",
"uuid": "92e6d080-ca3f-4f95-bc45-172a32c4e502"
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
"value": "Remote File Copy Mitigation",
"uuid": "cdecc44a-1dbf-4c1f-881c-f21e3f47272a"
},
{
"description": "Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network. For example, if services like FTP are not required for sending information outside of a network, then block FTP-related ports at the network perimeter. Enforce proxies and use dedicated servers for services such as DNS and only allow those systems to communicate over respective ports/protocols, instead of all systems within a network. (Citation: TechNet Firewall Design) These actions will help reduce command and control and exfiltration path opportunities.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
"value": "Exfiltration Over Alternative Protocol Mitigation",
"uuid": "0e5bdf42-a7f7-4d16-a074-4915bd262f80"
},
{
"description": "Use strong passphrases for private keys to make cracking difficult. When possible, store keys on separate cryptographic hardware instead of on the local system. Ensure only authorized keys are allowed access to critical resources and audit access lists regularly. Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Use separate infrastructure for managing critical systems to prevent overlap of credentials and permissions on systems that could be used as vectors for lateral movement. Follow other best practices for mitigating access through use of Valid Accounts.",
"value": "Private Keys Mitigation",
"uuid": "f27ef4f2-71fe-48b6-b7f4-02dcac14320e"
},
{
"description": "Limit privileges of user accounts so only authorized users can edit the rc.common file.",
"value": "Rc.common Mitigation",
"uuid": "c3cf2312-3aab-4aaf-86e6-ab3505430482"
},
{
"description": "Access tokens are an integral part of the security system within Windows and cannot be turned off. However, an attacker must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require to do their job.\n\nAny user can also spoof access tokens if they have legitimate credentials. Follow mitigation guidelines for preventing adversary use of Valid Accounts. Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. (Citation: Microsoft Create Token) Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. (Citation: Microsoft Replace Process Token)\n\nAlso limit opportunities for adversaries to increase privileges by limiting Privilege Escalation opportunities.",
"value": "Access Token Manipulation Mitigation",
"uuid": "c61fee9f-16fb-4f8c-bbf0-869093fcd4a6"
},
{
"description": "Whitelist programs that are allowed to have this plist tag. All other programs should be considered suspicious.",
"value": "Hidden Window Mitigation",
"uuid": "fae44eea-caa7-42b7-a2e2-0c815ba81b9a"
},
{
"description": "Disable the RDP service if it is unnecessary, remove unnecessary accounts and groups from Remote Desktop Users groups, and enable firewall rules to block RDP traffic between network security zones. Audit the Remote Desktop Users group membership regularly. Remove the local Administrators group from the list of groups allowed to log in through RDP. Limit remote user permissions if remote access is necessary. Use remote desktop gateways and multifactor authentication for remote logins. (Citation: Berkley Secure) Do not leave RDP accessible from the internet. Change GPOs to define shorter timeouts sessions and maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server. (Citation: Windows RDP Sessions)",
"value": "Remote Desktop Protocol Mitigation",
"uuid": "53b3b027-bed3-480c-9101-1247047d0fe6"
},
{
"description": "Firewalls and Web proxies can be used to enforce external network communication policy. It may be difficult for an organization to block particular services because so many of them are commonly used during the course of business.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol or encoded commands used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
"value": "Web Service Mitigation",
"uuid": "4689b9fb-dca4-473e-831b-34717ad50c97"
},
{
"description": "Users need to be trained to know which programs ask for permission and why. Follow mitigation recommendations for AppleScript.",
"value": "Input Prompt Mitigation",
"uuid": "8a61f6b9-6b7a-4cf2-8e08-f1e26434f6df"
},
{
"description": "Use network intrusion detection/prevention systems to detect and prevent remote service scans. Ensure that unnecessary ports and services are closed and proper network segmentation is followed to protect critical servers and devices.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to acquire information about services running on remote systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Network Service Scanning Mitigation",
"uuid": "d256cb63-b021-4b4a-bb6d-1b42eea179a3"
},
{
"description": "Disabling WMI services may cause system instability and should be evaluated to assess the impact to a network. By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI. Prevent credential overlap across systems of administrator and privileged accounts. (Citation: FireEye WMI 2015)",
"value": "Windows Management Instrumentation Event Subscription Mitigation",
"uuid": "0bc3ce00-83bc-4a92-a042-79ffbc6af259"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from the local system, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Data from Local System Mitigation",
"uuid": "7ee0879d-ce4f-4f54-a96b-c532dfb98ffd"
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Since the custom protocol used may not adhere to typical protocol standards, there may be opportunities to signature the traffic on a network level for detection. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
"value": "Custom Cryptographic Protocol Mitigation",
"uuid": "a569295c-a093-4db4-9fb4-7105edef85ad"
},
{
"description": "Establish an organizational policy that prohibits password storage in files. Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. Preemptively search for files containing passwords and remove when found. Restrict file shares to specific directories with access only to necessary users. Remove vulnerable Group Policy Preferences. (Citation: Microsoft MS14-025)",
"value": "Credentials in Files Mitigation",
"uuid": "0472af99-f25c-4abe-9fce-010fa3450e72"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about groups and permissions, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Permission Groups Discovery Mitigation",
"uuid": "dd9a85ad-6a92-4986-a215-b01d0ce7b987"
},
{
"description": "Restrict write access to logon scripts to specific administrators. Prevent access to administrator accounts by mitigating Credential Access techniques and limiting account access and permissions of Valid Accounts.\n\nIdentify and block potentially malicious software that may be executed through logon script modification by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.",
"value": "Logon Scripts Mitigation",
"uuid": "9ab7de33-99b2-4d8d-8cf3-182fa0015cc2"
},
{
"description": "Process whitelisting and trusted publishers to verify authenticity of software can help prevent signed malicious or untrusted code from executing on a system. (Citation: NSA MS AppLocker) (Citation: TechNet Trusted Publishers) (Citation: Securelist Digital Certificates)",
"value": "Code Signing Mitigation",
"uuid": "82fbc58b-171d-4a2d-9a20-c6b2a716bd08"
},
{
"description": "Disable the WinRM service. If the service is necessary, lock down critical enclaves with separate WinRM infrastructure, accounts, and permissions. Follow WinRM best practices on configuration of authentication methods and use of host firewalls to restrict WinRM access to allow communication only to/from specific devices. (Citation: NSA Spotting)",
"value": "Windows Remote Management Mitigation",
"uuid": "3e9f8875-d2f7-4380-a578-84393bd3b025"
},
{
"description": "Ensure that externally facing Web servers are patched regularly to prevent adversary access through Exploitation of Vulnerability to gain remote code access or through file inclusion weaknesses that may allow adversaries to upload files or scripts that are automatically served as Web pages. \n\nAudit account and group permissions to ensure that accounts used to manage servers do not overlap with accounts and permissions of users in the internal network that could be acquired through Credential Access and used to log into the Web server and plant a Web shell or pivot from the Web server into the internal network. (Citation: US-CERT Alert TA15-314A Web Shells)",
"value": "Web Shell Mitigation",
"uuid": "bcc91b8c-f104-4710-964e-1d5409666736"
},
{
"description": "This type of attack technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate process-loading mechanisms from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nAlthough Process Doppelgänging may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Process Doppelgänging Mitigation",
"uuid": "34d6a2ef-370e-4d21-a34b-6208b7c78f31"
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
"value": "Data Obfuscation Mitigation",
"uuid": "d0fcf37a-b6c4-4745-9c43-4fcdb8bfc88e"
},
{
"description": "Ensure updated virus definitions. Create custom signatures for observed malware. Employ heuristic-based malware detection.\n\nIdentify and prevent execution of potentially malicious software that may have been packed by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Software Packing Mitigation",
"uuid": "c95c8b5c-b431-43c9-9557-f494805e2502"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about local security software, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Security Software Discovery Mitigation",
"uuid": "bd2554b8-634f-4434-a986-9b49c29da2ae"
}
]
}

