Merge pull request #2 from MISP/master

Updated from Core
This commit is contained in:
eCrimeLabs 2018-05-15 11:55:15 +00:00 committed by GitHub
commit f0cb93c4af
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
56 changed files with 4493 additions and 3656 deletions


@ -35,11 +35,11 @@ to localized information (which is not shared) or additional information (that c
- [clusters/mitre-malware.json](clusters/mitre-malware.json) - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0 - [clusters/mitre-malware.json](clusters/mitre-malware.json) - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
- [clusters/mitre-tool.json](clusters/mitre-tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0 - [clusters/mitre-tool.json](clusters/mitre-tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
- [clusters/mitre-entreprise-attack-attack-pattern.json](clusters/mitre-entreprise-attack-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Entreprise Attack - [clusters/mitre-enterprise-attack-attack-pattern.json](clusters/mitre-enterprise-attack-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack
- [clusters/mitre-entreprise-attack-course-of-action.json](clusters/mitre-entreprise-attack-course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Entreprise Attack - [clusters/mitre-enterprise-attack-course-of-action.json](clusters/mitre-enterprise-attack-course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack
- [clusters/mitre-entreprise-attack-intrusion-set.json](clusters/mitre-entreprise-attack-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Entreprise Attack - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Entreprise Attack - [clusters/mitre-enterprise-attack-intrusion-set.json](clusters/mitre-enterprise-attack-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack
- [clusters/mitre-entreprise-attack-relationship.json](clusters/mitre-entreprise-attack-relationship.json) - Relationship . MITRE Relationship - V2.0 Entreprise Attack - [clusters/mitre-enterprise-attack-relationship.json](clusters/mitre-enterprise-attack-relationship.json) - Relationship . MITRE Relationship - V2.0 Enterprise Attack
- [clusters/mitre-entreprise-attack-tool.json](clusters/mitre-entreprise-attack-tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Entreprise Attack - [clusters/mitre-enterprise-attack-tool.json](clusters/mitre-enterprise-attack-tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack
- [clusters/mitre-mobile-attack-attack-pattern.json](clusters/mitre-mobile-attack-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack - [clusters/mitre-mobile-attack-attack-pattern.json](clusters/mitre-mobile-attack-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
- [clusters/mitre-mobile-attack-course-of-action.json](clusters/mitre-mobile-attack-course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack - [clusters/mitre-mobile-attack-course-of-action.json](clusters/mitre-mobile-attack-course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
- [clusters/mitre-mobile-attack-intrusion-set.json](clusters/mitre-mobile-attack-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack - [clusters/mitre-mobile-attack-intrusion-set.json](clusters/mitre-mobile-attack-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack


@ -2120,10 +2120,15 @@
}, },
{ {
"value": "Igexin", "value": "Igexin",
"description": "Igexin is an advertisement library that is bundled with certain Android applications.", "description": "Igexin is an advertisement library that is bundled with certain Android applications. Igexin has the capability of spying on victims through otherwise benign apps by downloading malicious plugins,",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2015-032606-5519-99" "https://www.symantec.com/security_response/writeup.jsp?docid=2015-032606-5519-99",
"https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf",
"https://blog.lookout.com/igexin-malicious-sdk"
],
"synonyms": [
"IcicleGum"
] ]
}, },
"uuid": "52c5f9b3-e9ed-4c86-b4a8-d4ebc68a4d7b" "uuid": "52c5f9b3-e9ed-4c86-b4a8-d4ebc68a4d7b"
@ -4181,9 +4186,113 @@
] ]
}, },
"uuid": "e3cd1cf3-2f49-4adc-977f-d15a2b0b4c85" "uuid": "e3cd1cf3-2f49-4adc-977f-d15a2b0b4c85"
},
{
"value": "Chamois",
"description": "Chamois is one of the largest PHA families in Android to date and is distributed through multiple channels. While much of the backdoor version of this family was cleaned up in 2016, a new variant emerged in 2017. To avoid detection, this version employs a number of techniques, such as implementing custom code obfuscation, preventing user notifications, and not appearing in the devices app list. Chamois apps, which in many cases come preloaded with the system image, try to trick users into clicking ads by displaying deceptive graphics to commit WAP or SMS fraud.",
"meta": {
"refs": [
"https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf",
"https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html"
]
},
"uuid": "a53e93e6-2d17-11e8-a718-0bb6e34b87d0"
},
{
"value": "IcicleGum",
"description": "IcicleGum is a spyware PHA family whose apps rely on versions of the Igexin ads SDK that offer dynamic code-loading support. IcicleGum apps use this library's code-loading features to fetch encrypted DEX files over HTTP from command-and-control servers. The files are then decrypted and loaded via class reflection to read and send phone call logs and other data to remote locations.",
"meta": {
"refs": [
"https://blog.lookout.com/igexin-malicious-sdk",
"https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf"
]
},
"uuid": "a5be6094-2d17-11e8-a5b1-ff153ed7d9c3"
},
{
"value": "BreadSMS",
"description": "BreadSMS is a large SMS-fraud PHA family that we started tracking at the beginning of 2017. These apps compose and send text messages to premium numbers without the users consent. In some cases, BreadSMS apps also implement subscription-based SMS fraud and silently enroll users in services provided by their mobile carriers. These apps are linked to a group of command-and-control servers whose IP addresses change frequently and that are used to provide the apps with premium SMS numbers and message text.",
"meta": {
"refs": [
"https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf"
]
},
"uuid": "2c75b006-2d18-11e8-8f57-2714f7737ec5 "
},
{
"value": "JamSkunk",
"description": "JamSkunk is a toll-fraud PHA family composed of apps that subscribe users to services without their consent. These apps disable Wi-Fi to force traffic to go through users' mobile data connection and then contact command-and-control servers to dynamically fetch code that tries to bypass the networks WAP service subscription verification steps. This type of PHA monetizes their abuse via WAP billing, a payment method that works through mobile data connections and allows users to easily sign up and pay for new services using their existing account (i.e., services are billed directly by the carrier, and not the service provider; the user does not need a new account or a different form of payment). Once authentication is bypassed, JamSkunk apps enroll the device in services that the user may not notice until they receive and read their next bill.",
"meta": {
"refs": [
"https://blog.fosec.vn/malicious-applications-stayed-at-google-appstore-for-months-d8834ff4de59",
"https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf"
]
},
"uuid": "1b5ff93c-2d1a-11e8-8559-07216a0f4416"
},
{
"value": "Expensive Wall",
"description": "Expensive Wall is a family of SMS-fraud apps that affected a large number of devices in 2017. Expensive Wall apps use code obfuscation to slow down analysis and evade detection, and rely on the JS2Java bridge to allow JavaScript code loaded inside a Webview to call Java methods the way Java apps directly do. Upon launch, Expensive Wall apps connect to command-and-control servers to fetch a domain name. This domain is then contacted via a Webview instance that loads a webpage and executes JavaScript code that calls Java methods to compose and send premium SMS messages or click ads without users' knowledge.",
"meta": {
"refs": [
"https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf",
"https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/"
]
},
"uuid": "1c105534-2d1a-11e8-af59-f3a9d10da2ae"
},
{
"value": "BambaPurple",
"description": "BambaPurple is a two-stage toll-fraud PHA family that tries to trick users into installing it by disguising itself as a popular app. After install, the app disables Wi-Fi to force the device to use its 3G connection, then redirects to subscription pages without the users knowledge, clicks subscription buttons using downloaded JavaScript, and intercepts incoming subscription SMS messages to prevent the user from unsubscribing. In a second stage, BambaPurple installs a backdoor app that requests device admin privileges and drops a .dex file. This executable checks to make sure it is not being debugged, downloads even more apps without user consent, and displays ads.",
"meta": {
"refs": [
"https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf"
]
},
"uuid": "1c90db8c-2d1a-11e8-8855-8b52c54dc70c"
},
{
"value": "KoreFrog",
"description": "KoreFrog is a family of trojan apps that request permission to install packages and push other apps onto the device as system apps without the users authorization. System apps can be disabled by the user, but cannot be easily uninstalled. KoreFrog apps operate as daemons running in the background that try to impersonate Google and other system apps by using misleading names and icons to avoid detection. The KoreFrog PHA family has also been observed to serve ads, in addition to apps.",
"meta": {
"refs": [
"https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf"
]
},
"uuid": "1cd12f7a-2d1a-11e8-9d61-5f382712fa0a"
},
{
"value": "Gaiaphish",
"description": "Gaiaphish is a large family of trojan apps that target authentication tokens stored on the device to abuse the users privileges for various purposes. These apps use base64-encoded URL strings to avoid detection of the command-and-control servers they rely on to download APK files. These files contain phishing apps that try to steal GAIA authentication tokens that grant the user permissions to access Google services, such as Google Play, Google+, and YouTube. With these tokens, Gaiaphish apps are able to generate spam and automatically post content (for instance, fake app ratings and comments on Google Play app pages)",
"meta": {
"refs": [
"https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf"
]
},
"uuid": "1dcd622c-2d1a-11e8-870e-9f50a5dd5a84"
},
{
"value": "RedDrop",
"description": "RedDrop can perform a vast array of malicious actions, including recording nearby audio and uploading the data to cloud-storage accounts on Dropbox and Google Drive.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/new-reddrop-android-spyware-records-nearby-audio/"
]
},
"uuid": "3178ca72-2ded-11e8-846e-eb40889b4f9f"
},
{
"value": "HenBox",
"description": "HenBox apps masquerade as others such as VPN apps, and Android system apps; some apps carry legitimate versions of other apps which they drop and install as a decoy technique. While some of legitimate apps HenBox uses as decoys can be found on Google Play, HenBox apps themselves are found only on third-party (non-Google Play) app stores. HenBox apps appear to primarily target the Uyghurs a Turkic ethnic group living mainly in the Xinjiang Uyghur Autonomous Region in North West China. HenBox has ties to infrastructure used in targeted attacks, with a focus on politics in South East Asia. These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX, Zupdax, 9002, and Poison Ivy. HexBox apps target devices made by Chinese consumer electronics manufacture, Xiaomi and those running MIUI, Xiaomis operating system based on Google Android. Furthermore, the malicious apps register their intent to process certain events broadcast on compromised devices in order to execute malicious code. This is common practice for many Android apps, however, HenBox sets itself up to trigger based on alerts from Xiaomi smart-home IoT devices, and once activated, proceeds in stealing information from a myriad of sources, including many mainstream chat, communication and social media apps. The stolen information includes personal and device information.",
"meta": {
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/"
]
},
"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§"
} }
], ],
"version": 4, "version": 8,
"uuid": "84310ba3-fa6a-44aa-b378-b9e3271c58fa", "uuid": "84310ba3-fa6a-44aa-b378-b9e3271c58fa",
"description": "Android malware galaxy based on multiple open sources.", "description": "Android malware galaxy based on multiple open sources.",
"authors": [ "authors": [
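Review bot: Two of the added uuid values are not well-formed UUIDs: the BreadSMS entry carries a trailing space, `"uuid": "2c75b006-2d18-11e8-8f57-2714f7737ec5 "`, and the HenBox entry has a stray `§` appended, `"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§"`. A cluster's uuid is presumably what other MISP instances key on when matching and syncing galaxy entries, so these two will fail any UUID validation and will not correlate with the same entry elsewhere; they should be `"2c75b006-2d18-11e8-8f57-2714f7737ec5"` and `"72c37e24-4ead-11e8-8f08-db3ec8f8db86"`. The Igexin description in the first hunk now ends in a comma (`...by downloading malicious plugins,`), which reads as an unfinished sentence. The HenBox description also says `HexBox apps target devices`, which looks like a typo for HenBox. The enclosing `values` array starts before the hunk.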


@ -211,6 +211,9 @@
"https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan",
"https://securelist.com/chthonic-a-new-modification-of-zeus/68176/" "https://securelist.com/chthonic-a-new-modification-of-zeus/68176/"
], ],
"synonyms": [
"Chtonic"
],
"date": "First seen fall of 2014" "date": "First seen fall of 2014"
}, },
"description": "Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.", "description": "Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.",
@ -514,7 +517,8 @@
"meta": { "meta": {
"refs": [ "refs": [
"https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/", "https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/",
"https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/" "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/",
"http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html"
], ],
"date": "Discovered in September 2017" "date": "Discovered in September 2017"
}, },
@ -567,7 +571,7 @@
"uuid": "f93acc85-8d2c-41e0-b0c5-47795b8c6194" "uuid": "f93acc85-8d2c-41e0-b0c5-47795b8c6194"
} }
], ],
"version": 7, "version": 8,
"uuid": "59f20cce-5420-4084-afd5-0884c0a83832", "uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
"description": "A list of banker malware.", "description": "A list of banker malware.",
"authors": [ "authors": [


@ -45,7 +45,7 @@
}, },
{ {
"value": "Torpig", "value": "Torpig",
"description": "Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.", "description": "Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data hajimeon the computer, and can perform man-in-the-browser attacks.",
"meta": { "meta": {
"refs": [ "refs": [
"https://en.wikipedia.org/wiki/Torpig" "https://en.wikipedia.org/wiki/Torpig"
@ -529,6 +529,43 @@
"date": "April 2017" "date": "April 2017"
}, },
"uuid": "3d7c771b-b175-41c9-8ba1-904ef29715fa" "uuid": "3d7c771b-b175-41c9-8ba1-904ef29715fa"
},
{
"value": "Hajime",
"description": "Hajime (meaning beginning in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks. One month later we saw the first samples being uploaded from Spain to VT. This worm builds a huge P2P botnet (almost 300,000 devices at the time of publishing this blogpost), but its real purpose remains unknown.\nIt is worth mentioning that in the past, the Hajime IoT botnet was never used for massive DDoS attacks, and its existance was a mystery for many researchers, as the botnet only gathered infected devices but almost never did anything with them (except scan for other vulnerable devices).",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/hajime-botnet-makes-a-comeback-with-massive-scan-for-mikrotik-routers/",
"https://en.wikipedia.org/wiki/Hajime_(malware)",
"https://securelist.com/hajime-the-mysterious-evolving-botnet/78160/"
]
},
"uuid": "383fd414-3805-11e8-ac12-c7b5af38ff67"
},
{
"value": "Muhstik",
"description": "The botnet is exploiting the CVE-2018-7600 vulnerability —also known as Drupalgeddon 2— to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS.\nAt the technical level, Netlab says Muhstik is built on top of Tsunami, a very old strain of malware that has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware.\nCrooks have used Tsunami initially for DDoS attacks, but its feature-set has greatly expanded after its source code leaked online.\nThe Muhstik version of Tsunami, according to a Netlab report published today, can launch DDoS attacks, install the XMRig Monero miner, or install the CGMiner to mine Dash cryptocurrency on infected hosts. Muhstik operators are using these three payloads to make money via the infected hosts.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/big-iot-botnet-starts-large-scale-exploitation-of-drupalgeddon-2-vulnerability/"
]
},
"uuid": "8364b00c-46c6-11e8-a78e-9bcc5609574f"
},
{
"value": "Hide and Seek",
"description": "Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise.\nThis is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device.\nThe reset operation flushed the device's flash memory, where the device would keep all its working data, including IoT malware strains.\nBut today, Bitdefender researchers announced they found an IoT malware strain that under certain circumstances copies itself to /etc/init.d/, a folder that houses daemon scripts on Linux-based operating systems —like the ones on routers and IoT devices.\nBy placing itself in this menu, the device's OS will automatically start the malware's process after the next reboot.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/",
"https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/"
],
"synonyms": [
"HNS",
"Hide 'N Seek"
]
},
"uuid": "cdf1148c-5358-11e8-87e5-ab60d455597f"
} }
], ],
"name": "Botnet", "name": "Botnet",
@ -539,5 +576,5 @@
], ],
"description": "botnet galaxy", "description": "botnet galaxy",
"uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f", "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
"version": 1 "version": 4
} }
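Review bot: The Torpig description in the first hunk is corrupted on the new side: `capable of modifying data hajimeon the computer` has the word `hajime` spliced into an otherwise unchanged sentence, apparently a stray paste made while the Hajime entry was being added. It should read `capable of modifying data on the computer`; as committed, an entry this commit did not intend to touch loses its well-formed description. The new Hajime and Hide and Seek descriptions also carry time-relative news wording (`at the time of publishing this blogpost`, `Until today`, `today, Bitdefender researchers announced`) that will not age well in a cluster entry; trimming them to the technical facts (P2P botnet that scans for vulnerable devices, persistence by copying itself to /etc/init.d/) would be clearer. The enclosing `values` array starts before the hunk.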


@ -1,8 +1,8 @@
{ {
"name": "Entreprise Attack -intrusion Set", "name": "Enterprise Attack -intrusion Set",
"type": "mitre-entreprise-attack-intrusion-set", "type": "mitre-enterprise-attack-intrusion-set",
"description": "Name of ATT&CK Group", "description": "Name of ATT&CK Group",
"version": 1, "version": 3,
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
"uuid": "01f18402-1708-11e8-ac1c-1ffb3c4a7775", "uuid": "01f18402-1708-11e8-ac1c-1ffb3c4a7775",
"authors": [ "authors": [
@ -11,7 +11,7 @@
"values": [ "values": [
{ {
"description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. (Citation: Kaspersky Poseidon Group)", "description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. (Citation: Kaspersky Poseidon Group)",
"value": "Poseidon Group", "value": "Poseidon Group - G0033",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Poseidon Group" "Poseidon Group"
@ -25,7 +25,7 @@
}, },
{ {
"description": "Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)", "description": "Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)",
"value": "Group5", "value": "Group5 - G0043",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Group5" "Group5"
@ -39,7 +39,7 @@
}, },
{ {
"description": "PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. (Citation: Bizeul 2014) (Citation: Villeneuve 2014)", "description": "PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. (Citation: Bizeul 2014) (Citation: Villeneuve 2014)",
"value": "PittyTiger", "value": "PittyTiger - G0011",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"PittyTiger" "PittyTiger"
@ -54,7 +54,7 @@
}, },
{ {
"description": "admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. (Citation: FireEye admin@338)", "description": "admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. (Citation: FireEye admin@338)",
"value": "admin@338", "value": "admin@338 - G0018",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"admin@338" "admin@338"
@ -68,7 +68,7 @@
}, },
{ {
"description": "RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). (Citation: ESET RTM Feb 2017)", "description": "RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). (Citation: ESET RTM Feb 2017)",
"value": "RTM", "value": "RTM - G0048",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"RTM" "RTM"
@ -82,7 +82,7 @@
}, },
{ {
"description": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)", "description": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)",
"value": "APT16", "value": "APT16 - G0023",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"APT16" "APT16"
@ -96,7 +96,7 @@
}, },
{ {
"description": "is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug Nov 2017)\n\nContributors: Alan Neville, @abnev", "description": "is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug Nov 2017)\n\nContributors: Alan Neville, @abnev",
"value": "Sowbug", "value": "Sowbug - G0054",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Sowbug" "Sowbug"
@ -110,7 +110,7 @@
}, },
{ {
"description": "APT28 is a threat group that has been attributed to the Russian government. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28) January 2017 (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee in April 2016. (Citation: Crowdstrike DNC June 2016)", "description": "APT28 is a threat group that has been attributed to the Russian government. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28) January 2017 (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee in April 2016. (Citation: Crowdstrike DNC June 2016)",
"value": "APT28", "value": "APT28 - G0007",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"APT28", "APT28",
@ -134,7 +134,7 @@
}, },
{ {
"description": "Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Though both this group and Axiom use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015)", "description": "Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Though both this group and Axiom use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015)",
"value": "Winnti Group", "value": "Winnti Group - G0044",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Winnti Group", "Winnti Group",
@ -151,7 +151,7 @@
}, },
{ {
"description": "Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. (Citation: Alperovitch 2014) The intrusion into healthcare company Anthem has been attributed to Deep Panda. (Citation: ThreatConnect Anthem) This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. (Citation: RSA Shell Crew) Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. (Citation: Symantec Black Vine)", "description": "Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. (Citation: Alperovitch 2014) The intrusion into healthcare company Anthem has been attributed to Deep Panda. (Citation: ThreatConnect Anthem) This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. (Citation: RSA Shell Crew) Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. (Citation: Symantec Black Vine)",
"value": "Deep Panda", "value": "Deep Panda - G0009",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Deep Panda", "Deep Panda",
@ -173,7 +173,7 @@
}, },
{ {
"description": "Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. (Citation: DustySky) (Citation: DustySky)2", "description": "Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. (Citation: DustySky) (Citation: DustySky)2",
"value": "Molerats", "value": "Molerats - G0021",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Molerats", "Molerats",
@ -188,7 +188,7 @@
}, },
{ {
"description": "Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda. (Citation: Symantec Strider Blog) (Citation: Kaspersky ProjectSauron Blog)", "description": "Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda. (Citation: Symantec Strider Blog) (Citation: Kaspersky ProjectSauron Blog)",
"value": "Strider", "value": "Strider - G0041",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Strider", "Strider",
@ -204,7 +204,7 @@
}, },
{ {
"description": "Sandworm Team is a cyber espionage group that has operated since approximately 2009 and has been attributed to Russia. (Citation: iSIGHT Sandworm 2014)", "description": "Sandworm Team is a cyber espionage group that has operated since approximately 2009 and has been attributed to Russia. (Citation: iSIGHT Sandworm 2014)",
"value": "Sandworm Team", "value": "Sandworm Team - G0034",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Sandworm Team", "Sandworm Team",
@ -219,7 +219,7 @@
}, },
{ {
"description": "FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. (Citation: FireEye FIN6 April 2016)", "description": "FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. (Citation: FireEye FIN6 April 2016)",
"value": "FIN6", "value": "FIN6 - G0037",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"FIN6" "FIN6"
@ -233,7 +233,7 @@
}, },
{ {
"description": "Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. (Citation: Cylance Dust Storm)", "description": "Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. (Citation: Cylance Dust Storm)",
"value": "Dust Storm", "value": "Dust Storm - G0031",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Dust Storm" "Dust Storm"
@ -247,7 +247,7 @@
}, },
{ {
"description": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)", "description": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)",
"value": "Cleaver", "value": "Cleaver - G0003",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Cleaver", "Cleaver",
@ -264,7 +264,7 @@
}, },
{ {
"description": "APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)", "description": "APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)",
"value": "APT12", "value": "APT12 - G0005",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"APT12", "APT12",
@ -282,7 +282,7 @@
}, },
{ {
"description": "is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)", "description": "is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)",
"value": "NEODYMIUM", "value": "NEODYMIUM - G0055",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"NEODYMIUM" "NEODYMIUM"
@ -297,7 +297,7 @@
}, },
{ {
"description": "APT34 is an Iranian cyber espionage group that has been active since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. APT34 loosely aligns with public reporting related to OilRig, but may not wholly align due to companies tracking threat groups in different ways. (Citation: FireEye APT34 Dec 2017)", "description": "APT34 is an Iranian cyber espionage group that has been active since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. APT34 loosely aligns with public reporting related to OilRig, but may not wholly align due to companies tracking threat groups in different ways. (Citation: FireEye APT34 Dec 2017)",
"value": "APT34", "value": "APT34 - G0057",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"APT34" "APT34"
@ -311,7 +311,7 @@
}, },
{ {
"description": "Moafee is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK. (Citation: Haq 2014)", "description": "Moafee is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK. (Citation: Haq 2014)",
"value": "Moafee", "value": "Moafee - G0002",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Moafee" "Moafee"
@ -325,7 +325,7 @@
}, },
{ {
"description": "Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. (Citation: Dell TG-3390) The group has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. (Citation: SecureWorks BRONZE UNION June 2017)", "description": "Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. (Citation: Dell TG-3390) The group has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. (Citation: SecureWorks BRONZE UNION June 2017)",
"value": "Threat Group-3390", "value": "Threat Group-3390 - G0027",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Threat Group-3390", "Threat Group-3390",
@ -343,7 +343,7 @@
}, },
{ {
"description": "DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. (Citation: Operation Quantum Entanglement) It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. (Citation: New DragonOK)", "description": "DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. (Citation: Operation Quantum Entanglement) It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. (Citation: New DragonOK)",
"value": "DragonOK", "value": "DragonOK - G0017",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"DragonOK" "DragonOK"
@ -358,7 +358,7 @@
}, },
{ {
"description": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the Peoples Liberation Army (PLA) General Staff Departments (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)", "description": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the Peoples Liberation Army (PLA) General Staff Departments (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)",
"value": "APT1", "value": "APT1 - G0006",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"APT1", "APT1",
@ -375,7 +375,7 @@
}, },
{ {
"description": "FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. (Citation: FireEye FIN10 June 2017)", "description": "FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. (Citation: FireEye FIN10 June 2017)",
"value": "FIN10", "value": "FIN10 - G0051",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"FIN10" "FIN10"
@ -389,7 +389,7 @@
}, },
{ {
"description": "OilRig is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2015. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook OilRig Dec 2017) Reporting on OilRig may loosely overlap with APT34, but may not wholly align due to companies tracking groups in different ways. (Citation: FireEye APT34 Dec 2017)\n\nContributors: Robert Falcone, Bryan Lee", "description": "OilRig is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2015. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook OilRig Dec 2017) Reporting on OilRig may loosely overlap with APT34, but may not wholly align due to companies tracking groups in different ways. (Citation: FireEye APT34 Dec 2017)\n\nContributors: Robert Falcone, Bryan Lee",
"value": "OilRig", "value": "OilRig - G0049",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"OilRig" "OilRig"
@ -408,7 +408,7 @@
}, },
{ {
"description": "is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. usually tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, Rocket Kitten, resulting in reporting that may not distinguish between the two groups' activities. (Citation: ClearSky Charming Kitten Dec 2017)", "description": "is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. usually tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, Rocket Kitten, resulting in reporting that may not distinguish between the two groups' activities. (Citation: ClearSky Charming Kitten Dec 2017)",
"value": "Charming Kitten", "value": "Charming Kitten - G0058",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Charming Kitten" "Charming Kitten"
@ -422,7 +422,7 @@
}, },
{ {
"description": "FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)\n\nContributors: Walker Johnson", "description": "FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)\n\nContributors: Walker Johnson",
"value": "FIN5", "value": "FIN5 - G0053",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"FIN5" "FIN5"
@ -438,7 +438,7 @@
}, },
{ {
"description": "Taidoor is a threat group that has operated since at least 2009 and has primarily targeted the Taiwanese government. (Citation: TrendMicro Taidoor)", "description": "Taidoor is a threat group that has operated since at least 2009 and has primarily targeted the Taiwanese government. (Citation: TrendMicro Taidoor)",
"value": "Taidoor", "value": "Taidoor - G0015",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Taidoor" "Taidoor"
@ -452,7 +452,7 @@
}, },
{ {
"description": "Night Dragon is a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)", "description": "Night Dragon is a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)",
"value": "Night Dragon", "value": "Night Dragon - G0014",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Night Dragon" "Night Dragon"
@ -466,7 +466,7 @@
}, },
{ {
"description": "Naikon is a threat group that has focused on targets around the South China Sea. (Citation: Baumgartner Naikon 2015) The group has been attributed to the Chinese Peoples Liberation Armys (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). (Citation: CameraShy) While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. (Citation: Baumgartner Golovkin Naikon 2015)", "description": "Naikon is a threat group that has focused on targets around the South China Sea. (Citation: Baumgartner Naikon 2015) The group has been attributed to the Chinese Peoples Liberation Armys (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). (Citation: CameraShy) While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. (Citation: Baumgartner Golovkin Naikon 2015)",
"value": "Naikon", "value": "Naikon - G0019",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Naikon" "Naikon"
@ -482,7 +482,7 @@
}, },
{ {
"description": "Ke3chang is a threat group attributed to actors operating out of China. (Citation: Villeneuve et al 2014)", "description": "Ke3chang is a threat group attributed to actors operating out of China. (Citation: Villeneuve et al 2014)",
"value": "Ke3chang", "value": "Ke3chang - G0004",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Ke3chang" "Ke3chang"
@ -496,7 +496,7 @@
}, },
{ {
"description": "APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists, and has extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based. (Citation: FireEye APT32 May 2017) (Citation: Volexity OceanLotus Nov 2017)", "description": "APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists, and has extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based. (Citation: FireEye APT32 May 2017) (Citation: Volexity OceanLotus Nov 2017)",
"value": "APT32", "value": "APT32 - G0050",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"APT32", "APT32",
@ -512,7 +512,7 @@
}, },
{ {
"description": "Patchwork is a threat group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Much of the code used by this group was copied and pasted from online forums. (Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)", "description": "Patchwork is a threat group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Much of the code used by this group was copied and pasted from online forums. (Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)",
"value": "Patchwork", "value": "Patchwork - G0040",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Patchwork", "Patchwork",
@ -529,7 +529,7 @@
}, },
{ {
"description": "APT30 is a threat group suspected to be associated with the Chinese government. (Citation: FireEye APT30) While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. (Citation: Baumgartner Golovkin Naikon 2015)", "description": "APT30 is a threat group suspected to be associated with the Chinese government. (Citation: FireEye APT30) While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. (Citation: Baumgartner Golovkin Naikon 2015)",
"value": "APT30", "value": "APT30 - G0013",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"APT30" "APT30"
@ -544,7 +544,7 @@
}, },
{ {
"description": "MONSOON is the name of an espionage campaign that apparently started in December 2015 and was ongoing as of July 2016. It is believed that the actors behind MONSOON are the same actors behind Operation Hangover. While attribution is unclear, the campaign has targeted victims with military and political interests in the Indian Subcontinent. (Citation: Forcepoint Monsoon) Operation Hangover has been reported as being Indian in origin, and can be traced back to 2010. (Citation: Operation Hangover May 2013)", "description": "MONSOON is the name of an espionage campaign that apparently started in December 2015 and was ongoing as of July 2016. It is believed that the actors behind MONSOON are the same actors behind Operation Hangover. While attribution is unclear, the campaign has targeted victims with military and political interests in the Indian Subcontinent. (Citation: Forcepoint Monsoon) Operation Hangover has been reported as being Indian in origin, and can be traced back to 2010. (Citation: Operation Hangover May 2013)",
"value": "MONSOON", "value": "MONSOON - G0042",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"MONSOON", "MONSOON",
@ -560,7 +560,7 @@
}, },
{ {
"description": "APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)", "description": "APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)",
"value": "APT17", "value": "APT17 - G0025",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"APT17", "APT17",
@ -575,7 +575,7 @@
}, },
{ {
"description": "FIN7 is a financially motivated threat group that has primarily targeted the retail and hospitality sectors, often using point-of-sale malware. It is sometimes referred to as Carbanak Group, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. (Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017)", "description": "FIN7 is a financially motivated threat group that has primarily targeted the retail and hospitality sectors, often using point-of-sale malware. It is sometimes referred to as Carbanak Group, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. (Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017)",
"value": "FIN7", "value": "FIN7 - G0046",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"FIN7" "FIN7"
@ -590,7 +590,7 @@
}, },
{ {
"description": "APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. (Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. (Citation: FireEye Clandestine Wolf) (Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. (Citation: Symantec Buckeye)\n\n (Citation: APT3 Adversary Emulation Plan)", "description": "APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. (Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. (Citation: FireEye Clandestine Wolf) (Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. (Citation: Symantec Buckeye)\n\n (Citation: APT3 Adversary Emulation Plan)",
"value": "APT3", "value": "APT3 - G0022",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"APT3", "APT3",
@ -614,7 +614,7 @@
}, },
{ {
"description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. (Citation: Securelist GCMAN)", "description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. (Citation: Securelist GCMAN)",
"value": "GCMAN", "value": "GCMAN - G0036",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"GCMAN" "GCMAN"
@ -628,7 +628,7 @@
}, },
{ {
"description": "Lazarus Group is a threat group that has been attributed to the North Korean government. (Citation: US-CERT HIDDEN COBRA June 2017) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)", "description": "Lazarus Group is a threat group that has been attributed to the North Korean government. (Citation: US-CERT HIDDEN COBRA June 2017) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)",
"value": "Lazarus Group", "value": "Lazarus Group - G0032",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Lazarus Group", "Lazarus Group",
@ -647,7 +647,7 @@
}, },
{ {
"description": "Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. (Citation: Lotus Blossom Jun 2015)", "description": "Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. (Citation: Lotus Blossom Jun 2015)",
"value": "Lotus Blossom", "value": "Lotus Blossom - G0030",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Lotus Blossom", "Lotus Blossom",
@ -662,7 +662,7 @@
}, },
{ {
"description": "Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. (Citation: Kaspersky Equation QA)", "description": "Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. (Citation: Kaspersky Equation QA)",
"value": "Equation", "value": "Equation - G0020",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Equation" "Equation"
@ -676,7 +676,7 @@
}, },
{ {
"description": "Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center WiFi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing. (Citation: Kaspersky Darkhotel)", "description": "Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center WiFi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing. (Citation: Kaspersky Darkhotel)",
"value": "Darkhotel", "value": "Darkhotel - G0012",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Darkhotel" "Darkhotel"
@ -690,7 +690,7 @@
}, },
{ {
"description": "Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. The group appeared to decrease activity following public exposure in 2014, and re-emerged in late 2015 through 2017. (Citation: Symantec Dragonfly) (Citation: Symantec Dragonfly) Sept 2017", "description": "Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. The group appeared to decrease activity following public exposure in 2014, and re-emerged in late 2015 through 2017. (Citation: Symantec Dragonfly) (Citation: Symantec Dragonfly) Sept 2017",
"value": "Dragonfly", "value": "Dragonfly - G0035",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Dragonfly", "Dragonfly",
@ -705,7 +705,7 @@
}, },
{ {
"description": "Suckfly is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)", "description": "Suckfly is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)",
"value": "Suckfly", "value": "Suckfly - G0039",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Suckfly" "Suckfly"
@ -719,7 +719,7 @@
}, },
{ {
"description": "Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)", "description": "Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)",
"value": "Stealth Falcon", "value": "Stealth Falcon - G0038",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Stealth Falcon" "Stealth Falcon"
@ -733,7 +733,7 @@
}, },
{ {
"description": "BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017)", "description": "BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017)",
"value": "BRONZE BUTLER", "value": "BRONZE BUTLER - G0060",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"BRONZE BUTLER", "BRONZE BUTLER",
@ -750,7 +750,7 @@
}, },
{ {
"description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. (Citation: Scarlet Mimic Jan 2016)", "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. (Citation: Scarlet Mimic Jan 2016)",
"value": "Scarlet Mimic", "value": "Scarlet Mimic - G0029",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Scarlet Mimic" "Scarlet Mimic"
@ -764,7 +764,7 @@
}, },
{ {
"description": "Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. (Citation: Dell TG-1314)", "description": "Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. (Citation: Dell TG-1314)",
"value": "Threat Group-1314", "value": "Threat Group-1314 - G0028",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Threat Group-1314", "Threat Group-1314",
@ -779,7 +779,7 @@
}, },
{ {
"description": "Turla is a threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. They are known for conducting watering hole and spearphishing campaigns. (Citation: Kaspersky Turla) (Citation: ESET Gazer Aug 2017)", "description": "Turla is a threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. They are known for conducting watering hole and spearphishing campaigns. (Citation: Kaspersky Turla) (Citation: ESET Gazer Aug 2017)",
"value": "Turla", "value": "Turla - G0010",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Turla", "Turla",
@ -796,7 +796,7 @@
}, },
{ {
"description": "APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008. (Citation: F-Secure The Dukes) (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Citation: Crowdstrike DNC June 2016)", "description": "APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008. (Citation: F-Secure The Dukes) (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Citation: Crowdstrike DNC June 2016)",
"value": "APT29", "value": "APT29 - G0016",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"APT29", "APT29",
@ -814,7 +814,7 @@
}, },
{ {
"description": "menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. (Citation: Palo Alto menuPass Feb 2017) (Citation: Crowdstrike CrowdCast Oct 2013) (Citation: FireEye Poison Ivy) (Citation: PWC Cloud Hopper April 2017) (Citation: FireEye APT10 April 2017)", "description": "menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. (Citation: Palo Alto menuPass Feb 2017) (Citation: Crowdstrike CrowdCast Oct 2013) (Citation: FireEye Poison Ivy) (Citation: PWC Cloud Hopper April 2017) (Citation: FireEye APT10 April 2017)",
"value": "menuPass", "value": "menuPass - G0045",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"menuPass", "menuPass",
@ -836,7 +836,7 @@
}, },
{ {
"description": "Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLAs 3rd General Staff Department (GSD). (Citation: CrowdStrike Putter Panda)", "description": "Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLAs 3rd General Staff Department (GSD). (Citation: CrowdStrike Putter Panda)",
"value": "Putter Panda", "value": "Putter Panda - G0024",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Putter Panda", "Putter Panda",
@ -852,7 +852,7 @@
}, },
{ {
"description": " (Citation: Axiom) is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. (Citation: Axiom) Though both this group and Winnti Group use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015)", "description": " (Citation: Axiom) is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. (Citation: Axiom) Though both this group and Winnti Group use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015)",
"value": "Axiom", "value": "Axiom - G0001",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Axiom", "Axiom",
@ -870,7 +870,7 @@
}, },
{ {
"description": "Magic Hound is an espionage campaign operating primarily in the Middle East that dates back to at least mid-2016. The group behind the campaign has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia. (Citation: Unit 42 Magic Hound Feb 2017)\n\nContributors: Bryan Lee", "description": "Magic Hound is an espionage campaign operating primarily in the Middle East that dates back to at least mid-2016. The group behind the campaign has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia. (Citation: Unit 42 Magic Hound Feb 2017)\n\nContributors: Bryan Lee",
"value": "Magic Hound", "value": "Magic Hound - G0059",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Magic Hound", "Magic Hound",
@ -890,7 +890,7 @@
}, },
{ {
"description": "is an activity group that has been active since at least 2012. The group conducted a campaign in May 2016 and has heavily targeted Turkish victims. has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)", "description": "is an activity group that has been active since at least 2012. The group conducted a campaign in May 2016 and has heavily targeted Turkish victims. has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)",
"value": "PROMETHIUM", "value": "PROMETHIUM - G0056",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"PROMETHIUM" "PROMETHIUM"
@ -905,7 +905,7 @@
}, },
{ {
"description": "Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak). It is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. (Citation: Kaspersky Carbanak) (Citation: FireEye FIN7 April 2017)\n\nContributors: Anastasios Pingios", "description": "Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak). It is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. (Citation: Kaspersky Carbanak) (Citation: FireEye FIN7 April 2017)\n\nContributors: Anastasios Pingios",
"value": "Carbanak", "value": "Carbanak - G0008",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Carbanak", "Carbanak",
@ -922,7 +922,7 @@
}, },
{ {
"description": "APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movement)", "description": "APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movement)",
"value": "APT18", "value": "APT18 - G0026",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"APT18", "APT18",
@ -939,7 +939,7 @@
}, },
{ {
"description": "CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. (Citation: ClearSky CopyKittens March 2017) (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)", "description": "CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. (Citation: ClearSky CopyKittens March 2017) (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)",
"value": "CopyKittens", "value": "CopyKittens - G0052",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"CopyKittens" "CopyKittens"
@ -955,7 +955,7 @@
}, },
{ {
"description": "Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. (Citation: Palo Alto Gamaredon Feb 2017)", "description": "Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. (Citation: Palo Alto Gamaredon Feb 2017)",
"value": "Gamaredon Group", "value": "Gamaredon Group - G0047",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Gamaredon Group" "Gamaredon Group"


@ -1,8 +1,8 @@
{ {
"name": "Entreprise Attack - Tool", "name": "Enterprise Attack - Tool",
"type": "mitre-entreprise-attack-tool", "type": "mitre-enterprise-attack-tool",
"description": "Name of ATT&CK software", "description": "Name of ATT&CK software",
"version": 1, "version": 3,
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
"uuid": "fc1ea6e0-1707-11e8-ac05-2b70d00c354e", "uuid": "fc1ea6e0-1707-11e8-ac05-2b70d00c354e",
"authors": [ "authors": [
@ -11,7 +11,7 @@
"values": [ "values": [
{ {
"description": "at is used to schedule tasks on a system to run at a specified date or time. (Citation: TechNet At)\n\nAliases: at, at.exe", "description": "at is used to schedule tasks on a system to run at a specified date or time. (Citation: TechNet At)\n\nAliases: at, at.exe",
"value": "at", "value": "at - S0110",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0110", "https://attack.mitre.org/wiki/Software/S0110",
@ -26,7 +26,7 @@
}, },
{ {
"description": "route can be used to find or change information within the local system IP routing table. (Citation: TechNet Route)\n\nAliases: route, route.exe", "description": "route can be used to find or change information within the local system IP routing table. (Citation: TechNet Route)\n\nAliases: route, route.exe",
"value": "route", "value": "route - S0103",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0103", "https://attack.mitre.org/wiki/Software/S0103",
@ -41,7 +41,7 @@
}, },
{ {
"description": "The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)\n\nAliases: Tasklist", "description": "The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)\n\nAliases: Tasklist",
"value": "Tasklist", "value": "Tasklist - S0057",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0057", "https://attack.mitre.org/wiki/Software/S0057",
@ -55,7 +55,7 @@
}, },
{ {
"description": "Windows Credential Editor is a password dumping tool. (Citation: Amplia WCE)\n\nAliases: Windows Credential Editor, WCE", "description": "Windows Credential Editor is a password dumping tool. (Citation: Amplia WCE)\n\nAliases: Windows Credential Editor, WCE",
"value": "Windows Credential Editor", "value": "Windows Credential Editor - S0005",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0005", "https://attack.mitre.org/wiki/Software/S0005",
@ -70,7 +70,7 @@
}, },
{ {
"description": "Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder)\n\nAliases: Responder", "description": "Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder)\n\nAliases: Responder",
"value": "Responder", "value": "Responder - S0174",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0174", "https://attack.mitre.org/wiki/Software/S0174",
@ -84,7 +84,7 @@
}, },
{ {
"description": "schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. (Citation: TechNet Schtasks)\n\nAliases: schtasks, schtasks.exe", "description": "schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. (Citation: TechNet Schtasks)\n\nAliases: schtasks, schtasks.exe",
"value": "schtasks", "value": "schtasks - S0111",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0111", "https://attack.mitre.org/wiki/Software/S0111",
@ -99,7 +99,7 @@
}, },
{ {
"description": "UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. (Citation: Github UACMe)\n\nAliases: UACMe", "description": "UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. (Citation: Github UACMe)\n\nAliases: UACMe",
"value": "UACMe", "value": "UACMe - S0116",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0116", "https://attack.mitre.org/wiki/Software/S0116",
@ -113,7 +113,7 @@
}, },
{ {
"description": "ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)\n\nAliases: ifconfig", "description": "ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)\n\nAliases: ifconfig",
"value": "ifconfig", "value": "ifconfig - S0101",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0101", "https://attack.mitre.org/wiki/Software/S0101",
@ -127,7 +127,7 @@
}, },
{ {
"description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)\n\nAliases: Mimikatz\n\nContributors: Vincent Le Toux", "description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)\n\nAliases: Mimikatz\n\nContributors: Vincent Le Toux",
"value": "Mimikatz", "value": "Mimikatz - S0002",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0002", "https://attack.mitre.org/wiki/Software/S0002",
@ -142,7 +142,7 @@
}, },
{ {
"description": " (Citation: xCmd) is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems. (Citation: xCmd)\n\nAliases: (Citation: xCmd)", "description": " (Citation: xCmd) is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems. (Citation: xCmd)\n\nAliases: (Citation: xCmd)",
"value": "xCmd", "value": "xCmd - S0123",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0123", "https://attack.mitre.org/wiki/Software/S0123",
@ -156,7 +156,7 @@
}, },
{ {
"description": "is a credential dumper, similar to Mimikatz, designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)\n\nAliases: MimiPenguin\n\nContributors: Vincent Le Toux", "description": "is a credential dumper, similar to Mimikatz, designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)\n\nAliases: MimiPenguin\n\nContributors: Vincent Le Toux",
"value": "MimiPenguin", "value": "MimiPenguin - S0179",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0179", "https://attack.mitre.org/wiki/Software/S0179",
@ -170,7 +170,7 @@
}, },
{ {
"description": "Systeminfo is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)\n\nAliases: Systeminfo, systeminfo.exe", "description": "Systeminfo is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)\n\nAliases: Systeminfo, systeminfo.exe",
"value": "Systeminfo", "value": "Systeminfo - S0096",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0096", "https://attack.mitre.org/wiki/Software/S0096",
@ -185,7 +185,7 @@
}, },
{ {
"description": "netsh is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)\n\nAliases: netsh, netsh.exe", "description": "netsh is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)\n\nAliases: netsh, netsh.exe",
"value": "netsh", "value": "netsh - S0108",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0108", "https://attack.mitre.org/wiki/Software/S0108",
@ -200,7 +200,7 @@
}, },
{ {
"description": "dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.\n\nAliases: dsquery, dsquery.exe", "description": "dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.\n\nAliases: dsquery, dsquery.exe",
"value": "dsquery", "value": "dsquery - S0105",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0105", "https://attack.mitre.org/wiki/Software/S0105",
@ -215,7 +215,7 @@
}, },
{ {
"description": "gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. (Citation: TrueSec Gsecdump)\n\nAliases: gsecdump", "description": "gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. (Citation: TrueSec Gsecdump)\n\nAliases: gsecdump",
"value": "gsecdump", "value": "gsecdump - S0008",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0008", "https://attack.mitre.org/wiki/Software/S0008",
@ -229,7 +229,7 @@
}, },
{ {
"description": "Ping is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)\n\nAliases: Ping, ping.exe", "description": "Ping is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)\n\nAliases: Ping, ping.exe",
"value": "Ping", "value": "Ping - S0097",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0097", "https://attack.mitre.org/wiki/Software/S0097",
@ -244,7 +244,7 @@
}, },
{ {
"description": "Fgdump is a Windows password hash dumper. (Citation: Mandiant APT1)\n\nAliases: Fgdump", "description": "Fgdump is a Windows password hash dumper. (Citation: Mandiant APT1)\n\nAliases: Fgdump",
"value": "Fgdump", "value": "Fgdump - S0120",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0120", "https://attack.mitre.org/wiki/Software/S0120",
@ -258,7 +258,7 @@
}, },
{ {
"description": "Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process. (Citation: Mandiant APT1)\n\nAliases: Lslsass", "description": "Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process. (Citation: Mandiant APT1)\n\nAliases: Lslsass",
"value": "Lslsass", "value": "Lslsass - S0121",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0121", "https://attack.mitre.org/wiki/Software/S0121",
@ -272,7 +272,7 @@
}, },
{ {
"description": "Pass-The-Hash Toolkit is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)\n\nAliases: Pass-The-Hash Toolkit", "description": "Pass-The-Hash Toolkit is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)\n\nAliases: Pass-The-Hash Toolkit",
"value": "Pass-The-Hash Toolkit", "value": "Pass-The-Hash Toolkit - S0122",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0122", "https://attack.mitre.org/wiki/Software/S0122",
@ -286,7 +286,7 @@
}, },
{ {
"description": "FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data. (Citation: Wikipedia FTP)\n\nAliases: FTP, ftp.exe", "description": "FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data. (Citation: Wikipedia FTP)\n\nAliases: FTP, ftp.exe",
"value": "FTP", "value": "FTP - S0095",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0095", "https://attack.mitre.org/wiki/Software/S0095",
@ -301,7 +301,7 @@
}, },
{ {
"description": "ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)\n\nAliases: ipconfig, ipconfig.exe", "description": "ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)\n\nAliases: ipconfig, ipconfig.exe",
"value": "ipconfig", "value": "ipconfig - S0100",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0100", "https://attack.mitre.org/wiki/Software/S0100",
@ -316,7 +316,7 @@
}, },
{ {
"description": "nbtstat is a utility used to troubleshoot NetBIOS name resolution. (Citation: TechNet Nbtstat)\n\nAliases: nbtstat, nbtstat.exe", "description": "nbtstat is a utility used to troubleshoot NetBIOS name resolution. (Citation: TechNet Nbtstat)\n\nAliases: nbtstat, nbtstat.exe",
"value": "nbtstat", "value": "nbtstat - S0102",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0102", "https://attack.mitre.org/wiki/Software/S0102",
@ -331,7 +331,7 @@
}, },
{ {
"description": "HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. (Citation: Operation Quantum Entanglement)\n\nAliases: HTRAN, HUC Packet Transmit Tool", "description": "HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. (Citation: Operation Quantum Entanglement)\n\nAliases: HTRAN, HUC Packet Transmit Tool",
"value": "HTRAN", "value": "HTRAN - S0040",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0040", "https://attack.mitre.org/wiki/Software/S0040",
@ -346,7 +346,7 @@
}, },
{ {
"description": "Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes \"Onion Routing,\" in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. (Citation: Dingledine Tor The Second-Generation Onion Router)\n\nAliases: Tor", "description": "Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes \"Onion Routing,\" in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. (Citation: Dingledine Tor The Second-Generation Onion Router)\n\nAliases: Tor",
"value": "Tor", "value": "Tor - S0183",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0183", "https://attack.mitre.org/wiki/Software/S0183",
@ -360,7 +360,7 @@
}, },
{ {
"description": "netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)\n\nAliases: netstat, netstat.exe", "description": "netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)\n\nAliases: netstat, netstat.exe",
"value": "netstat", "value": "netstat - S0104",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0104", "https://attack.mitre.org/wiki/Software/S0104",
@ -375,7 +375,7 @@
}, },
{ {
"description": "pwdump is a credential dumper. (Citation: Wikipedia pwdump)\n\nAliases: pwdump", "description": "pwdump is a credential dumper. (Citation: Wikipedia pwdump)\n\nAliases: pwdump",
"value": "pwdump", "value": "pwdump - S0006",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0006", "https://attack.mitre.org/wiki/Software/S0006",
@ -389,7 +389,7 @@
}, },
{ {
"description": "Cachedump is a publicly-available tool that program extracts cached password hashes from a systems registry. (Citation: Mandiant APT1)\n\nAliases: Cachedump", "description": "Cachedump is a publicly-available tool that program extracts cached password hashes from a systems registry. (Citation: Mandiant APT1)\n\nAliases: Cachedump",
"value": "Cachedump", "value": "Cachedump - S0119",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0119", "https://attack.mitre.org/wiki/Software/S0119",
@ -403,7 +403,7 @@
}, },
{ {
"description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\nNet has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through Windows admin shares using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe", "description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\nNet has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through Windows admin shares using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe",
"value": "Net", "value": "Net - S0039",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0039", "https://attack.mitre.org/wiki/Software/S0039",
@ -419,7 +419,7 @@
}, },
{ {
"description": "PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)\n\nAliases: PsExec", "description": "PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)\n\nAliases: PsExec",
"value": "PsExec", "value": "PsExec - S0029",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0029", "https://attack.mitre.org/wiki/Software/S0029",
@ -434,7 +434,7 @@
}, },
{ {
"description": "Certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)\n\nAliases: certutil, certutil.exe", "description": "Certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)\n\nAliases: certutil, certutil.exe",
"value": "certutil", "value": "certutil - S0160",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0160", "https://attack.mitre.org/wiki/Software/S0160",
@ -449,7 +449,7 @@
}, },
{ {
"description": "Arp displays information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp)\n\nAliases: Arp, arp.exe", "description": "Arp displays information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp)\n\nAliases: Arp, arp.exe",
"value": "Arp", "value": "Arp - S0099",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0099", "https://attack.mitre.org/wiki/Software/S0099",
@ -464,7 +464,7 @@
}, },
{ {
"description": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd)\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code> (Citation: TechNet Dir)), deleting files (e.g., <code>del</code> (Citation: TechNet Del)), and copying files (e.g., <code>copy</code> (Citation: TechNet Copy)).\n\nAliases: cmd, cmd.exe", "description": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd)\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code> (Citation: TechNet Dir)), deleting files (e.g., <code>del</code> (Citation: TechNet Del)), and copying files (e.g., <code>copy</code> (Citation: TechNet Copy)).\n\nAliases: cmd, cmd.exe",
"value": "cmd", "value": "cmd - S0106",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0106", "https://attack.mitre.org/wiki/Software/S0106",
@ -482,7 +482,7 @@
}, },
{ {
"description": "is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.\n\nAliases: meek", "description": "is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.\n\nAliases: meek",
"value": "meek", "value": "meek - S0175",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0175" "https://attack.mitre.org/wiki/Software/S0175"
@ -495,7 +495,7 @@
}, },
{ {
"description": "Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation: Microsoft Reg)\n\nUtilities such as Reg are known to be used by persistent threats. (Citation: Windows Commands JPCERT)\n\nAliases: Reg, reg.exe", "description": "Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation: Microsoft Reg)\n\nUtilities such as Reg are known to be used by persistent threats. (Citation: Windows Commands JPCERT)\n\nAliases: Reg, reg.exe",
"value": "Reg", "value": "Reg - S0075",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0075", "https://attack.mitre.org/wiki/Software/S0075",
@ -511,7 +511,7 @@
}, },
{ {
"description": "Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strikes interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. (Citation: cobaltstrike manual)\n\nAliases: Cobalt Strike", "description": "Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strikes interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. (Citation: cobaltstrike manual)\n\nAliases: Cobalt Strike",
"value": "Cobalt Strike", "value": "Cobalt Strike - S0154",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/wiki/Software/S0154", "https://attack.mitre.org/wiki/Software/S0154",


@ -2,7 +2,7 @@
"name": "Mobile Attack - Attack Pattern", "name": "Mobile Attack - Attack Pattern",
"type": "mitre-mobile-attack-attack-pattern", "type": "mitre-mobile-attack-attack-pattern",
"description": "ATT&CK tactic", "description": "ATT&CK tactic",
"version": 1, "version": 2,
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
"uuid": "1e606d06-1708-11e8-8a43-df11c8cf9ae2", "uuid": "1e606d06-1708-11e8-8a43-df11c8cf9ae2",
"authors": [ "authors": [
@ -11,7 +11,7 @@
"values": [ "values": [
{ {
"description": "An SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device. For example, Mulliner and Miller demonstrated such an attack against the iPhone in 2009 as described in (Citation: Forbes-iPhoneSMS).\n\nAn SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser.\n\nAs described by SRLabs in (Citation: SRLabs-SIMCard), vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages.\n\nPlatforms: Android, iOS", "description": "An SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device. For example, Mulliner and Miller demonstrated such an attack against the iPhone in 2009 as described in (Citation: Forbes-iPhoneSMS).\n\nAn SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser.\n\nAs described by SRLabs in (Citation: SRLabs-SIMCard), vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages.\n\nPlatforms: Android, iOS",
"value": "Malicious SMS Message", "value": "Malicious SMS Message - MOB-T1057",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1057", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1057",
@ -27,7 +27,7 @@
}, },
{ {
"description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication. For example, He et al. (Citation: mHealth) describe numerous healthcare-related applications that did not properly protect network communication.\n\nPlatforms: Android, iOS", "description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication. For example, He et al. (Citation: mHealth) describe numerous healthcare-related applications that did not properly protect network communication.\n\nPlatforms: Android, iOS",
"value": "Eavesdrop on Insecure Network Communication", "value": "Eavesdrop on Insecure Network Communication - MOB-T1042",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1042", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1042",
@ -44,7 +44,7 @@
}, },
{ {
"description": "An adversary could use knowledge of the techniques used by security software to evade detection. For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection as described by (Citation: Rastogi) et al. (Citation: Rastogi). \n\n (Citation: Brodie) (Citation: Brodie) describes limitations of jailbreak/root detection mechanisms.\n\n (Citation: Tan) (Citation: Tan) describes his experience defeating the jailbreak detection used by the iOS version of Good for Enterprise.\n\nPlatforms: Android, iOS", "description": "An adversary could use knowledge of the techniques used by security software to evade detection. For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection as described by (Citation: Rastogi) et al. (Citation: Rastogi). \n\n (Citation: Brodie) (Citation: Brodie) describes limitations of jailbreak/root detection mechanisms.\n\n (Citation: Tan) (Citation: Tan) describes his experience defeating the jailbreak detection used by the iOS version of Good for Enterprise.\n\nPlatforms: Android, iOS",
"value": "Disguise Root/Jailbreak Indicators", "value": "Disguise Root/Jailbreak Indicators - MOB-T1011",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1011", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1011",
@ -62,7 +62,7 @@
}, },
{ {
"description": "On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). Device information could be used to target privilege escalation exploits.\n\nPlatforms: Android", "description": "On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). Device information could be used to target privilege escalation exploits.\n\nPlatforms: Android",
"value": "Device Type Discovery", "value": "Device Type Discovery - MOB-T1022",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1022", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1022",
@ -76,7 +76,7 @@
}, },
{ {
"description": "A malicious app could use standard Android APIs to send SMS messages. SMS messages could potentially be sent to premium numbers that charge the device owner and generate revenue for an adversary, for example as described by Lookout in (Citation: Lookout-SMS).\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the SEND_SMS permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).\n\nDetection: As described in Google's Android Security 2014 Year in Review Report (Citation: AndroidSecurity2014), starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.\n\nOn Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android", "description": "A malicious app could use standard Android APIs to send SMS messages. SMS messages could potentially be sent to premium numbers that charge the device owner and generate revenue for an adversary, for example as described by Lookout in (Citation: Lookout-SMS).\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the SEND_SMS permission to send SMS messages. 
Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).\n\nDetection: As described in Google's Android Security 2014 Year in Review Report (Citation: AndroidSecurity2014), starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.\n\nOn Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android",
"value": "Premium SMS Toll Fraud", "value": "Premium SMS Toll Fraud - MOB-T1051",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1051", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1051",
@ -91,7 +91,7 @@
}, },
{ {
"description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB).\n\nDetection: Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.\n\nPlatforms: Android, iOS", "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB).\n\nDetection: Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.\n\nPlatforms: Android, iOS",
"value": "Obtain Device Cloud Backups", "value": "Obtain Device Cloud Backups - MOB-T1073",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1073", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1073",
@ -108,7 +108,7 @@
}, },
{ {
"description": "On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.\n\nPlatforms: Android", "description": "On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.\n\nPlatforms: Android",
"value": "Access Sensitive Data in Device Logs", "value": "Access Sensitive Data in Device Logs - MOB-T1016",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1016", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1016",
@ -123,7 +123,7 @@
}, },
{ {
"description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC. Wang and Stavrou (Citation: Wang-ExploitingUSB) and Kamkar (Citation: ArsTechnica-PoisonTap) describe this technique. This technique has been demonstrated on Android, and we are unaware of any demonstrations on iOS.\n\nPlatforms: Android", "description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC. Wang and Stavrou (Citation: Wang-ExploitingUSB) and Kamkar (Citation: ArsTechnica-PoisonTap) describe this technique. This technique has been demonstrated on Android, and we are unaware of any demonstrations on iOS.\n\nPlatforms: Android",
"value": "Attack PC via USB Connection", "value": "Attack PC via USB Connection - MOB-T1030",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1030", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1030",
@ -139,7 +139,7 @@
}, },
{ {
"description": "A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes as described in (Citation: IETF-PKCE).\n\nPlatforms: Android", "description": "A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes as described in (Citation: IETF-PKCE).\n\nPlatforms: Android",
"value": "Android Intent Hijacking", "value": "Android Intent Hijacking - MOB-T1019",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1019", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1019",
@ -153,7 +153,7 @@
}, },
{ {
"description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application. This technique, for example, could be used to capture OAuth authorization codes as described in (Citation: IETF-PKCE) or to phish user credentials as described in (Citation: MobileIron-XARA). Related potential security implications are described in (Citation: Dhanjani-URLScheme). FireEye researchers describe URL scheme hijacking in a blog post (Citation: FireEye-Masque2), including evidence of its use.\n\nPlatforms: iOS", "description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application. This technique, for example, could be used to capture OAuth authorization codes as described in (Citation: IETF-PKCE) or to phish user credentials as described in (Citation: MobileIron-XARA). Related potential security implications are described in (Citation: Dhanjani-URLScheme). FireEye researchers describe URL scheme hijacking in a blog post (Citation: FireEye-Masque2), including evidence of its use.\n\nPlatforms: iOS",
"value": "URL Scheme Hijacking", "value": "URL Scheme Hijacking - MOB-T1018",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1018", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1018",
@ -171,7 +171,7 @@
}, },
{ {
"description": "Adversaries may attempt to exploit enterprise servers, workstations, or other resources over the network. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).\n\nPlatforms: Android, iOS", "description": "Adversaries may attempt to exploit enterprise servers, workstations, or other resources over the network. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).\n\nPlatforms: Android, iOS",
"value": "Exploit Enterprise Resources", "value": "Exploit Enterprise Resources - MOB-T1031",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1031", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1031",
@ -186,7 +186,7 @@
}, },
{ {
"description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.\n\nDetection: Android devices with the Verified Boot capability (Citation: Android-VerifiedBoot) perform cryptographic checks of the integrity of the system partition.\n\nThe Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.\n\nSamsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.\n\nPlatforms: Android, iOS", "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. 
Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.\n\nDetection: Android devices with the Verified Boot capability (Citation: Android-VerifiedBoot) perform cryptographic checks of the integrity of the system partition.\n\nThe Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.\n\nSamsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.\n\nPlatforms: Android, iOS",
"value": "Modify System Partition", "value": "Modify System Partition - MOB-T1003",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1003", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1003",
@ -203,7 +203,7 @@
}, },
{ {
"description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.\n\nOn Android, much of this information is programmatically accessible to applications through the android.os.Build class (Citation: Android-Build).\n\nOn iOS, techniques exist for applications to programmatically access this information, for example as described in (Citation: StackOverflow-iOSVersion).\n\nPlatforms: Android, iOS", "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.\n\nOn Android, much of this information is programmatically accessible to applications through the android.os.Build class (Citation: Android-Build).\n\nOn iOS, techniques exist for applications to programmatically access this information, for example as described in (Citation: StackOverflow-iOSVersion).\n\nPlatforms: Android, iOS",
"value": "System Information Discovery", "value": "System Information Discovery - MOB-T1029",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1029", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1029",
@ -219,7 +219,7 @@
}, },
{ {
"description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).\n\nPlatforms: Android, iOS", "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).\n\nPlatforms: Android, iOS",
"value": "Network Service Scanning", "value": "Network Service Scanning - MOB-T1026",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1026" "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1026"
@ -233,7 +233,7 @@
}, },
{ {
"description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.\n\nDetection: On Android 6.0 and up, the user can view which applications have permission to access call log information through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS", "description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.\n\nDetection: On Android 6.0 and up, the user can view which applications have permission to access call log information through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS",
"value": "Access Call Log", "value": "Access Call Log - MOB-T1036",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1036", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1036",
@ -248,7 +248,7 @@
}, },
{ {
"description": "An adversary could evade app vetting techniques by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis.\n\nDiscussion of general Android anti-analysis techniques can be found in (Citation: Petsas). Discussion of Google Play Store-specific anti-analysis techniques can be found in (Citation: Oberheide-Bouncer), (Citation: Percoco-Bouncer).\n\n (Citation: Wang) presents a discussion of iOS anti-analysis techniques.\n\nPlatforms: Android, iOS", "description": "An adversary could evade app vetting techniques by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis.\n\nDiscussion of general Android anti-analysis techniques can be found in (Citation: Petsas). Discussion of Google Play Store-specific anti-analysis techniques can be found in (Citation: Oberheide-Bouncer), (Citation: Percoco-Bouncer).\n\n (Citation: Wang) presents a discussion of iOS anti-analysis techniques.\n\nPlatforms: Android, iOS",
"value": "Detect App Analysis Environment", "value": "Detect App Analysis Environment - MOB-T1043",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1043", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1043",
@ -269,7 +269,7 @@
}, },
{ {
"description": "Content of a web page could be designed to exploit vulnerabilities in a web browser running on the mobile device.\n\nPlatforms: Android, iOS", "description": "Content of a web page could be designed to exploit vulnerabilities in a web browser running on the mobile device.\n\nPlatforms: Android, iOS",
"value": "Malicious Web Content", "value": "Malicious Web Content - MOB-T1059",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1059", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1059",
@ -284,7 +284,7 @@
}, },
{ {
"description": "An adversary could use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. For example, Oberheide and Miller describe use of this technique in (Citation: Oberheide-Bouncer).\n\nPlatforms: Android, iOS", "description": "An adversary could use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. For example, Oberheide and Miller describe use of this technique in (Citation: Oberheide-Bouncer).\n\nPlatforms: Android, iOS",
"value": "Fake Developer Accounts", "value": "Fake Developer Accounts - MOB-T1045",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1045", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1045",
@ -299,7 +299,7 @@
}, },
{ {
"description": "Content of a media (audio or video) file could be designed to exploit vulnerabilities in parsers on the mobile device, as for example demonstrated by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright).\n\nPlatforms: Android, iOS", "description": "Content of a media (audio or video) file could be designed to exploit vulnerabilities in parsers on the mobile device, as for example demonstrated by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright).\n\nPlatforms: Android, iOS",
"value": "Malicious Media Content", "value": "Malicious Media Content - MOB-T1060",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1060", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1060",
@ -315,7 +315,7 @@
}, },
{ {
"description": "The application is delivered as an email attachment.\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices. Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.\n\nPlatforms: Android, iOS", "description": "The application is delivered as an email attachment.\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices. Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.\n\nPlatforms: Android, iOS",
"value": "App Delivered via Email Attachment", "value": "App Delivered via Email Attachment - MOB-T1037",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1037", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1037",
@ -331,7 +331,7 @@
}, },
{ {
"description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.\n\nIn the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. As described by Kaspersky (Citation: Kaspersky-MobileMalware), Google responds to reports of abuse by blocking access to GCM.\n\nPlatforms: Android, iOS", "description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.\n\nIn the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. As described by Kaspersky (Citation: Kaspersky-MobileMalware), Google responds to reports of abuse by blocking access to GCM.\n\nPlatforms: Android, iOS",
"value": "Standard Application Layer Protocol", "value": "Standard Application Layer Protocol - MOB-T1040",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1040", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1040",
@ -347,7 +347,7 @@
}, },
{ {
"description": "On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policies generally strongly restrict what can be accessed by apps (without taking advantage of a privilege escalation exploit). The contents of the external storage directory are generally visible, which could present concern if sensitive data is inappropriately stored there.\n\niOS's security architecture generally restricts the ability to perform file and directory discovery without use of escalated privileges.\n\nPlatforms: Android", "description": "On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policies generally strongly restrict what can be accessed by apps (without taking advantage of a privilege escalation exploit). The contents of the external storage directory are generally visible, which could present concern if sensitive data is inappropriately stored there.\n\niOS's security architecture generally restricts the ability to perform file and directory discovery without use of escalated privileges.\n\nPlatforms: Android",
"value": "File and Directory Discovery", "value": "File and Directory Discovery - MOB-T1023",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1023" "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1023"
@ -360,7 +360,7 @@
}, },
{ {
"description": "A malicious application could abuse Android device administrator access to wipe device contents, for example if a ransom is not paid.\n\nPlatforms: Android", "description": "A malicious application could abuse Android device administrator access to wipe device contents, for example if a ransom is not paid.\n\nPlatforms: Android",
"value": "Wipe Device Data", "value": "Wipe Device Data - MOB-T1050",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1050" "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1050"
@ -373,7 +373,7 @@
}, },
{ {
"description": "An adversary could use a malicious or exploited application to surreptitiously record activities using the device microphone and/or camera through use of standard operating system APIs.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to use the microphone or the camera through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS", "description": "An adversary could use a malicious or exploited application to surreptitiously record activities using the device microphone and/or camera through use of standard operating system APIs.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to use the microphone or the camera through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS",
"value": "Microphone or Camera Recordings", "value": "Microphone or Camera Recordings - MOB-T1032",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1032", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1