971
clusters/mitre-entreprise-attack-intrusion-set.json Normal file
View file

@ -0,0 +1,971 @@
{
"name": "Entreprise Attack -intrusion Set",
"type": "mitre-entreprise-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"version": 1,
"source": "https://github.com/mitre/cti",
"uuid": "01f18402-1708-11e8-ac1c-1ffb3c4a7775",
"authors": [
"MITRE"
],
"values": [
{
"description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. (Citation: Kaspersky Poseidon Group)",
"value": "Poseidon Group",
"meta": {
"synonyms": [
"Poseidon Group"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0033",
"https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/"
]
},
"uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446"
},
{
"description": "Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)",
"value": "Group5",
"meta": {
"synonyms": [
"Group5"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0043",
"https://citizenlab.org/2016/08/group5-syria/"
]
},
"uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40"
},
{
"description": "PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. (Citation: Bizeul 2014) (Citation: Villeneuve 2014)",
"value": "PittyTiger",
"meta": {
"synonyms": [
"PittyTiger"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0011",
"http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2",
"https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html"
]
},
"uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647"
},
{
"description": "admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. (Citation: FireEye admin@338)",
"value": "admin@338",
"meta": {
"synonyms": [
"admin@338"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0018",
"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
]
},
"uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756"
},
{
"description": "RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). (Citation: ESET RTM Feb 2017)",
"value": "RTM",
"meta": {
"synonyms": [
"RTM"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0048",
"https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
]
},
"uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f"
},
{
"description": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)",
"value": "APT16",
"meta": {
"synonyms": [
"APT16"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0023",
"https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
]
},
"uuid": "d6e88e18-81e8-4709-82d8-973095da1e70"
},
{
"description": "is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug Nov 2017)\n\nContributors: Alan Neville, @abnev",
"value": "Sowbug",
"meta": {
"synonyms": [
"Sowbug"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0054",
"https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments"
]
},
"uuid": "d1acfbb3-647b-4723-9154-800ec119006e"
},
{
"description": "APT28 is a threat group that has been attributed to the Russian government. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28) January 2017 (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee in April 2016. (Citation: Crowdstrike DNC June 2016)",
"value": "APT28",
"meta": {
"synonyms": [
"APT28",
"Sednit",
"Sofacy",
"Pawn Storm",
"Fancy Bear",
"STRONTIUM",
"Tsar Team",
"Threat Group-4127",
"TG-4127"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0007",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
]
},
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"
},
{
"description": "Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Though both this group and Axiom use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015)",
"value": "Winnti Group",
"meta": {
"synonyms": [
"Winnti Group",
"Blackfly"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0044",
"https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf",
"https://securelist.com/games-are-over/70991/",
"http://www.novetta.com/wp-content/uploads/2015/04/novetta%20winntianalysis.pdf"
]
},
"uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff"
},
{
"description": "Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. (Citation: Alperovitch 2014) The intrusion into healthcare company Anthem has been attributed to Deep Panda. (Citation: ThreatConnect Anthem) This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. (Citation: RSA Shell Crew) Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. (Citation: Symantec Black Vine)",
"value": "Deep Panda",
"meta": {
"synonyms": [
"Deep Panda",
"Shell Crew",
"WebMasters",
"KungFu Kittens",
"PinkPanther",
"Black Vine"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0009",
"https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/",
"https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/",
"https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-black-vine-cyberespionage-group.pdf"
]
},
"uuid": "a653431d-6a5e-4600-8ad3-609b5af57064"
},
{
"description": "Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. (Citation: DustySky) (Citation: DustySky)2",
"value": "Molerats",
"meta": {
"synonyms": [
"Molerats",
"Operation Molerats",
"Gaza Cybergang"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0021"
]
},
"uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411"
},
{
"description": "Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda. (Citation: Symantec Strider Blog) (Citation: Kaspersky ProjectSauron Blog)",
"value": "Strider",
"meta": {
"synonyms": [
"Strider",
"ProjectSauron"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0041",
"http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets",
"https://securelist.com/faq-the-projectsauron-apt/75533/"
]
},
"uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656"
},
{
"description": "Sandworm Team is a cyber espionage group that has operated since approximately 2009 and has been attributed to Russia. (Citation: iSIGHT Sandworm 2014)",
"value": "Sandworm Team",
"meta": {
"synonyms": [
"Sandworm Team",
"Quedagh"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0034",
"https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html"
]
},
"uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192"
},
{
"description": "FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. (Citation: FireEye FIN6 April 2016)",
"value": "FIN6",
"meta": {
"synonyms": [
"FIN6"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0037",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf"
]
},
"uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb"
},
{
"description": "Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. (Citation: Cylance Dust Storm)",
"value": "Dust Storm",
"meta": {
"synonyms": [
"Dust Storm"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0031",
"https://www.cylance.com/content/dam/cylance/pdfs/reports/Op%20Dust%20Storm%20Report.pdf"
]
},
"uuid": "ae41895a-243f-4a65-b99b-d85022326c31"
},
{
"description": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)",
"value": "Cleaver",
"meta": {
"synonyms": [
"Cleaver",
"TG-2889",
"Threat Group 2889"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0003",
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance%20Operation%20Cleaver%20Report.pdf",
"http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/"
]
},
"uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063"
},
{
"description": "APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)",
"value": "APT12",
"meta": {
"synonyms": [
"APT12",
"IXESHE",
"DynCalc",
"Numbered Panda",
"DNSCALC"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0005",
"http://www.crowdstrike.com/blog/whois-numbered-panda/"
]
},
"uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb"
},
{
"description": "is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)",
"value": "NEODYMIUM",
"meta": {
"synonyms": [
"NEODYMIUM"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0055",
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft%20Security%20Intelligence%20Report%20Volume%2021%20English.pdf"
]
},
"uuid": "025bdaa9-897d-4bad-afa6-013ba5734653"
},
{
"description": "APT34 is an Iranian cyber espionage group that has been active since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. APT34 loosely aligns with public reporting related to OilRig, but may not wholly align due to companies tracking threat groups in different ways. (Citation: FireEye APT34 Dec 2017)",
"value": "APT34",
"meta": {
"synonyms": [
"APT34"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0057",
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
]
},
"uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6"
},
{
"description": "Moafee is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK. (Citation: Haq 2014)",
"value": "Moafee",
"meta": {
"synonyms": [
"Moafee"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0002",
"https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"
]
},
"uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f"
},
{
"description": "Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. (Citation: Dell TG-3390) The group has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. (Citation: SecureWorks BRONZE UNION June 2017)",
"value": "Threat Group-3390",
"meta": {
"synonyms": [
"Threat Group-3390",
"TG-3390",
"Emissary Panda",
"BRONZE UNION"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0027",
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
"https://www.secureworks.com/research/bronze-union"
]
},
"uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c"
},
{
"description": "DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. (Citation: Operation Quantum Entanglement) It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. (Citation: New DragonOK)",
"value": "DragonOK",
"meta": {
"synonyms": [
"DragonOK"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0017",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
"http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/"
]
},
"uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a"
},
{
"description": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the Peoples Liberation Army (PLA) General Staff Departments (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)",
"value": "APT1",
"meta": {
"synonyms": [
"APT1",
"Comment Crew",
"Comment Group",
"Comment Panda"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0006",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
]
},
"uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662"
},
{
"description": "FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. (Citation: FireEye FIN10 June 2017)",
"value": "FIN10",
"meta": {
"synonyms": [
"FIN10"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0051",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf"
]
},
"uuid": "fbe9387f-34e6-4828-ac28-3080020c597b"
},
{
"description": "OilRig is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2015. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook OilRig Dec 2017) Reporting on OilRig may loosely overlap with APT34, but may not wholly align due to companies tracking groups in different ways. (Citation: FireEye APT34 Dec 2017)\n\nContributors: Robert Falcone, Bryan Lee",
"value": "OilRig",
"meta": {
"synonyms": [
"OilRig"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0049",
"http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/",
"http://www.clearskysec.com/oilrig/",
"http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
"http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
"https://pan-unit42.github.io/playbook%20viewer/",
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
]
},
"uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d"
},
{
"description": "is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. usually tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, Rocket Kitten, resulting in reporting that may not distinguish between the two groups' activities. (Citation: ClearSky Charming Kitten Dec 2017)",
"value": "Charming Kitten",
"meta": {
"synonyms": [
"Charming Kitten"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0058",
"http://www.clearskysec.com/wp-content/uploads/2017/12/Charming%20Kitten%202017.pdf"
]
},
"uuid": "7636484c-adc5-45d4-9bfe-c3e062fbc4a0"
},
{
"description": "FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)\n\nContributors: Walker Johnson",
"value": "FIN5",
"meta": {
"synonyms": [
"FIN5"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0053",
"https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html",
"https://www.youtube.com/watch?v=fevGZs0EQu8",
"https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?"
]
},
"uuid": "85403903-15e0-4f9f-9be4-a259ecad4022"
},
{
"description": "Taidoor is a threat group that has operated since at least 2009 and has primarily targeted the Taiwanese government. (Citation: TrendMicro Taidoor)",
"value": "Taidoor",
"meta": {
"synonyms": [
"Taidoor"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0015",
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp%20the%20taidoor%20campaign.pdf"
]
},
"uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46"
},
{
"description": "Night Dragon is a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)",
"value": "Night Dragon",
"meta": {
"synonyms": [
"Night Dragon"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0014",
"http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf"
]
},
"uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8"
},
{
"description": "Naikon is a threat group that has focused on targets around the South China Sea. (Citation: Baumgartner Naikon 2015) The group has been attributed to the Chinese Peoples Liberation Armys (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). (Citation: CameraShy) While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. (Citation: Baumgartner Golovkin Naikon 2015)",
"value": "Naikon",
"meta": {
"synonyms": [
"Naikon"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0019",
"https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf",
"http://cdn2.hubspot.net/hubfs/454298/Project%20CAMERASHY%20ThreatConnect%20Copyright%202015.pdf",
"https://securelist.com/the-naikon-apt/69953/"
]
},
"uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050"
},
{
"description": "Ke3chang is a threat group attributed to actors operating out of China. (Citation: Villeneuve et al 2014)",
"value": "Ke3chang",
"meta": {
"synonyms": [
"Ke3chang"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0004",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf"
]
},
"uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c"
},
{
"description": "APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists, and has extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based. (Citation: FireEye APT32 May 2017) (Citation: Volexity OceanLotus Nov 2017)",
"value": "APT32",
"meta": {
"synonyms": [
"APT32",
"OceanLotus Group"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0050",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
"https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/"
]
},
"uuid": "247cb30b-955f-42eb-97a5-a89fef69341e"
},
{
"description": "Patchwork is a threat group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Much of the code used by this group was copied and pasted from online forums. (Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)",
"value": "Patchwork",
"meta": {
"synonyms": [
"Patchwork",
"Dropping Elephant",
"Chinastrats"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0040",
"https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling%20Patchwork.pdf",
"http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries"
]
},
"uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0"
},
{
"description": "APT30 is a threat group suspected to be associated with the Chinese government. (Citation: FireEye APT30) While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. (Citation: Baumgartner Golovkin Naikon 2015)",
"value": "APT30",
"meta": {
"synonyms": [
"APT30"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0013",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
"https://securelist.com/the-naikon-apt/69953/"
]
},
"uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd"
},
{
"description": "MONSOON is the name of an espionage campaign that apparently started in December 2015 and was ongoing as of July 2016. It is believed that the actors behind MONSOON are the same actors behind Operation Hangover. While attribution is unclear, the campaign has targeted victims with military and political interests in the Indian Subcontinent. (Citation: Forcepoint Monsoon) Operation Hangover has been reported as being Indian in origin, and can be traced back to 2010. (Citation: Operation Hangover May 2013)",
"value": "MONSOON",
"meta": {
"synonyms": [
"MONSOON",
"Operation Hangover"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0042",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
"http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling%20an%20Indian%20Cyberattack%20Infrastructure.pdf"
]
},
"uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772"
},
{
"description": "APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)",
"value": "APT17",
"meta": {
"synonyms": [
"APT17",
"Deputy Dog"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0025",
"https://www2.fireeye.com/rs/fireye/images/APT17%20Report.pdf"
]
},
"uuid": "090242d7-73fc-4738-af68-20162f7a5aae"
},
{
"description": "FIN7 is a financially motivated threat group that has primarily targeted the retail and hospitality sectors, often using point-of-sale malware. It is sometimes referred to as Carbanak Group, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. (Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017)",
"value": "FIN7",
"meta": {
"synonyms": [
"FIN7"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0046",
"https://www.fireeye.com/blog/threat-research/2017/03/fin7%20spear%20phishing.html",
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
]
},
"uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc"
},
{
"description": "APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. (Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. (Citation: FireEye Clandestine Wolf) (Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. (Citation: Symantec Buckeye)\n\n (Citation: APT3 Adversary Emulation Plan)",
"value": "APT3",
"meta": {
"synonyms": [
"APT3",
"Gothic Panda",
"Pirpi",
"UPS Team",
"Buckeye",
"Threat Group-0110",
"TG-0110"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0022",
"https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
"https://www.recordedfuture.com/chinese-mss-behind-apt3/",
"https://www.fireeye.com/blog/threat-research/2014/11/operation%20doubletap.html",
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
"https://attack.mitre.org/w/img%20auth.php/6/6c/APT3%20Adversary%20Emulation%20Plan.pdf"
]
},
"uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9"
},
{
"description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. (Citation: Securelist GCMAN)",
"value": "GCMAN",
"meta": {
"synonyms": [
"GCMAN"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0036",
"https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/"
]
},
"uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f"
},
{
"description": "Lazarus Group is a threat group that has been attributed to the North Korean government. (Citation: US-CERT HIDDEN COBRA June 2017) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)",
"value": "Lazarus Group",
"meta": {
"synonyms": [
"Lazarus Group",
"HIDDEN COBRA",
"Guardians of Peace",
"ZINC",
"NICKEL ACADEMY"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0032",
"https://www.us-cert.gov/ncas/alerts/TA17-164A",
"https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"
]
},
"uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a"
},
{
"description": "Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. (Citation: Lotus Blossom Jun 2015)",
"value": "Lotus Blossom",
"meta": {
"synonyms": [
"Lotus Blossom",
"Spring Dragon"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0030",
"https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html"
]
},
"uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7"
},
{
"description": "Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. (Citation: Kaspersky Equation QA)",
"value": "Equation",
"meta": {
"synonyms": [
"Equation"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0020",
"https://securelist.com/files/2015/02/Equation%20group%20questions%20and%20answers.pdf"
]
},
"uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9"
},
{
"description": "Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center WiFi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing. (Citation: Kaspersky Darkhotel)",
"value": "Darkhotel",
"meta": {
"synonyms": [
"Darkhotel"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0012",
"https://securelist.com/files/2014/11/darkhotel%20kl%2007.11.pdf"
]
},
"uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383"
},
{
"description": "Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. The group appeared to decrease activity following public exposure in 2014, and re-emerged in late 2015 through 2017. (Citation: Symantec Dragonfly) (Citation: Symantec Dragonfly) Sept 2017",
"value": "Dragonfly",
"meta": {
"synonyms": [
"Dragonfly",
"Energetic Bear"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0035",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/Dragonfly%20Threat%20Against%20Western%20Energy%20Suppliers.pdf"
]
},
"uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1"
},
{
"description": "Suckfly is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)",
"value": "Suckfly",
"meta": {
"synonyms": [
"Suckfly"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0039",
"http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
]
},
"uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d"
},
{
"description": "Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)",
"value": "Stealth Falcon",
"meta": {
"synonyms": [
"Stealth Falcon"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0038",
"https://citizenlab.org/2016/05/stealth-falcon/"
]
},
"uuid": "894aab42-3371-47b1-8859-a4a074c804c8"
},
{
"description": "BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017)",
"value": "BRONZE BUTLER",
"meta": {
"synonyms": [
"BRONZE BUTLER",
"REDBALDKNIGHT",
"Tick"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0060",
"http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
]
},
"uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90"
},
{
"description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. (Citation: Scarlet Mimic Jan 2016)",
"value": "Scarlet Mimic",
"meta": {
"synonyms": [
"Scarlet Mimic"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0029",
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
]
},
"uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7"
},
{
"description": "Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. (Citation: Dell TG-1314)",
"value": "Threat Group-1314",
"meta": {
"synonyms": [
"Threat Group-1314",
"TG-1314"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0028",
"http://www.secureworks.com/resources/blog/living-off-the-land/"
]
},
"uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983"
},
{
"description": "Turla is a threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. They are known for conducting watering hole and spearphishing campaigns. (Citation: Kaspersky Turla) (Citation: ESET Gazer Aug 2017)",
"value": "Turla",
"meta": {
"synonyms": [
"Turla",
"Waterbug",
"WhiteBear"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0010",
"https://securelist.com/the-epic-turla-operation/65545/",
"https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf"
]
},
"uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6"
},
{
"description": "APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008. (Citation: F-Secure The Dukes) (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Citation: Crowdstrike DNC June 2016)",
"value": "APT29",
"meta": {
"synonyms": [
"APT29",
"The Dukes",
"Cozy Bear",
"CozyDuke"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0016",
"https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
]
},
"uuid": "899ce53f-13a0-479b-a0e4-67d46e241542"
},
{
"description": "menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. (Citation: Palo Alto menuPass Feb 2017) (Citation: Crowdstrike CrowdCast Oct 2013) (Citation: FireEye Poison Ivy) (Citation: PWC Cloud Hopper April 2017) (Citation: FireEye APT10 April 2017)",
"value": "menuPass",
"meta": {
"synonyms": [
"menuPass",
"Stone Panda",
"APT10",
"Red Apollo",
"CVNX"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0045",
"http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
"https://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf",
"https://www.fireeye.com/blog/threat-research/2017/04/apt10%20menupass%20grou.html"
]
},
"uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f"
},
{
"description": "Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLAs 3rd General Staff Department (GSD). (Citation: CrowdStrike Putter Panda)",
"value": "Putter Panda",
"meta": {
"synonyms": [
"Putter Panda",
"APT2",
"MSUpdater"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0024",
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
]
},
"uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45"
},
{
"description": " (Citation: Axiom) is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. (Citation: Axiom) Though both this group and Winnti Group use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015)",
"value": "Axiom",
"meta": {
"synonyms": [
"Axiom",
"Group 72"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0001",
"http://www.novetta.com/wp-content/uploads/2014/11/Executive%20Summary-Final%201.pdf",
"https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf",
"https://securelist.com/games-are-over/70991/",
"http://www.novetta.com/wp-content/uploads/2015/04/novetta%20winntianalysis.pdf"
]
},
"uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973"
},
{
"description": "Magic Hound is an espionage campaign operating primarily in the Middle East that dates back to at least mid-2016. The group behind the campaign has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia. (Citation: Unit 42 Magic Hound Feb 2017)\n\nContributors: Bryan Lee",
"value": "Magic Hound",
"meta": {
"synonyms": [
"Magic Hound",
"Rocket Kitten",
"Operation Saffron Rose",
"Ajax Security Team",
"Operation Woolen-Goldfish",
"Newscaster",
"Cobalt Gypsy"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0059",
"https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/"
]
},
"uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13"
},
{
"description": "is an activity group that has been active since at least 2012. The group conducted a campaign in May 2016 and has heavily targeted Turkish victims. has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)",
"value": "PROMETHIUM",
"meta": {
"synonyms": [
"PROMETHIUM"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0056",
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft%20Security%20Intelligence%20Report%20Volume%2021%20English.pdf"
]
},
"uuid": "efed95ba-d7e8-47ff-8c53-99c42426ee7c"
},
{
"description": "Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak). It is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. (Citation: Kaspersky Carbanak) (Citation: FireEye FIN7 April 2017)\n\nContributors: Anastasios Pingios",
"value": "Carbanak",
"meta": {
"synonyms": [
"Carbanak",
"Anunak",
"Carbon Spider"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0008",
"https://securelist.com/files/2015/02/Carbanak%20APT%20eng.pdf",
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
]
},
"uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c"
},
{
"description": "APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movement)",
"value": "APT18",
"meta": {
"synonyms": [
"APT18",
"Threat Group-0416",
"TG-0416",
"Dynamite Panda"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0026",
"http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/"
]
},
"uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648"
},
{
"description": "CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. (Citation: ClearSky CopyKittens March 2017) (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)",
"value": "CopyKittens",
"meta": {
"synonyms": [
"CopyKittens"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0052",
"http://www.clearskysec.com/copykitten-jpost/",
"http://www.clearskysec.com/wp-content/uploads/2017/07/Operation%20Wilted%20Tulip.pdf",
"https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf"
]
},
"uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a"
},
{
"description": "Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. (Citation: Palo Alto Gamaredon Feb 2017)",
"value": "Gamaredon Group",
"meta": {
"synonyms": [
"Gamaredon Group"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0047",
"https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
]
},
"uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf"
}
]
}

2291
clusters/mitre-entreprise-attack-malware.json Normal file
View file

File diff suppressed because it is too large Load diff

17277
clusters/mitre-entreprise-attack-relationship.json Normal file
View file

File diff suppressed because it is too large Load diff

527
clusters/mitre-entreprise-attack-tool.json Normal file
View file

@ -0,0 +1,527 @@
{
"name": "Entreprise Attack - Tool",
"type": "mitre-entreprise-attack-tool",
"description": "Name of ATT&CK software",
"version": 1,
"source": "https://github.com/mitre/cti",
"uuid": "fc1ea6e0-1707-11e8-ac05-2b70d00c354e",
"authors": [
"MITRE"
],
"values": [
{
"description": "at is used to schedule tasks on a system to run at a specified date or time. (Citation: TechNet At)\n\nAliases: at, at.exe",
"value": "at",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0110",
"https://technet.microsoft.com/en-us/library/bb490866.aspx"
],
"synonyms": [
"at",
"at.exe"
]
},
"uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952"
},
{
"description": "route can be used to find or change information within the local system IP routing table. (Citation: TechNet Route)\n\nAliases: route, route.exe",
"value": "route",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0103",
"https://technet.microsoft.com/en-us/library/bb490991.aspx"
],
"synonyms": [
"route",
"route.exe"
]
},
"uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de"
},
{
"description": "The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)\n\nAliases: Tasklist",
"value": "Tasklist",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0057",
"https://technet.microsoft.com/en-us/library/bb491010.aspx"
],
"synonyms": [
"Tasklist"
]
},
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f"
},
{
"description": "Windows Credential Editor is a password dumping tool. (Citation: Amplia WCE)\n\nAliases: Windows Credential Editor, WCE",
"value": "Windows Credential Editor",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0005",
"http://www.ampliasecurity.com/research/wcefaq.html"
],
"synonyms": [
"Windows Credential Editor",
"WCE"
]
},
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966"
},
{
"description": "Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder)\n\nAliases: Responder",
"value": "Responder",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0174",
"https://github.com/SpiderLabs/Responder"
],
"synonyms": [
"Responder"
]
},
"uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719"
},
{
"description": "schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. (Citation: TechNet Schtasks)\n\nAliases: schtasks, schtasks.exe",
"value": "schtasks",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0111",
"https://technet.microsoft.com/en-us/library/bb490996.aspx"
],
"synonyms": [
"schtasks",
"schtasks.exe"
]
},
"uuid": "c9703cd3-141c-43a0-a926-380082be5d04"
},
{
"description": "UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. (Citation: Github UACMe)\n\nAliases: UACMe",
"value": "UACMe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0116",
"https://github.com/hfiref0x/UACME"
],
"synonyms": [
"UACMe"
]
},
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507"
},
{
"description": "ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)\n\nAliases: ifconfig",
"value": "ifconfig",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0101",
"https://en.wikipedia.org/wiki/Ifconfig"
],
"synonyms": [
"ifconfig"
]
},
"uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5"
},
{
"description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)\n\nAliases: Mimikatz\n\nContributors: Vincent Le Toux",
"value": "Mimikatz",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0002",
"https://github.com/gentilkiwi/mimikatz",
"https://adsecurity.org/?page%20id=1821"
],
"synonyms": [
"Mimikatz"
]
},
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
{
"description": " (Citation: xCmd) is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems. (Citation: xCmd)\n\nAliases: (Citation: xCmd)",
"value": "xCmd",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0123",
"https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/"
],
"synonyms": [
"xCmd"
]
},
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b"
},
{
"description": "is a credential dumper, similar to Mimikatz, designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)\n\nAliases: MimiPenguin\n\nContributors: Vincent Le Toux",
"value": "MimiPenguin",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0179",
"https://github.com/huntergregal/mimipenguin"
],
"synonyms": [
"MimiPenguin"
]
},
"uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27"
},
{
"description": "Systeminfo is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)\n\nAliases: Systeminfo, systeminfo.exe",
"value": "Systeminfo",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0096",
"https://technet.microsoft.com/en-us/library/bb491007.aspx"
],
"synonyms": [
"Systeminfo",
"systeminfo.exe"
]
},
"uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1"
},
{
"description": "netsh is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)\n\nAliases: netsh, netsh.exe",
"value": "netsh",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0108",
"https://technet.microsoft.com/library/bb490939.aspx"
],
"synonyms": [
"netsh",
"netsh.exe"
]
},
"uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71"
},
{
"description": "dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.\n\nAliases: dsquery, dsquery.exe",
"value": "dsquery",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0105",
"https://technet.microsoft.com/en-us/library/cc732952.aspx"
],
"synonyms": [
"dsquery",
"dsquery.exe"
]
},
"uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe"
},
{
"description": "gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. (Citation: TrueSec Gsecdump)\n\nAliases: gsecdump",
"value": "gsecdump",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0008",
"https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump%20v2.0b5"
],
"synonyms": [
"gsecdump"
]
},
"uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54"
},
{
"description": "Ping is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)\n\nAliases: Ping, ping.exe",
"value": "Ping",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0097",
"https://technet.microsoft.com/en-us/library/bb490968.aspx"
],
"synonyms": [
"Ping",
"ping.exe"
]
},
"uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47"
},
{
"description": "Fgdump is a Windows password hash dumper. (Citation: Mandiant APT1)\n\nAliases: Fgdump",
"value": "Fgdump",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0120",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"Fgdump"
]
},
"uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe"
},
{
"description": "Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process. (Citation: Mandiant APT1)\n\nAliases: Lslsass",
"value": "Lslsass",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0121",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"Lslsass"
]
},
"uuid": "2fab555f-7664-4623-b4e0-1675ae38190b"
},
{
"description": "Pass-The-Hash Toolkit is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)\n\nAliases: Pass-The-Hash Toolkit",
"value": "Pass-The-Hash Toolkit",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0122",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"Pass-The-Hash Toolkit"
]
},
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69"
},
{
"description": "FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data. (Citation: Wikipedia FTP)\n\nAliases: FTP, ftp.exe",
"value": "FTP",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0095",
"https://en.wikipedia.org/wiki/File%20Transfer%20Protocol"
],
"synonyms": [
"FTP",
"ftp.exe"
]
},
"uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565"
},
{
"description": "ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)\n\nAliases: ipconfig, ipconfig.exe",
"value": "ipconfig",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0100",
"https://technet.microsoft.com/en-us/library/bb490921.aspx"
],
"synonyms": [
"ipconfig",
"ipconfig.exe"
]
},
"uuid": "294e2560-bd48-44b2-9da2-833b5588ad11"
},
{
"description": "nbtstat is a utility used to troubleshoot NetBIOS name resolution. (Citation: TechNet Nbtstat)\n\nAliases: nbtstat, nbtstat.exe",
"value": "nbtstat",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0102",
"https://technet.microsoft.com/en-us/library/cc940106.aspx"
],
"synonyms": [
"nbtstat",
"nbtstat.exe"
]
},
"uuid": "b35068ec-107a-4266-bda8-eb7036267aea"
},
{
"description": "HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. (Citation: Operation Quantum Entanglement)\n\nAliases: HTRAN, HUC Packet Transmit Tool",
"value": "HTRAN",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0040",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf"
],
"synonyms": [
"HTRAN",
"HUC Packet Transmit Tool"
]
},
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e"
},
{
"description": "Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes \"Onion Routing,\" in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. (Citation: Dingledine Tor The Second-Generation Onion Router)\n\nAliases: Tor",
"value": "Tor",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0183",
"http://www.dtic.mil/dtic/tr/fulltext/u2/a465464.pdf"
],
"synonyms": [
"Tor"
]
},
"uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68"
},
{
"description": "netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)\n\nAliases: netstat, netstat.exe",
"value": "netstat",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0104",
"https://technet.microsoft.com/en-us/library/bb490947.aspx"
],
"synonyms": [
"netstat",
"netstat.exe"
]
},
"uuid": "4664b683-f578-434f-919b-1c1aad2a1111"
},
{
"description": "pwdump is a credential dumper. (Citation: Wikipedia pwdump)\n\nAliases: pwdump",
"value": "pwdump",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0006",
"https://en.wikipedia.org/wiki/Pwdump"
],
"synonyms": [
"pwdump"
]
},
"uuid": "9de2308e-7bed-43a3-8e58-f194b3586700"
},
{
"description": "Cachedump is a publicly-available tool that program extracts cached password hashes from a systems registry. (Citation: Mandiant APT1)\n\nAliases: Cachedump",
"value": "Cachedump",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0119",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"Cachedump"
]
},
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52"
},
{
"description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\nNet has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through Windows admin shares using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe",
"value": "Net",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0039",
"https://msdn.microsoft.com/en-us/library/aa939914",
"http://windowsitpro.com/windows/netexe-reference"
],
"synonyms": [
"Net",
"net.exe"
]
},
"uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
{
"description": "PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)\n\nAliases: PsExec",
"value": "PsExec",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0029",
"https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx",
"https://digital-forensics.sans.org/blog/2012/12/17/protecting-privileged-domain-accounts-psexec-deep-dive"
],
"synonyms": [
"PsExec"
]
},
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
},
{
"description": "Certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)\n\nAliases: certutil, certutil.exe",
"value": "certutil",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0160",
"https://technet.microsoft.com/library/cc732443.aspx"
],
"synonyms": [
"certutil",
"certutil.exe"
]
},
"uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc"
},
{
"description": "Arp displays information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp)\n\nAliases: Arp, arp.exe",
"value": "Arp",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0099",
"https://technet.microsoft.com/en-us/library/bb490864.aspx"
],
"synonyms": [
"Arp",
"arp.exe"
]
},
"uuid": "30489451-5886-4c46-90c9-0dff9adc5252"
},
{
"description": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd)\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code> (Citation: TechNet Dir)), deleting files (e.g., <code>del</code> (Citation: TechNet Del)), and copying files (e.g., <code>copy</code> (Citation: TechNet Copy)).\n\nAliases: cmd, cmd.exe",
"value": "cmd",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0106",
"https://technet.microsoft.com/en-us/library/bb490880.aspx",
"https://technet.microsoft.com/en-us/library/cc755121.aspx",
"https://technet.microsoft.com/en-us/library/cc771049.aspx",
"https://technet.microsoft.com/en-us/library/bb490886.aspx"
],
"synonyms": [
"cmd",
"cmd.exe"
]
},
"uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e"
},
{
"description": "is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.\n\nAliases: meek",
"value": "meek",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0175"
],
"synonyms": [
"meek"
]
},
"uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830"
},
{
"description": "Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation: Microsoft Reg)\n\nUtilities such as Reg are known to be used by persistent threats. (Citation: Windows Commands JPCERT)\n\nAliases: Reg, reg.exe",
"value": "Reg",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0075",
"https://technet.microsoft.com/en-us/library/cc732643.aspx",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
],
"synonyms": [
"Reg",
"reg.exe"
]
},
"uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f"
},
{
"description": "Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strikes interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. (Citation: cobaltstrike manual)\n\nAliases: Cobalt Strike",
"value": "Cobalt Strike",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0154",
"https://cobaltstrike.com/downloads/csmanual38.pdf"
],
"synonyms": [
"Cobalt Strike"
]
},
"uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39"
}
]
}

0
clusters/mitre_intrusion-set.json → clusters/mitre-intrusion-set.json
View file

0
clusters/mitre_malware.json → clusters/mitre-malware.json
View file

1216
clusters/mitre-mobile-attack-attack-pattern.json Normal file
View file

File diff suppressed because it is too large Load diff

83
clusters/mitre-mobile-attack-course-of-action.json Normal file
View file

@ -0,0 +1,83 @@
{
"name": "Mobile Attack - Course of Action",
"type": "mitre-mobile-attack-course-of-action",
"description": "ATT&CK Mitigation",
"version": 1,
"source": "https://github.com/mitre/cti",
"uuid": "03956f9e-1708-11e8-8395-976b24233e15",
"authors": [
"MITRE"
],
"values": [
{
"description": "A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.",
"value": "Deploy Compromised Device Detection Method",
"uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433"
},
{
"description": "In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).",
"value": "Interconnection Filtering",
"uuid": "e829ee51-1caf-4665-ba15-7f8979634124"
},
{
"description": "Application developers should use device-provided credential storage mechanisms such as Android's KeyStore or iOS's KeyChain. These can prevent credentials from being exposed to an adversary.",
"value": "Use Device-Provided Credential Storage",
"uuid": "d2a199d2-dfea-4d0c-987d-6195ed17be9c"
},
{
"description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.",
"value": "Use Recent OS Version",
"uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564"
},
{
"description": "Install security updates in response to discovered vulnerabilities.\n\nPurchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.\n\nDecommission devices that will no longer receive security updates.\n\nLimit or block access to enterprise resources from devices that have not installed recent security updates.\n* On Android devices, access can be controlled based on each device's security patch level.\n* On iOS devices, access can be controlled based on the iOS version.",
"value": "Security Updates",
"uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d"
},
{
"description": "On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.",
"value": "Lock Bootloader",
"uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58"
},
{
"description": "Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.",
"value": "System Partition Integrity",
"uuid": "7b1cf46f-784b-405a-a8dd-4624c19d8321"
},
{
"description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.",
"value": "Attestation",
"uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c"
},
{
"description": "Warn device users not to accept requests to grant Device Administrator access to applications without good reason.\n\nAdditionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.",
"value": "Caution with Device Administrator Access",
"uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9"
},
{
"description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
"value": "Application Developer Guidance",
"uuid": "25dc1ce8-eb55-4333-ae30-a7cb4f5894a1"
},
{
"description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as Detect App Analysis Environment exist that can enable adversaries to bypass vetting.",
"value": "Application Vetting",
"uuid": "1553b156-6767-47f7-9eb4-2a692505666d"
},
{
"description": "Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.",
"value": "User Guidance",
"uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1"
},
{
"description": "An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.",
"value": "Enterprise Policy",
"uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee"
},
{
"description": "Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.\n\niOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.\n\nAndroid's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).\n\nUse of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.",
"value": "Encrypt Network Traffic",
"uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8"
}
]
}

37
clusters/mitre-mobile-attack-intrusion-set.json Normal file
View file

@ -0,0 +1,37 @@
{
"name": "Mobile Attack - intrusion Set",
"type": "mitre-mobile-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"version": 1,
"source": "https://github.com/mitre/cti",
"uuid": "02ab4018-1708-11e8-8f9d-e735aabdfa53",
"authors": [
"MITRE"
],
"values": [
{
"description": "APT28 is a threat group that has been attributed to the Russian government. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28) January 2017 (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee in April 2016. (Citation: Crowdstrike DNC June 2016)",
"value": "APT28",
"meta": {
"synonyms": [
"APT28",
"Sednit",
"Sofacy",
"Pawn Storm",
"Fancy Bear",
"STRONTIUM",
"Tsar Team",
"Threat Group-4127",
"TG-4127"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0007",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
]
},
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"
}
]
}

511
clusters/mitre-mobile-attack-malware.json Normal file
View file

@ -0,0 +1,511 @@
{
"name": "Mobile Attack - Malware",
"type": "mitre-mobile-attack-malware",
"description": "Name of ATT&CK software",
"version": 1,
"source": "https://github.com/mitre/cti",
"uuid": "04a165aa-1708-11e8-b2da-c7d7625f4a4f",
"authors": [
"MITRE"
],
"values": [
{
"description": "AndroRAT \"allows a third party to control the device and collect information such as contacts, call logs, text messages, device location, and audio from the microphone. It is now used maliciously by other actors.\" (Citation: Lookout-EnterpriseApps)\n\nAliases: AndroRAT",
"value": "AndroRAT",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0008",
"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
],
"synonyms": [
"AndroRAT"
]
},
"uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93"
},
{
"description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.Agent.ao",
"value": "Trojan-SMS.AndroidOS.Agent.ao",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0023",
"https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
],
"synonyms": [
"Trojan-SMS.AndroidOS.Agent.ao"
]
},
"uuid": "a1867c56-8c86-455a-96ad-b0d5f7e2bc17"
},
{
"description": "DualToy is Windows malware that installs malicious applications onto Android and iOS devices connected over USB (Citation: PaloAlto-DualToy).\n\nAliases: DualToy",
"value": "DualToy",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0031"
],
"synonyms": [
"DualToy"
]
},
"uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878"
},
{
"description": "On jailbroken iOS devices, (Citation: KeyRaider) steals Apple account credentials and other data. It \"also has built-in functionality to hold iOS devices for ransom.\" (Citation: KeyRaider)\n\nAliases: (Citation: KeyRaider)",
"value": "KeyRaider",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0004",
"http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"
],
"synonyms": [
"KeyRaider"
]
},
"uuid": "3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50"
},
{
"description": "Brain Test is a family of Android malware described by CheckPoint (Citation: CheckPoint-BrainTest) and Lookout (Citation: Lookout-BrainTest).\n\nAliases: BrainTest",
"value": "BrainTest",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0009",
"http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/",
"https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
],
"synonyms": [
"BrainTest"
]
},
"uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e"
},
{
"description": "Lookout states that some variants of the Shedun, Shuanet, and ShiftyBug/Kemoge Android malware families \"have 71 percent to 82 percent code similarity\" (Citation: Lookout-Adware), even though they \"dont believe these apps were all created by the same author or group\".\n\nAliases: Shedun, Shuanet, ShiftyBug, Kemoge",
"value": "Shedun",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0010",
"https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"
],
"synonyms": [
"Shedun",
"Shuanet",
"ShiftyBug",
"Kemoge"
]
},
"uuid": "c80a6bef-b3ce-44d0-b113-946e93124898"
},
{
"description": "Android malware family analyzed by Trend Micro (Citation: TrendMicro-DressCode)\n\nAliases: DressCode",
"value": "DressCode",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0016",
"http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/"
],
"synonyms": [
"DressCode"
]
},
"uuid": "ff742eeb-1f90-4f5a-8b92-9d40fffd99ca"
},
{
"description": "Adups, software pre-installed onto Android devices including those made by BLU Products, reportedly transmitted sensitive data to a Chinese server. The capability was reportedly designed \"to help a Chinese phone manufacturer monitor user behavior\" and \"was not intended for American phones\". (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor).\n\nAliases: Adups",
"value": "Adups",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0025",
"https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html",
"http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534"
],
"synonyms": [
"Adups"
]
},
"uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf"
},
{
"description": "Discovered by Lookout (Citation: Lookout-Pegasus) and Citizen Lab (Citation: PegasusCitizenLab), Pegasus escalates privileges on iOS devices and uses its privileged access to collect a variety of sensitive information.\n\nAliases: Pegasus",
"value": "Pegasus",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0005",
"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf",
"https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/"
],
"synonyms": [
"Pegasus"
]
},
"uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a"
},
{
"description": "RuMMS is a family of Android malware (Citation: FireEye-RuMMS).\n\nAliases: RuMMS",
"value": "RuMMS",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0029",
"https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
],
"synonyms": [
"RuMMS"
]
},
"uuid": "936be60d-90eb-4c36-9247-4b31128432c4"
},
{
"description": "HummingBad is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android (Citation: ArsTechnica-HummingBad).\n\nAliases: HummingBad",
"value": "HummingBad",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0038",
"http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"
],
"synonyms": [
"HummingBad"
]
},
"uuid": "c8770c81-c29f-40d2-a140-38544206b2b4"
},
{
"description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.OpFake.a",
"value": "Trojan-SMS.AndroidOS.OpFake.a",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0024",
"https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
],
"synonyms": [
"Trojan-SMS.AndroidOS.OpFake.a"
]
},
"uuid": "d89c132d-7752-4c7f-9372-954a71522985"
},
{
"description": "Android malware family analyzed by Lookout (Citation: Lookout-Dendroid).\n\nAliases: Dendroid",
"value": "Dendroid",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0017",
"https://blog.lookout.com/blog/2014/03/06/dendroid/"
],
"synonyms": [
"Dendroid"
]
},
"uuid": "317a2c10-d489-431e-b6b2-f0251fddc88e"
},
{
"description": "Android malware analyzed by Scandinavian security group CSIS as described in a Tripwire post (Citation: Tripwire-MazarBOT).\n\nAliases: MazarBOT",
"value": "MazarBOT",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0019",
"https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"
],
"synonyms": [
"MazarBOT"
]
},
"uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9"
},
{
"description": "The (Citation: Gooligan) malware family, revealed by Check Point, runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal \"authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.\" (Citation: Gooligan)\n\nGoogle (Citation: Ludwig-GhostPush) and LookoutLookout- (Citation: Gooligan) describe (Citation: Gooligan) as part of the Ghost Push Android malware family.\n\nAliases: (Citation: Gooligan)",
"value": "Gooligan",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0006",
"http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/",
"https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi"
],
"synonyms": [
"Gooligan"
]
},
"uuid": "20d56cd6-8dff-4871-9889-d32d254816de"
},
{
"description": "OldBoot is a family of Android malware described in a report from The Hacker News (Citation: HackerNews-OldBoot).\n\nAliases: OldBoot",
"value": "OldBoot",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0001",
"http://thehackernews.com/2014/01/first-widely-distributed-android.html"
],
"synonyms": [
"OldBoot"
]
},
"uuid": "2074b2ad-612e-4758-adce-7901c1b49bbc"
},
{
"description": "WireLurker is a family of macOS malware that targets iOS devices connected over USB (Citation: PaloAlto-WireLurker).\n\nAliases: WireLurker",
"value": "WireLurker",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0028"
],
"synonyms": [
"WireLurker"
]
},
"uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb"
},
{
"description": "Android remote access trojan (RAT) that has been observed to pose as legitimate applications including the Super Mario Run (Citation: Zscaler-SuperMarioRun) and Pokemon GO games (Citation: Proofpoint-Droidjack).\n\nAliases: DroidJack RAT",
"value": "DroidJack RAT",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0036",
"https://www.zscaler.com/blogs/research/super-mario-run-malware-2--droidjack-rat",
"https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app"
],
"synonyms": [
"DroidJack RAT"
]
},
"uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1"
},
{
"description": "The HummingWhale Android malware family \"includes new virtual machine techniques that allow the malware to perform ad fraud better than ever\". (Citation: ArsTechnica-HummingWhale)\n\nAliases: HummingWhale",
"value": "HummingWhale",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0037",
"http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/"
],
"synonyms": [
"HummingWhale"
]
},
"uuid": "6447e3a1-ef4d-44b1-99d5-6b1c4888674f"
},
{
"description": "ANDROIDOS_ANSERVER.A is Android malware novel for using encrypted content within a blog site for command and control (Citation: TrendMicro-Anserver).\n\nAliases: ANDROIDOS_ANSERVER.A",
"value": "ANDROIDOS_ANSERVER.A",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0026",
"http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/"
],
"synonyms": [
"ANDROIDOS_ANSERVER.A"
]
},
"uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8"
},
{
"description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.FakeInst.a",
"value": "Trojan-SMS.AndroidOS.FakeInst.a",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0022",
"https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
],
"synonyms": [
"Trojan-SMS.AndroidOS.FakeInst.a"
]
},
"uuid": "28e39395-91e7-4f02-b694-5e079c964da9"
},
{
"description": "Android malware family analyzed by Lookout (Citation: Lookout-NotCompatible)\n\nAliases: NotCompatible",
"value": "NotCompatible",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0015",
"https://blog.lookout.com/blog/2014/11/19/notcompatible/"
],
"synonyms": [
"NotCompatible"
]
},
"uuid": "23040c15-e7d8-47b5-8c16-8fd3e0e297fe"
},
{
"description": "The X-Agent Android malware was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data for where it was used and hence the potential location of Ukrainian artillery (Citation: CrowdStrike-Android).\n\nAliases: X-Agent",
"value": "X-Agent",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0030",
"https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"
],
"synonyms": [
"X-Agent"
]
},
"uuid": "56660521-6db4-4e5a-a927-464f22954b7c"
},
{
"description": "Twitoor is a family of Android malware described by ESET (Citation: ESET-Twitoor).\n\nAliases: Twitoor",
"value": "Twitoor",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0018",
"http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/"
],
"synonyms": [
"Twitoor"
]
},
"uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c"
},
{
"description": "OBAD is a family of Android malware (Citation: TrendMicro-Obad).\n\nAliases: OBAD",
"value": "OBAD",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0002",
"http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/"
],
"synonyms": [
"OBAD"
]
},
"uuid": "ca4f63b9-a358-4214-bb26-8c912318cfde"
},
{
"description": "As reported by Kaspersky (Citation: Kaspersky-WUC), a spear phishing message was sent to activist groups containing a malicious Android application as an attachment.\n\nAliases: Android/Chuli.A",
"value": "Android/Chuli.A",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0020",
"https://securelist.com/blog/incidents/35552/android-trojan-found-in-targeted-attack-58/"
],
"synonyms": [
"Android/Chuli.A"
]
},
"uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533"
},
{
"description": "According to Lookout (Citation: Lookout-EnterpriseApps), the PJApps Android malware family \"may collect and leak the victims phone number, mobile device unique identifier (IMEI), and location. In order to make money, it may send messages to premium SMS numbers. PJApps also has the ability to download further applications to the device.\"\n\nAliases: PJApps",
"value": "PJApps",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0007",
"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
],
"synonyms": [
"PJApps"
]
},
"uuid": "c709da93-20c3-4d17-ab68-48cba76b2137"
},
{
"description": "Android malware analyzed by FireEye (Citation: FireEye-AndroidOverlay).\nAccording to their analysis, \"three campaigns in Europe used view overlay techniques...to present nearly identical credential input UIs as seen in benign apps, subsequently tricking unwary users into providing their banking credentials.\"\n\nAliases: AndroidOverlayMalware",
"value": "AndroidOverlayMalware",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0012",
"https://www.fireeye.com/blog/threat-research/2016/06/latest-android-overlay-malware-spreading-in-europe.html"
],
"synonyms": [
"AndroidOverlayMalware"
]
},
"uuid": "b6d3657a-2d6a-400f-8b7e-4d60391aa1f7"
},
{
"description": "As described by Palo Alto Networks (Citation: ZergHelper), the (Citation: ZergHelper) app uses techniques to evade Apple's App Store review process for itself and uses techniques to install additional applications that are not in Apple's App Store.\n\nAliases: (Citation: ZergHelper)",
"value": "ZergHelper",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0003",
"http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"
],
"synonyms": [
"ZergHelper"
]
},
"uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0"
},
{
"description": "SpyNote RAT (Citation: Zscaler-SpyNote) (Remote Access Trojan) is a family of malicious Android apps. The \"SpyNote RAT builder\" tool can be used to develop malicious apps with the SpyNote RAT functionality.\n\nAliases: SpyNote RAT",
"value": "SpyNote RAT",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0021",
"https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
],
"synonyms": [
"SpyNote RAT"
]
},
"uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23"
},
{
"description": " (Citation: RCSAndroid) (Citation: RCSAndroid) is Android malware allegedly distributed by Hacking Team.\n\nAliases: (Citation: RCSAndroid)",
"value": "RCSAndroid",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0011",
"https://github.com/hackedteam/core-android/tree/master/RCSAndroid"
],
"synonyms": [
"RCSAndroid"
]
},
"uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b"
},
{
"description": "The Charger Android malware steals \"steals contacts and SMS messages from the user's device\". It also \"asks for admin permissions\" and \"[i]f granted, the ransomware locks the device and displays a message demanding payment\". (Citation: CheckPoint-Charger)\n\nAliases: Charger",
"value": "Charger",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0039",
"http://blog.checkpoint.com/2017/01/24/charger-malware/"
],
"synonyms": [
"Charger"
]
},
"uuid": "d1c600f8-0fb6-4367-921b-85b71947d950"
},
{
"description": "iOS malware that \"is different from previous seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices\" and \"abuses private APIs in the iOS system to implement malicious functionalities\" (Citation: PaloAlto-YiSpecter).\n\nAliases: YiSpecter",
"value": "YiSpecter",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0027"
],
"synonyms": [
"YiSpecter"
]
},
"uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9"
},
{
"description": "Discovered and analyzed by Lookout (Citation: Lookout-PegasusAndroid) and Google (Citation: Google-Chrysaor), Pegasus for Android (also known as Chrysaor) is spyware that was used in targeted attacks. Pegasus for Android does not use zero day vulnerabilities. It attempts to escalate privileges using well-known vulnerabilities, and even if the attempts fail, it still performs some subset of spyware functions that do not require escalated privileges.\n\nAliases: Pegasus for Android, Chrysaor",
"value": "Pegasus for Android",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0032",
"https://blog.lookout.com/blog/2017/04/03/pegasus-android/",
"https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html"
],
"synonyms": [
"Pegasus for Android",
"Chrysaor"
]
},
"uuid": "93799a9d-3537-43d8-b6f4-17215de1657c"
},
{
"description": "iOS malware analyzed by Palo Alto Networks (Citation: (Citation: PaloAlto-XcodeGhost)1) (Citation: PaloAlto-XcodeGhost)\n\nAliases: XcodeGhost",
"value": "XcodeGhost",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0013",
"http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/",
"http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"
],
"synonyms": [
"XcodeGhost"
]
},
"uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9"
}
]
}

1973
clusters/mitre-mobile-attack-relationship.json Normal file
View file

File diff suppressed because it is too large Load diff

27
clusters/mitre-mobile-attack-tool.json Normal file
View file

@ -0,0 +1,27 @@
{
"name": "Mobile Attack - Tool",
"type": "mitre-mobile-attack-tool",
"description": "Name of ATT&CK software",
"version": 1,
"source": "https://github.com/mitre/cti",
"uuid": "02cee87e-1708-11e8-8f15-8b33e4d6194b",
"authors": [
"MITRE"
],
"values": [
{
"description": "Xbot is a family of Android malware analyzed by Palo Alto Networks (Citation: PaloAlto-Xbot) that \"tries to steal victims' banking credentials and credit card information\", \"can also remotely lock infected Android devices, encrypt the user's files in external storage (e.g., SD card), and then ask for a U.S. $100 PayPal cash card as ransom\" and \"will steal all SMS message and contact information, intercept certain SMS messages, and parse SMS messages for mTANs (Mobile Transaction Authentication Number) from banks.\"\n\nAliases: Xbot",
"value": "Xbot",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0014",
"http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
],
"synonyms": [
"Xbot"
]
},
"uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4"
}
]
}

1743
clusters/mitre-pre-attack-attack-pattern.json Normal file
View file

File diff suppressed because it is too large Load diff

132
clusters/mitre-pre-attack-intrusion-set.json Normal file
View file

@ -0,0 +1,132 @@
{
"name": "Pre Attack - intrusion Set",
"type": "mitre-pre-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"version": 1,
"source": "https://github.com/mitre/cti",
"uuid": "1fdc8fa2-1708-11e8-99a3-67b4efc13c4f",
"authors": [
"MITRE"
],
"values": [
{
"description": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)",
"value": "APT16",
"meta": {
"synonyms": [
"APT16"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0023",
"https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
]
},
"uuid": "d6e88e18-81e8-4709-82d8-973095da1e70"
},
{
"description": "APT28 is a threat group that has been attributed to the Russian government. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28) January 2017 (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee in April 2016. (Citation: Crowdstrike DNC June 2016)",
"value": "APT28",
"meta": {
"synonyms": [
"APT28",
"Sednit",
"Sofacy",
"Pawn Storm",
"Fancy Bear",
"STRONTIUM",
"Tsar Team",
"Threat Group-4127",
"TG-4127"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0007",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
]
},
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"
},
{
"description": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)",
"value": "Cleaver",
"meta": {
"synonyms": [
"Cleaver",
"TG-2889",
"Threat Group 2889"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0003",
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance%20Operation%20Cleaver%20Report.pdf",
"http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/"
]
},
"uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063"
},
{
"description": "APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)",
"value": "APT12",
"meta": {
"synonyms": [
"APT12",
"IXESHE",
"DynCalc",
"Numbered Panda",
"DNSCALC"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0005",
"http://www.crowdstrike.com/blog/whois-numbered-panda/"
]
},
"uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb"
},
{
"description": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the Peoples Liberation Army (PLA) General Staff Departments (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)",
"value": "APT1",
"meta": {
"synonyms": [
"APT1",
"Comment Crew",
"Comment Group",
"Comment Panda"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0006",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
]
},
"uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662"
},
{
"description": "Night Dragon is a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)",
"value": "Night Dragon",
"meta": {
"synonyms": [
"Night Dragon"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0014",
"http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf"
]
},
"uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8"
},
{
"description": "APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)",
"value": "APT17",
"meta": {
"synonyms": [
"APT17",
"Deputy Dog"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0025",
"https://www2.fireeye.com/rs/fireye/images/APT17%20Report.pdf"
]
},
"uuid": "090242d7-73fc-4738-af68-20162f7a5aae"
}
]
}

925
clusters/mitre-pre-attack-relationship.json Normal file
View file

@ -0,0 +1,925 @@
{
"name": "Pre Attack - Relationship",
"type": "mitre-pre-attack-relationship",
"description": "MITRE Relationship",
"version": 1,
"source": "https://github.com/mitre/cti",
"uuid": "1ffd3108-1708-11e8-9f98-67b378d9094c",
"authors": [
"MITRE"
],
"values": [
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "58d0b955-ae3d-424a-a537-2804dab38793"
},
"uuid": "1eed277b-a2a7-43f9-bf12-6e30abf0841a",
"value": "APT28 uses Unconditional client-side exploitation/Injected Website/Driveby"
},
{
"meta": {
"source-uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d",
"target-uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33"
},
"uuid": "4a69750c-47d5-40f5-b753-c6bb2a27a359",
"value": "Friend/Follow/Connect to targets of interest related-to Friend/Follow/Connect to targets of interest"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "15ef4da5-3b93-4bb1-a39a-5396661956d3"
},
"uuid": "2b6a71e4-e5d5-41d2-a193-9a95c94dc924",
"value": "APT1 uses Build and configure delivery systems"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
},
"uuid": "57723021-1eb3-4bf2-86eb-fdbf8a1b8125",
"value": "Night Dragon uses Spear phishing messages with malicious attachments"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "9755ecdc-deb0-40e6-af49-713cb0f8ed92"
},
"uuid": "a34c16e9-bc7e-45f5-a9a2-8b05d868e6a0",
"value": "Night Dragon uses Remote access tool development"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "d69c3e06-8311-4093-8e3e-0a8e06b15d92"
},
"uuid": "307e24f8-4d7c-49a8-88f6-fb0a99fe8ff4",
"value": "APT16 uses Assess targeting options"
},
{
"meta": {
"source-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc",
"target-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc"
},
"uuid": "2dbdcf5e-af75-4f92-b4ad-942a06aab259",
"value": "Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "f4c5d1d9-8f0e-46f1-a9fa-f9a440926046"
},
"uuid": "9af7194c-1eea-4aef-bab1-49bd29be069c",
"value": "APT1 uses Confirmation of launched compromise achieved"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "89a79d91-53e0-4ef5-ba28-558cb8b01f76"
},
"uuid": "f6dd74d9-ed02-4fe4-aff6-9ef25906592f",
"value": "Night Dragon uses Identify groups/roles"
},
{
"meta": {
"source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"target-uuid": "271e6d40-e191-421a-8f87-a8102452c201"
},
"uuid": "614f64d8-c221-4789-b1e1-787e9326a37b",
"value": "APT17 uses Develop social network persona digital footprint"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
},
"uuid": "84943231-1b44-4029-ae09-0dbf05440bef",
"value": "APT1 uses Spear phishing messages with malicious attachments"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "d3999268-740f-467e-a075-c82e2d04be62"
},
"uuid": "51d03816-347c-4716-9524-da99a58f5ea6",
"value": "APT1 uses Assess leadership areas of interest"
},
{
"meta": {
"source-uuid": "af358cad-eb71-4e91-a752-236edc237dae",
"target-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1"
},
"uuid": "ad510f42-e745-42d0-8b54-4bf7a2f3cf34",
"value": "Conduct social engineering related-to Conduct social engineering"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4"
},
"uuid": "ab356c7a-6922-4143-90eb-5be632e2f6cd",
"value": "Cleaver uses Build social network persona"
},
{
"meta": {
"source-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84",
"target-uuid": "7718e92f-b011-4f88-b822-ae245a1de407"
},
"uuid": "ab313887-ff00-4aa9-8edb-ab107c517c19",
"value": "Identify job postings and needs/gaps related-to Identify job postings and needs/gaps"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b"
},
"uuid": "edb31962-2310-4618-bd4f-d34f8e7d58e8",
"value": "APT16 uses Acquire OSINT data sets and information"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "286cc500-4291-45c2-99a1-e760db176402"
},
"uuid": "0adf353d-688b-46ce-88bb-62a008675fe0",
"value": "Night Dragon uses Acquire and/or use 3rd party infrastructure services"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "d778cb83-2292-4995-b006-d38f52bc1e64"
},
"uuid": "e95ea206-3962-43af-aac1-042ac9928679",
"value": "Night Dragon uses Identify gap areas"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234"
},
"uuid": "b09b41c4-670f-4f00-b8d5-a8c6a2dcfcfb",
"value": "Cleaver uses Create custom payloads"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "c860af4a-376e-46d7-afbf-262c41012227"
},
"uuid": "26bf68a4-af3c-4d39-bad3-5f0ce824f4a3",
"value": "APT28 uses Determine operational element"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "45242287-2964-4a3e-9373-159fad4d8195"
},
"uuid": "3d65fc7e-87a5-4113-bd9c-09453fba4d1e",
"value": "APT28 uses Buy domain name"
},
{
"meta": {
"source-uuid": "7718e92f-b011-4f88-b822-ae245a1de407",
"target-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84"
},
"uuid": "22d4f32c-63c1-400f-8e2c-10e4a200d133",
"value": "Identify job postings and needs/gaps related-to Identify job postings and needs/gaps"
},
{
"meta": {
"source-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a",
"target-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549"
},
"uuid": "ac1dfc58-d5a2-4b6f-9bf4-c6c0d2d3ae80",
"value": "Identify business relationships related-to Identify business relationships"
},
{
"meta": {
"source-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549",
"target-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a"
},
"uuid": "9524754d-7743-47b3-8395-3cbfb633c020",
"value": "Identify business relationships related-to Identify business relationships"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "271e6d40-e191-421a-8f87-a8102452c201"
},
"uuid": "d26a1746-b577-4a89-be5e-c49611e8c65a",
"value": "Cleaver uses Develop social network persona digital footprint"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "c2ffd229-11bb-4fd8-9208-edbe97b14c93"
},
"uuid": "f43faad4-a016-4da0-8de6-53103d429268",
"value": "Cleaver uses Obfuscation or cryptography"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c"
},
"uuid": "0e7905fd-77c8-43cb-b499-7d6e37fefbeb",
"value": "APT1 uses Dynamic DNS"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "b79a1960-d0be-4b51-bb62-b27e91e1dea0"
},
"uuid": "3f8694fa-8e16-465b-8357-ec0a85316e9c",
"value": "Cleaver uses Conduct social engineering or HUMINT operation"
},
{
"meta": {
"source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"target-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39"
},
"uuid": "9c87b627-de61-42da-a658-7bdb33358754",
"value": "APT17 uses Obfuscate infrastructure"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234"
},
"uuid": "6d809b32-a5db-4e1e-bea6-ef29a2c680e5",
"value": "APT28 uses Create custom payloads"
},
{
"meta": {
"source-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c",
"target-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe"
},
"uuid": "f24a6bf4-c60f-4fa6-8f6a-f2806ae92cdd",
"value": "Dynamic DNS related-to Dynamic DNS"
},
{
"meta": {
"source-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe",
"target-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c"
},
"uuid": "94daf955-fb3e-4f13-af60-0e3ffa185be0",
"value": "Dynamic DNS related-to Dynamic DNS"
},
{
"meta": {
"source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4"
},
"uuid": "545cd36e-572e-413d-82b9-db65788791f9",
"value": "APT17 uses Build social network persona"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b"
},
"uuid": "8a2c46d3-92f2-4ff7-a912-8d47189a7d79",
"value": "APT1 uses Compromise 3rd party infrastructure to support delivery"
},
{
"meta": {
"source-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b",
"target-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88"
},
"uuid": "60b6c9a6-7705-4c72-93bb-67de0caf11f4",
"value": "Acquire OSINT data sets and information related-to Acquire OSINT data sets and information"
},
{
"meta": {
"source-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c",
"target-uuid": "78e41091-d10d-4001-b202-89612892b6ff"
},
"uuid": "9c44b2ec-70b0-4f5c-800e-426477330658",
"value": "Identify supply chains related-to Identify supply chains"
},
{
"meta": {
"source-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b",
"target-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077"
},
"uuid": "bc165934-7ef6-4aed-a0d7-81d3372589f4",
"value": "Compromise 3rd party infrastructure to support delivery related-to Compromise 3rd party infrastructure to support delivery"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "288b3cc3-f4da-4250-ab8c-d8b5dbed94ca"
},
"uuid": "643d984b-0c82-4e14-8ba9-1b8dec0c91e2",
"value": "APT28 uses Identify web defensive services"
},
{
"meta": {
"source-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc",
"target-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41"
},
"uuid": "715a66b4-7925-40b4-868a-e47aba879f8b",
"value": "Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies"
},
{
"meta": {
"source-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a",
"target-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88"
},
"uuid": "28bf7e8b-9948-40a8-945b-6b5f2c78ec53",
"value": "Acquire OSINT data sets and information related-to Acquire OSINT data sets and information"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768"
},
"uuid": "2b0ec032-eaca-4f0c-be55-39471f0f2bf5",
"value": "APT1 uses Obtain/re-use payloads"
},
{
"meta": {
"source-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b",
"target-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a"
},
"uuid": "1143e6a6-deef-4dbd-8c91-7bf537d8f5ce",
"value": "Acquire OSINT data sets and information related-to Acquire OSINT data sets and information"
},
{
"meta": {
"source-uuid": "78e41091-d10d-4001-b202-89612892b6ff",
"target-uuid": "59369f72-3005-4e54-9095-3d00efcece73"
},
"uuid": "a29f2adc-c328-4cf3-9984-2c0c72ec7061",
"value": "Identify supply chains related-to Identify supply chains"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "abd5bed1-4c12-45de-a623-ab8dc4ff862a"
},
"uuid": "eab3be4e-4130-4898-a7b6-d9e9eb34f2bd",
"value": "APT28 uses Research relevant vulnerabilities/CVEs"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11"
},
"uuid": "39db1df8-f786-480c-9faf-5b870de2250b",
"value": "APT1 uses Acquire and/or use 3rd party software services"
},
{
"meta": {
"source-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88",
"target-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a"
},
"uuid": "6ba71250-1dc7-4b8d-88e7-698440ea18a0",
"value": "Acquire OSINT data sets and information related-to Acquire OSINT data sets and information"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
},
"uuid": "6238613d-8683-420d-baf7-6050aa27eb9d",
"value": "APT28 uses Spear phishing messages with malicious attachments"
},
{
"meta": {
"source-uuid": "286cc500-4291-45c2-99a1-e760db176402",
"target-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6"
},
"uuid": "5dc0b076-5f25-4bda-83c7-1d8bd214b81a",
"value": "Acquire and/or use 3rd party infrastructure services related-to Acquire and/or use 3rd party infrastructure services"
},
{
"meta": {
"source-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c",
"target-uuid": "59369f72-3005-4e54-9095-3d00efcece73"
},
"uuid": "7aaa32b6-73f3-4b6e-98ae-da16976e6003",
"value": "Identify supply chains related-to Identify supply chains"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077"
},
"uuid": "cc22ab71-f2fc-4885-832b-e75dadeefa2d",
"value": "APT1 uses Compromise 3rd party infrastructure to support delivery"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b"
},
"uuid": "60e79ac2-3dc1-4005-a1f8-260d58117dab",
"value": "APT28 uses Acquire OSINT data sets and information"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "9a8c47f6-ae69-4044-917d-4b1602af64d9"
},
"uuid": "7da16587-3861-4404-9043-0076e4766ac4",
"value": "APT12 uses Choose pre-compromised persona and affiliated accounts"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "6cfc9229-9928-414e-bfaf-f63e815b4c84",
"value": "APT28 uses Determine strategic target"
},
{
"meta": {
"source-uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05",
"target-uuid": "856a9371-4f0f-4ea9-946e-f3144204240f"
},
"uuid": "a7f177e4-7e7f-4883-af3d-c95db9ea7a53",
"value": "Determine 3rd party infrastructure services related-to Determine 3rd party infrastructure services"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768"
},
"uuid": "515e7665-040c-44ac-a379-44d4399d6e2b",
"value": "Cleaver uses Obtain/re-use payloads"
},
{
"meta": {
"source-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41",
"target-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc"
},
"uuid": "b180dee5-0d48-448f-94b9-4997f0c584d5",
"value": "Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies"
},
{
"meta": {
"source-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077",
"target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b"
},
"uuid": "28815a00-1cf4-4fbc-9039-306a9542c7fd",
"value": "Compromise 3rd party infrastructure to support delivery related-to Compromise 3rd party infrastructure to support delivery"
},
{
"meta": {
"source-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84",
"target-uuid": "0722cd65-0c83-4c89-9502-539198467ab1"
},
"uuid": "8bcaccd1-403b-40f1-82d3-ac4d873263f8",
"value": "Identify job postings and needs/gaps related-to Identify job postings and needs/gaps"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "ef0f816a-d561-4953-84c6-2a2936c96957"
},
"uuid": "5aab758c-79d2-4219-9053-f50791d98531",
"value": "APT28 uses Discover target logon/email address format"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6"
},
"uuid": "b55534ba-37ce-47f2-a961-edeaeedcb399",
"value": "APT12 uses Obfuscate infrastructure"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768"
},
"uuid": "709bb5af-c484-48f2-bb19-bd7630e42e2d",
"value": "APT28 uses Obtain/re-use payloads"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "4e06cf53-00b1-46a6-a6b6-8e33e761b83f",
"value": "APT12 uses Determine strategic target"
},
{
"meta": {
"source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "89754a0d-03b1-44e3-94c5-7a892d171a28",
"value": "APT17 uses Determine strategic target"
},
{
"meta": {
"source-uuid": "af358cad-eb71-4e91-a752-236edc237dae",
"target-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5"
},
"uuid": "984d13eb-ba9c-4e7c-8675-85dde9877a81",
"value": "Conduct social engineering related-to Conduct social engineering"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "d3999268-740f-467e-a075-c82e2d04be62"
},
"uuid": "2daad934-bf08-4a2f-b656-4f7d197eb8fa",
"value": "APT28 uses Assess leadership areas of interest"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
},
"uuid": "1895866a-4689-4527-8460-95e9cd7dd037",
"value": "APT12 uses Spear phishing messages with malicious attachments"
},
{
"meta": {
"source-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5",
"target-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1"
},
"uuid": "51c20b46-16cc-4b58-80d7-89d48b14b064",
"value": "Conduct social engineering related-to Conduct social engineering"
},
{
"meta": {
"source-uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983",
"target-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59"
},
"uuid": "fe31fa7c-be01-47ca-90bb-0fb49b49eb03",
"value": "Acquire or compromise 3rd party signing certificates related-to Acquire or compromise 3rd party signing certificates"
},
{
"meta": {
"source-uuid": "59369f72-3005-4e54-9095-3d00efcece73",
"target-uuid": "78e41091-d10d-4001-b202-89612892b6ff"
},
"uuid": "432c700b-4bf3-4824-a530-a6e86882c4b7",
"value": "Identify supply chains related-to Identify supply chains"
},
{
"meta": {
"source-uuid": "7718e92f-b011-4f88-b822-ae245a1de407",
"target-uuid": "0722cd65-0c83-4c89-9502-539198467ab1"
},
"uuid": "ef32147c-d309-4867-aaba-998088290e32",
"value": "Identify job postings and needs/gaps related-to Identify job postings and needs/gaps"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b"
},
"uuid": "f8559304-7ef6-4c48-8d76-a56ebf37c0be",
"value": "APT16 uses Compromise 3rd party infrastructure to support delivery"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "2141aea0-cf38-49aa-9e51-ac34092bc30a"
},
"uuid": "3d3eb711-5054-4b32-8006-15ba67d3bb25",
"value": "APT1 uses Procure required equipment and software"
},
{
"meta": {
"source-uuid": "0722cd65-0c83-4c89-9502-539198467ab1",
"target-uuid": "7718e92f-b011-4f88-b822-ae245a1de407"
},
"uuid": "689ebb39-52f4-4b2f-8678-72cfed67cb9f",
"value": "Identify job postings and needs/gaps related-to Identify job postings and needs/gaps"
},
{
"meta": {
"source-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41",
"target-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc"
},
"uuid": "36990d75-9fbd-43f0-9966-ae58f0388e1d",
"value": "Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies"
},
{
"meta": {
"source-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6",
"target-uuid": "286cc500-4291-45c2-99a1-e760db176402"
},
"uuid": "9a1f729c-72a9-4735-9d48-ecb54ea018a9",
"value": "Acquire and/or use 3rd party infrastructure services related-to Acquire and/or use 3rd party infrastructure services"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "eb517589-eefc-480e-b8e3-7a8b1066f6f1"
},
"uuid": "7c68bb22-457e-4942-9e07-36f6cd5ac5ba",
"value": "APT1 uses Targeted social media phishing"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "0440f60f-9056-4791-a740-8eae96eb61fa"
},
"uuid": "75c781d7-f9ef-42c8-b610-0dc1ecb3b350",
"value": "Cleaver uses Authorized user performs requested cyber action"
},
{
"meta": {
"source-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc",
"target-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc"
},
"uuid": "d5bd7a33-a249-46e5-bb19-a498eba42bdb",
"value": "Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "15d5eaa4-597a-47fd-a692-f2bed434d904"
},
"uuid": "8a2549fa-9e7c-4d47-9678-8ed0bb8fa3aa",
"value": "APT1 uses Derive intelligence requirements"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "0440f60f-9056-4791-a740-8eae96eb61fa"
},
"uuid": "0f97c2ae-2b89-4dd5-a270-42b1dcb5d403",
"value": "APT1 uses Authorized user performs requested cyber action"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
},
"uuid": "c90a4d6a-af21-4103-ba57-3ddeb6e973e7",
"value": "APT16 uses Spear phishing messages with malicious attachments"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "c860af4a-376e-46d7-afbf-262c41012227"
},
"uuid": "eca0f05c-5025-4149-9826-3715cc243180",
"value": "Cleaver uses Determine operational element"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "d778cb83-2292-4995-b006-d38f52bc1e64"
},
"uuid": "683d4e44-f763-492c-b510-fa469a923798",
"value": "APT12 uses Identify gap areas"
},
{
"meta": {
"source-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39",
"target-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6"
},
"uuid": "db4dfa09-7f19-437a-9d79-15f2dc8ba0da",
"value": "Obfuscate infrastructure related-to Obfuscate infrastructure"
},
{
"meta": {
"source-uuid": "0722cd65-0c83-4c89-9502-539198467ab1",
"target-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84"
},
"uuid": "bbb1c074-a93a-4e40-b11e-2151403f7f1d",
"value": "Identify job postings and needs/gaps related-to Identify job postings and needs/gaps"
},
{
"meta": {
"source-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88",
"target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b"
},
"uuid": "0e52753e-0a02-4bec-88f9-f8ee21b46bae",
"value": "Acquire OSINT data sets and information related-to Acquire OSINT data sets and information"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "3c7c0851-1cf8-458f-862d-4e4827f8f474",
"value": "Cleaver uses Determine strategic target"
},
{
"meta": {
"source-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59",
"target-uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983"
},
"uuid": "c388ed7c-3820-41a3-98af-a48dd7e4d88b",
"value": "Acquire or compromise 3rd party signing certificates related-to Acquire or compromise 3rd party signing certificates"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4"
},
"uuid": "34ba5998-4e43-4669-9701-1877aa267354",
"value": "APT1 uses Build social network persona"
},
{
"meta": {
"source-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1",
"target-uuid": "af358cad-eb71-4e91-a752-236edc237dae"
},
"uuid": "f8504a07-758c-4c51-ac94-c2e7ba652e29",
"value": "Conduct social engineering related-to Conduct social engineering"
},
{
"meta": {
"source-uuid": "78e41091-d10d-4001-b202-89612892b6ff",
"target-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c"
},
"uuid": "9ad9966d-4a8d-4b15-b503-c5d27104fcdd",
"value": "Identify supply chains related-to Identify supply chains"
},
{
"meta": {
"source-uuid": "856a9371-4f0f-4ea9-946e-f3144204240f",
"target-uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05"
},
"uuid": "e4501560-7850-4467-8422-2cf336429e8a",
"value": "Determine 3rd party infrastructure services related-to Determine 3rd party infrastructure services"
},
{
"meta": {
"source-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1",
"target-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5"
},
"uuid": "66e4da4a-6eb6-46e0-9baf-74059f341b4a",
"value": "Conduct social engineering related-to Conduct social engineering"
},
{
"meta": {
"source-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6",
"target-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39"
},
"uuid": "41be9f31-9d2b-44b8-a7dc-31f8c4519751",
"value": "Obfuscate infrastructure related-to Obfuscate infrastructure"
},
{
"meta": {
"source-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a",
"target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b"
},
"uuid": "be031f72-737b-4afd-b2c1-c565f5ab7369",
"value": "Acquire OSINT data sets and information related-to Acquire OSINT data sets and information"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "df42286d-dfbd-4455-bc9d-aef52ac29aa7"
},
"uuid": "90d7f0f0-6e41-431a-a024-9375cbc18d2b",
"value": "APT1 uses Post compromise tool development"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "e60a165e-cfad-43e5-ba83-ea2430a377c5",
"value": "APT16 uses Determine strategic target"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "a071fc8f-6323-420b-9812-b51f12fc7956",
"value": "Night Dragon uses Determine strategic target"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "ec739e26-d097-4804-b04a-54dd81ff11e0"
},
"uuid": "970531a2-4927-41a3-b2cd-09d445322f51",
"value": "APT1 uses Create strategic plan"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "4aeafdb3-eb0b-4e8e-b93f-95cd499088b4"
},
"uuid": "c2571ca8-98c4-490d-b8f8-f3678b0ce74d",
"value": "Night Dragon uses Compromise of externally facing system"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "489a7797-01c3-4706-8cd1-ec56a9db3adc"
},
"uuid": "e78023e7-98de-4973-9331-843bfa28c9f7",
"value": "APT1 uses Spear phishing messages with malicious links"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "357e137c-7589-4af1-895c-3fbad35ea4d2"
},
"uuid": "f76d74b6-c797-487c-8388-536367d1b922",
"value": "APT1 uses Obfuscate or encrypt code"
},
{
"meta": {
"source-uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33",
"target-uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d"
},
"uuid": "87239038-7693-49b3-b595-b828cc2be1ba",
"value": "Friend/Follow/Connect to targets of interest related-to Friend/Follow/Connect to targets of interest"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11"
},
"uuid": "c6e43693-2a6d-4ba8-8fa7-ec1ab5239528",
"value": "Night Dragon uses Acquire and/or use 3rd party software services"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "5ed44a06-bcb4-4293-8bf4-aaebefddc09c",
"value": "APT1 uses Determine strategic target"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "aadaee0d-794c-4642-8293-7ec22a99fb1a"
},
"uuid": "db10491f-a854-4404-9271-600349484bc3",
"value": "APT1 uses Domain registration hijacking"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549"
},
"uuid": "4eb0e01c-85ae-466a-a8ff-0cf7891c5ab2",
"value": "APT16 uses Identify business relationships"
},
{
"meta": {
"source-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc",
"target-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41"
},
"uuid": "7bd3d2ba-f114-4835-97b6-1c3e2208d3f3",
"value": "Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies"
},
{
"meta": {
"source-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6",
"target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11"
},
"uuid": "2bf984b5-1a48-4d9a-a4f2-e97801254b84",
"value": "Acquire and/or use 3rd party software services related-to Acquire and/or use 3rd party software services"
},
{
"meta": {
"source-uuid": "59369f72-3005-4e54-9095-3d00efcece73",
"target-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c"
},
"uuid": "c124f0ba-f4bc-430a-b40c-eebe0577f812",
"value": "Identify supply chains related-to Identify supply chains"
},
{
"meta": {
"source-uuid": "1a295f87-af63-4d94-b130-039d6221fb11",
"target-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6"
},
"uuid": "3d781e9a-d3f8-4e9f-bb23-ba6c2ff22267",
"value": "Acquire and/or use 3rd party software services related-to Acquire and/or use 3rd party software services"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "ef0f816a-d561-4953-84c6-2a2936c96957"
},
"uuid": "597be8e7-58a4-4aff-a803-48a7a08164a2",
"value": "APT16 uses Discover target logon/email address format"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "df42286d-dfbd-4455-bc9d-aef52ac29aa7"
},
"uuid": "7a254f4d-c7cf-4b98-94e9-3937785b7d68",
"value": "APT12 uses Post compromise tool development"
},
{
"meta": {
"source-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5",
"target-uuid": "af358cad-eb71-4e91-a752-236edc237dae"
},
"uuid": "46f1e7d4-4d73-4e33-b88b-b3bcde5d81fb",
"value": "Conduct social engineering related-to Conduct social engineering"
}
]
}

0
clusters/mitre_tool.json → clusters/mitre-tool.json
View file

9
clusters/ransomware.json
View file

@ -5023,7 +5023,8 @@
".0000",
".XZZX",
".TEST",
".WORK"
".WORK",
".SYSTEM"
],
"ransomnotes": [
"HELP_YOUR_FILES.html (CryptXXX)",
@ -5036,7 +5037,8 @@
"Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ny0000@tuta.io\n\ny0000@protonmail.com\n\ny0000z@yandex.com\n\ny0000s@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id]",
"Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nxzzx@tuta.io\n\nxzzx1@protonmail.com\n\nxzzx10@yandex.com\n\nxzzx101@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id] number",
"Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ntest757@tuta.io\n\ntest757@protonmail.com\n\ntest757xz@yandex.com\n\ntest757xy@yandex.com\n\ntest757@consultant.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number",
"Attention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nworknow@keemail.me\n\nworknow@protonmail.com\n\nworknow8@yandex.com\n\nworknow9@yandex.com\n\nworknow@techie.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number"
"Attention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nworknow@keemail.me\n\nworknow@protonmail.com\n\nworknow8@yandex.com\n\nworknow9@yandex.com\n\nworknow@techie.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number",
"Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nsystemwall@keemail.me\n\nsystemwall@protonmail.com\n\nsystemwall@yandex.com\n\nsystemwall1@yandex.com\n\nemily.w@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-%s number"
],
"refs": [
"http://www.nyxbone.com/malware/CryptoMix.html",
@ -5046,7 +5048,8 @@
"https://www.bleepingcomputer.com/news/security/0000-cryptomix-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/xzzx-cryptomix-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/test-cryptomix-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/"
"https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/system-cryptomix-ransomware-variant-released/"
]
}
},

0
galaxies/mitre_attack-pattern.json → galaxies/mitre-attack-pattern.json
View file

0
galaxies/mitre_course-of-action.json → galaxies/mitre-course-of-action.json
View file

8
galaxies/mitre-entreprise-attack-attack-pattern.json Normal file
View file

@ -0,0 +1,8 @@
{
"name": "Entreprise Attack - Attack Pattern",
"type": "mitre-entreprise-attack-attack-pattern",
"description": "ATT&CK Tactic",
"uuid": "fa7016a8-1707-11e8-82d0-1b73d76eb204",
"version": 1,
"icon": "map"
}

8
galaxies/mitre-entreprise-attack-course-of-action.json Normal file
View file

@ -0,0 +1,8 @@
{
"name": "Entreprise Attack - Course of Action",
"type": "mitre-entreprise-attack-course-of-action",
"description": "ATT&CK Mitigation",
"uuid": "fb5a36c0-1707-11e8-81f5-d732b22a4982",
"version": 1,
"icon": "chain"
}

8
galaxies/mitre-entreprise-attack-intrusion-set.json Normal file
View file

@ -0,0 +1,8 @@
{
"name": "Entreprise Attack -Intrusion Set",
"type": "mitre-entreprise-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"uuid": "1f3b8c56-1708-11e8-b211-17a60c0f73ee",
"version": 1,
"icon": "user-secret"
}

8
galaxies/mitre-entreprise-attack-malware.json Normal file
View file

@ -0,0 +1,8 @@
{
"name": "Entreprise Attack - Malware",
"type": "mitre-entreprise-attack-malware",
"description": "Name of ATT&CK software",
"uuid": "fbb19af0-1707-11e8-9fd6-dbd88a04d33a",
"version": 1,
"icon": "optin-monster"
}

8
galaxies/mitre-entreprise-attack-relationship.json Normal file
View file

@ -0,0 +1,8 @@
{
"name": "Entreprise Attack - Relationship",
"type": "mitre-entreprise-attack-relationship",
"description": "Mitre Relationship",
"uuid": "fc404638-1707-11e8-a5cf-b78b9b562766",
"version": 1,
"icon": "link"
}

8
galaxies/mitre-entreprise-attack-tool.json Normal file
View file

@ -0,0 +1,8 @@
{
"name": "Entreprise Attack - Tool",
"type": "mitre-entreprise-attack-tool",
"description": "Name of ATT&CK software",
"uuid": "fbfa0470-1707-11e8-be22-eb46b373fdd3",
"version": 1,
"icon": "gavel"
}

0
galaxies/mitre_intrusion-set.json → galaxies/mitre-intrusion-set.json
View file

0
galaxies/mitre_malware.json → galaxies/mitre-malware.json
View file

8
galaxies/mitre-mobile-attack-attack-pattern.json Normal file
View file

@ -0,0 +1,8 @@
{
"name": "Mobile Attack - Attack Pattern",
"type": "mitre-mobile-attack-attack-pattern",
"description": "ATT&CK Tactic",
"uuid": "1c6d1332-1708-11e8-847c-e3c5643c41a5",
"version": 1,
"icon": "map"
}

8
galaxies/mitre-mobile-attack-course-of-action.json Normal file
View file

@ -0,0 +1,8 @@
{
"uuid": "0282356a-1708-11e8-8f53-975633d5c03c",
"description": "ATT&CK Mitigation",
"version": 1,
"icon": "chain",
"type": "mitre-mobile-attack-course-of-action",
"name": "Mobile Attack - Course of Action"
}

8
galaxies/mitre-mobile-attack-intrusion-set.json Normal file
View file

@ -0,0 +1,8 @@
{
"name": "Mobile Attack - Intrusion Set",
"type": "mitre-mobile-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"uuid": "0314e554-1708-11e8-b049-8f8a42b5bb62",
"version": 1,
"icon": "user-secret"
}

8
galaxies/mitre-mobile-attack-malware.json Normal file
View file

@ -0,0 +1,8 @@
{
"name": "Mobile Attack - Malware",
"type": "mitre-mobile-attack-malware",
"description": "Name of ATT&CK software",
"uuid": "03e3853a-1708-11e8-95c1-67cf3f801a18",
"version": 1,
"icon": "optin-monster"
}

8
galaxies/mitre-mobile-attack-relationship.json Normal file
View file

@ -0,0 +1,8 @@
{
"name": "Mobile Attack - Relationship",
"type": "mitre-mobile-attack-relationship",
"description": "Mitre Relationship",
"uuid": "fc8471aa-1707-11e8-b306-33cbe96a1ede",
"version": 1,
"icon": "link"
}

8
galaxies/mitre-mobile-attack-tool.json Normal file
View file

@ -0,0 +1,8 @@
{
"name": "Mobile Attack - Tool",
"type": "mitre-mobile-attack-tool",
"description": "Name of ATT&CK software",
"uuid": "1d0b4bce-1708-11e8-9e6e-1b130c9b0a91",
"version": 1,
"icon": "gavel"
}

8
galaxies/mitre-pre-attack-attack-pattern.json Normal file
View file

@ -0,0 +1,8 @@
{
"name": "Pre Attack - Attack Pattern",
"type": "mitre-pre-attack-attack-pattern",
"description": "ATT&CK Tactic",
"uuid": "1f665850-1708-11e8-9cfe-4792b2a91402",
"version": 1,
"icon": "map"
}

8
galaxies/mitre-pre-attack-intrusion-set.json Normal file
View file

@ -0,0 +1,8 @@
{
"name": "Pre Attack - Intrusion Set",
"type": "mitre-pre-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"uuid": "1fb6d5b4-1708-11e8-9836-8bbc8ce6866e",
"version": 1,
"icon": "user-secret"
}

8
galaxies/mitre-pre-attack-relationship.json Normal file
View file

@ -0,0 +1,8 @@
{
"name": "Pre Attack - Relationship",
"type": "mitre-pre-attack-relashipship",
"description": "Mitre Relationship",
"uuid": "1f8e3bae-1708-11e8-8e97-4bd2150e5aae",
"version": 1,
"icon": "link"
}

0
galaxies/mitre_tool.json → galaxies/mitre-tool.json
View file

0
tools/mitre-cti/create_attack-pattern_galaxy.py → tools/mitre-cti/v1.0/create_attack-pattern_galaxy.py
View file

0
tools/mitre-cti/create_course-of-action_galaxy.py → tools/mitre-cti/v1.0/create_course-of-action_galaxy.py
View file

0
tools/mitre-cti/create_intrusion-set_galaxy.py → tools/mitre-cti/v1.0/create_intrusion-set_galaxy.py
View file

0
tools/mitre-cti/create_malware_galaxy.py → tools/mitre-cti/v1.0/create_malware_galaxy.py
View file

0
tools/mitre-cti/create_tool_galaxy.py → tools/mitre-cti/v1.0/create_tool_galaxy.py
View file

60
tools/mitre-cti/v2.0/create_mitre-enterprise-attack-attack-pattern_galaxy.py Normal file
View file

@ -0,0 +1,60 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s attack-patterns\nMust be in the mitre/cti/entreprise-attack/attack-pattern folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url'])
if 'x_mitre_data_sources' in temp:
value['meta']['mitre_data_sources'] = temp['x_mitre_data_sources']
if 'x_mitre_platforms' in temp:
value['meta']['mitre_platforms'] = temp['x_mitre_platforms']
values.append(value)
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
galaxy = {}
galaxy['name'] = "Entreprise Attack - Attack Pattern"
galaxy['type'] = "mitre-entreprise-attack-attack-pattern"
galaxy['description'] = "ATT&CK Tactic"
galaxy['uuid' ] = "fa7016a8-1707-11e8-82d0-1b73d76eb204"
galaxy['version'] = args.version
galaxy['icon'] = "map"
cluster = {}
cluster['name'] = "Entreprise Attack - Attack Pattern"
cluster['type'] = "mitre-entreprise-attack-attack-pattern"
cluster['description'] = "ATT&CK tactic"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "fb2242d8-1707-11e8-ab20-6fa7448c3640"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-entreprise-attack-attack-pattern.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-entreprise-attack-attack-pattern.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)

51
tools/mitre-cti/v2.0/create_mitre-enterprise-attack-course-of-action_galaxy.py Normal file
View file

@ -0,0 +1,51 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s courses-of-action.\nMust be in the mitre/cti/entreprise-attack/course-of-action folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Entreprise Attack - Course of Action"
galaxy['type'] = "mitre-entreprise-attack-course-of-action"
galaxy['description'] = "ATT&CK Mitigation"
galaxy['uuid' ] = "fb5a36c0-1707-11e8-81f5-d732b22a4982"
galaxy['version'] = args.version
galaxy['icon'] = "chain"
cluster = {}
cluster['name'] = "Entreprise Attack - Course of Action"
cluster['type'] = "mitre-entreprise-attack-course-of-action"
cluster['description'] = "ATT&CK Mitigation"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "fb870a6a-1707-11e8-b548-17523e4d0670"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-entreprise-attack-course-of-action.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-entreprise-attack-course-of-action.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)

57
tools/mitre-cti/v2.0/create_mitre-enterprise-attack-intrusion-set_galaxy.py Normal file
View file

@ -0,0 +1,57 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s intrusion-sets\nMust be in the mitre/cti/entreprise-attack/intrusion-set folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['synonyms'] = temp['aliases']
value['meta']['refs']= []
for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url'])
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Entreprise Attack -Intrusion Set"
galaxy['type'] = "mitre-entreprise-attack-intrusion-set"
galaxy['description'] = "Name of ATT&CK Group"
galaxy['uuid' ] = "1f3b8c56-1708-11e8-b211-17a60c0f73ee"
galaxy['version'] = args.version
galaxy['icon'] = "user-secret"
cluster = {}
cluster['name'] = "Entreprise Attack -intrusion Set"
cluster['type'] = "mitre-entreprise-attack-intrusion-set"
cluster['description'] = "Name of ATT&CK Group"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "01f18402-1708-11e8-ac1c-1ffb3c4a7775"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-entreprise-attack-intrusion-set.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-entreprise-attack-intrusion-set.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)

58
tools/mitre-cti/v2.0/create_mitre-enterprise-attack-malware_galaxy.py Normal file
View file

@ -0,0 +1,58 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s malwares\nMust be in the mitre/cti/entreprise-attack/malware folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url'])
if'x_mitre_aliases' in temp:
value['meta']['synonyms'] = temp['x_mitre_aliases']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Entreprise Attack - Malware"
galaxy['type'] = "mitre-entreprise-attack-malware"
galaxy['description'] = "Name of ATT&CK software"
galaxy['uuid' ] = "fbb19af0-1707-11e8-9fd6-dbd88a04d33a"
galaxy['version'] = args.version
galaxy['icon'] = "optin-monster"
cluster = {}
cluster['name'] = "Entreprise Attack - Malware"
cluster['type'] = "mitre-entreprise-attack-malware"
cluster['description'] = "Name of ATT&CK software"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "fbd79f02-1707-11e8-b1c7-87406102276a"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-entreprise-attack-malware.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-entreprise-attack-malware.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)

100
tools/mitre-cti/v2.0/create_mitre-enterprise-attack-relationship_galaxy.py Normal file
View file

@ -0,0 +1,100 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s relationship\nMust be in the mitre/cti/entreprise-attack/relationship folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
path = "relationship/"
for element in os.listdir(path):
with open(path+element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
source = temp['source_ref']
target = temp['target_ref']
relationship = temp['relationship_type']
if source.startswith('attack-pattern'):
paths = "attack-pattern/"
elif source.startswith('course-of-action'):
paths = "course-of-action/"
elif source.startswith('identity'):
paths = "identity/"
elif source.startswith('intrusion-set'):
paths = "intrusion-set/"
elif source.startswith('malware'):
paths = "malware/"
elif source.startswith('marking-definition'):
paths = "marking-definition/"
elif source.startswith('tool'):
paths = "tool/"
else:
print('Invalid value')
continue
with open(paths+source+'.json') as json_data:
s = json.load(json_data)
json_data.close()
if target.startswith('attack-pattern'):
patht = "attack-pattern/"
elif target.startswith('course-of-action'):
patht = "course-of-action/"
elif target.startswith('identity'):
patht = "identity/"
elif target.startswith('intrusion-set'):
patht = "intrusion-set/"
elif target.startswith('malware'):
patht = "malware/"
elif target.startswith('marking-definition'):
patht = "marking-definition/"
elif target.startswith('tool'):
patht = "tool/"
else:
print('Invalid value')
continue
with open(patht+target+'.json') as json_data:
t = json.load(json_data)
json_data.close()
value = {}
value['meta'] = {}
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['meta']['source-uuid'] = re.search('--(.*)$', s['objects'][0]['id']).group(0)[2:]
value['meta']['target-uuid'] = re.search('--(.*)$', t['objects'][0]['id']).group(0)[2:]
value['value'] = s['objects'][0]['name'] + ' ' + relationship + ' ' + t['objects'][0]['name']
values.append(value)
galaxy = {}
galaxy['name'] = "Entreprise Attack - Relationship"
galaxy['type'] = "mitre-entreprise-attack-relationship"
galaxy['description'] = "Mitre Relationship"
galaxy['uuid' ] = "fc404638-1707-11e8-a5cf-b78b9b562766"
galaxy['version'] = args.version
galaxy['icon'] = "link"
cluster = {}
cluster['name'] = "Entreprise Attack - Relationship"
cluster['type'] = "mitre-entreprise-attack-relationship"
cluster['description'] = "MITRE Relationship"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "fc605f90-1707-11e8-9d6a-9f165ac2ab5c"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-entreprise-attack-relationship.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-entreprise-attack-relationship.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)

58
tools/mitre-cti/v2.0/create_mitre-enterprise-attack-tool_galaxy.py Normal file
View file

@ -0,0 +1,58 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s tools\nMust be in the mitre/cti/entreprise-attack/tool folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url'])
if'x_mitre_aliases' in temp:
value['meta']['synonyms'] = temp['x_mitre_aliases']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Entreprise Attack - Tool"
galaxy['type'] = "mitre-entreprise-attack-tool"
galaxy['description'] = "Name of ATT&CK software"
galaxy['uuid' ] = "fbfa0470-1707-11e8-be22-eb46b373fdd3"
galaxy['version'] = args.version
galaxy['icon'] = "gavel"
cluster = {}
cluster['name'] = "Entreprise Attack - Tool"
cluster['type'] = "mitre-entreprise-attack-tool"
cluster['description'] = "Name of ATT&CK software"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "fc1ea6e0-1707-11e8-ac05-2b70d00c354e"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-entreprise-attack-tool.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-entreprise-attack-tool.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)

60
tools/mitre-cti/v2.0/create_mitre-mobile-attack-attack-pattern_galaxy.py Normal file
View file

@ -0,0 +1,60 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s attack-patterns\nMust be in the mitre/cti/mobile-attack/attack-pattern folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url'])
if 'x_mitre_data_sources' in temp:
value['meta']['mitre_data_sources'] = temp['x_mitre_data_sources']
if 'x_mitre_platforms' in temp:
value['meta']['mitre_platforms'] = temp['x_mitre_platforms']
values.append(value)
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
galaxy = {}
galaxy['name'] = "Mobile Attack - Attack Pattern"
galaxy['type'] = "mitre-mobile-attack-attack-pattern"
galaxy['description'] = "ATT&CK Tactic"
galaxy['uuid' ] = "1c6d1332-1708-11e8-847c-e3c5643c41a5"
galaxy['version'] = args.version
galaxy['icon'] = "map"
cluster = {}
cluster['name'] = "Mobile Attack - Attack Pattern"
cluster['type'] = "mitre-mobile-attack-attack-pattern"
cluster['description'] = "ATT&CK tactic"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "1e606d06-1708-11e8-8a43-df11c8cf9ae2"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-mobile-attack-attack-pattern.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-mobile-attack-attack-pattern.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)

51
tools/mitre-cti/v2.0/create_mitre-mobile-attack-course-of-action_galaxy.py Normal file
View file

@ -0,0 +1,51 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s courses-of-action.\nMust be in the mitre/cti/mobile-attack/course-of-action folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Mobile Attack - Course of Action"
galaxy['type'] = "mitre-mobile-attack-course-of-action"
galaxy['description'] = "ATT&CK Mitigation"
galaxy['uuid' ] = "0282356a-1708-11e8-8f53-975633d5c03c"
galaxy['version'] = args.version
galaxy['icon'] = "chain"
cluster = {}
cluster['name'] = "Mobile Attack - Course of Action"
cluster['type'] = "mitre-mobile-attack-course-of-action"
cluster['description'] = "ATT&CK Mitigation"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "03956f9e-1708-11e8-8395-976b24233e15"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-mobile-attack-course-of-action.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-mobile-attack-course-of-action.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)

57
tools/mitre-cti/v2.0/create_mitre-mobile-attack-intrusion-set_galaxy.py Normal file
View file

@ -0,0 +1,57 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s intrusion-sets\nMust be in the mitre/cti/mobile-attack/intrusion-set folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['synonyms'] = temp['aliases']
value['meta']['refs']= []
for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url'])
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Mobile Attack - Intrusion Set"
galaxy['type'] = "mitre-mobile-attack-intrusion-set"
galaxy['description'] = "Name of ATT&CK Group"
galaxy['uuid' ] = "0314e554-1708-11e8-b049-8f8a42b5bb62"
galaxy['version'] = args.version
galaxy['icon'] = "user-secret"
cluster = {}
cluster['name'] = "Mobile Attack - intrusion Set"
cluster['type'] = "mitre-mobile-attack-intrusion-set"
cluster['description'] = "Name of ATT&CK Group"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "02ab4018-1708-11e8-8f9d-e735aabdfa53"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-mobile-attack-intrusion-set.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-mobile-attack-intrusion-set.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)

58
tools/mitre-cti/v2.0/create_mitre-mobile-attack-malware_galaxy.py Normal file
View file

@ -0,0 +1,58 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s malwares\nMust be in the mitre/cti/mobile-attack/malware folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url'])
if'x_mitre_aliases' in temp:
value['meta']['synonyms'] = temp['x_mitre_aliases']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Mobile Attack - Malware"
galaxy['type'] = "mitre-mobile-attack-malware"
galaxy['description'] = "Name of ATT&CK software"
galaxy['uuid' ] = "03e3853a-1708-11e8-95c1-67cf3f801a18"
galaxy['version'] = args.version
galaxy['icon'] = "optin-monster"
cluster = {}
cluster['name'] = "Mobile Attack - Malware"
cluster['type'] = "mitre-mobile-attack-malware"
cluster['description'] = "Name of ATT&CK software"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "04a165aa-1708-11e8-b2da-c7d7625f4a4f"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-mobile-attack-malware.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-mobile-attack-malware.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)

100
tools/mitre-cti/v2.0/create_mitre-mobile-attack-relationship_galaxy.py Normal file
View file

@ -0,0 +1,100 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s relationship\nMust be in the mitre/cti/mobile-attack/relationship folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
path = "relationship/"
for element in os.listdir(path):
with open(path+element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
source = temp['source_ref']
target = temp['target_ref']
relationship = temp['relationship_type']
if source.startswith('attack-pattern'):
paths = "attack-pattern/"
elif source.startswith('course-of-action'):
paths = "course-of-action/"
elif source.startswith('identity'):
paths = "identity/"
elif source.startswith('intrusion-set'):
paths = "intrusion-set/"
elif source.startswith('malware'):
paths = "malware/"
elif source.startswith('marking-definition'):
paths = "marking-definition/"
elif source.startswith('tool'):
paths = "tool/"
else:
print('Invalid value')
continue
with open(paths+source+'.json') as json_data:
s = json.load(json_data)
json_data.close()
if target.startswith('attack-pattern'):
patht = "attack-pattern/"
elif target.startswith('course-of-action'):
patht = "course-of-action/"
elif target.startswith('identity'):
patht = "identity/"
elif target.startswith('intrusion-set'):
patht = "intrusion-set/"
elif target.startswith('malware'):
patht = "malware/"
elif target.startswith('marking-definition'):
patht = "marking-definition/"
elif target.startswith('tool'):
patht = "tool/"
else:
print('Invalid value')
continue
with open(patht+target+'.json') as json_data:
t = json.load(json_data)
json_data.close()
value = {}
value['meta'] = {}
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['meta']['source-uuid'] = re.search('--(.*)$', s['objects'][0]['id']).group(0)[2:]
value['meta']['target-uuid'] = re.search('--(.*)$', t['objects'][0]['id']).group(0)[2:]
value['value'] = s['objects'][0]['name'] + ' ' + relationship + ' ' + t['objects'][0]['name']
values.append(value)
galaxy = {}
galaxy['name'] = "Mobile Attack - Relationship"
galaxy['type'] = "mitre-mobile-attack-relationship"
galaxy['description'] = "Mitre Relationship"
galaxy['uuid' ] = "fc8471aa-1707-11e8-b306-33cbe96a1ede"
galaxy['version'] = args.version
galaxy['icon'] = "link"
cluster = {}
cluster['name'] = "Mobile Attack - Relationship"
cluster['type'] = "mitre-mobile-attack-relationship"
cluster['description'] = "MITRE Relationship"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "02f1fc42-1708-11e8-a4f2-eb70472c5901"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-mobile-attack-relationship.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-mobile-attack-relationship.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)

58
tools/mitre-cti/v2.0/create_mitre-mobile-attack-tool_galaxy.py Normal file
View file

@ -0,0 +1,58 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s tools\nMust be in the mitre/cti/mobile-attack/tool folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url'])
if'x_mitre_aliases' in temp:
value['meta']['synonyms'] = temp['x_mitre_aliases']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Mobile Attack - Tool"
galaxy['type'] = "mitre-mobile-attack-tool"
galaxy['description'] = "Name of ATT&CK software"
galaxy['uuid' ] = "1d0b4bce-1708-11e8-9e6e-1b130c9b0a91"
galaxy['version'] = args.version
galaxy['icon'] = "gavel"
cluster = {}
cluster['name'] = "Mobile Attack - Tool"
cluster['type'] = "mitre-mobile-attack-tool"
cluster['description'] = "Name of ATT&CK software"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "02cee87e-1708-11e8-8f15-8b33e4d6194b"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-mobile-attack-tool.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-mobile-attack-tool.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)

60
tools/mitre-cti/v2.0/create_mitre-pre-attack-attack-pattern_galaxy.py Normal file
View file

@ -0,0 +1,60 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s attack-patterns\nMust be in the mitre/cti/pre-attack/attack-pattern folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url'])
if 'x_mitre_data_sources' in temp:
value['meta']['mitre_data_sources'] = temp['x_mitre_data_sources']
if 'x_mitre_platforms' in temp:
value['meta']['mitre_platforms'] = temp['x_mitre_platforms']
values.append(value)
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
galaxy = {}
galaxy['name'] = "Pre Attack - Attack Pattern"
galaxy['type'] = "mitre-pre-attack-attack-pattern"
galaxy['description'] = "ATT&CK Tactic"
galaxy['uuid' ] = "1f665850-1708-11e8-9cfe-4792b2a91402"
galaxy['version'] = args.version
galaxy['icon'] = "map"
cluster = {}
cluster['name'] = "Pre Attack - Attack Pattern"
cluster['type'] = "mitre-pre-attack-attack-pattern"
cluster['description'] = "ATT&CK tactic"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "03c13bec-1708-11e8-92a0-a747c0787089"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-pre-attack-attack-pattern.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-pre-attack-attack-pattern.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)

57
tools/mitre-cti/v2.0/create_mitre-pre-attack-intrusion-set_galaxy.py Normal file
View file

@ -0,0 +1,57 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s intrusion-sets\nMust be in the mitre/cti/pre-attack/intrusion-set folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['synonyms'] = temp['aliases']
value['meta']['refs']= []
for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url'])
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Pre Attack - Intrusion Set"
galaxy['type'] = "mitre-pre-attack-intrusion-set"
galaxy['description'] = "Name of ATT&CK Group"
galaxy['uuid' ] = "1fb6d5b4-1708-11e8-9836-8bbc8ce6866e"
galaxy['version'] = args.version
galaxy['icon'] = "user-secret"
cluster = {}
cluster['name'] = "Pre Attack - intrusion Set"
cluster['type'] = "mitre-pre-attack-intrusion-set"
cluster['description'] = "Name of ATT&CK Group"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "1fdc8fa2-1708-11e8-99a3-67b4efc13c4f"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-pre-attack-intrusion-set.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-pre-attack-intrusion-set.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)

100
tools/mitre-cti/v2.0/create_mitre-pre-attack-relationship_galaxy.py Normal file
View file

@ -0,0 +1,100 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s relationship\nMust be in the mitre/cti/pre-attack/relationship folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
path = "relationship/"
for element in os.listdir(path):
with open(path+element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
source = temp['source_ref']
target = temp['target_ref']
relationship = temp['relationship_type']
if source.startswith('attack-pattern'):
paths = "attack-pattern/"
elif source.startswith('course-of-action'):
paths = "course-of-action/"
elif source.startswith('identity'):
paths = "identity/"
elif source.startswith('intrusion-set'):
paths = "intrusion-set/"
elif source.startswith('malware'):
paths = "malware/"
elif source.startswith('marking-definition'):
paths = "marking-definition/"
elif source.startswith('tool'):
paths = "tool/"
else:
print('Invalid value')
continue
with open(paths+source+'.json') as json_data:
s = json.load(json_data)
json_data.close()
if target.startswith('attack-pattern'):
patht = "attack-pattern/"
elif target.startswith('course-of-action'):
patht = "course-of-action/"
elif target.startswith('identity'):
patht = "identity/"
elif target.startswith('intrusion-set'):
patht = "intrusion-set/"
elif target.startswith('malware'):
patht = "malware/"
elif target.startswith('marking-definition'):
patht = "marking-definition/"
elif target.startswith('tool'):
patht = "tool/"
else:
print('Invalid value')
continue
with open(patht+target+'.json') as json_data:
t = json.load(json_data)
json_data.close()
value = {}
value['meta'] = {}
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['meta']['source-uuid'] = re.search('--(.*)$', s['objects'][0]['id']).group(0)[2:]
value['meta']['target-uuid'] = re.search('--(.*)$', t['objects'][0]['id']).group(0)[2:]
value['value'] = s['objects'][0]['name'] + ' ' + relationship + ' ' + t['objects'][0]['name']
values.append(value)
galaxy = {}
galaxy['name'] = "Pre Attack - Relationship"
galaxy['type'] = "mitre-pre-attack-relashipship"
galaxy['description'] = "Mitre Relationship"
galaxy['uuid' ] = "1f8e3bae-1708-11e8-8e97-4bd2150e5aae"
galaxy['version'] = args.version
galaxy['icon'] = "link"
cluster = {}
cluster['name'] = "Pre Attack - Relationship"
cluster['type'] = "mitre-pre-attack-relationship"
cluster['description'] = "MITRE Relationship"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "1ffd3108-1708-11e8-9f98-67b378d9094c"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-pre-attack-relationship.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-pre-attack-relationship.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)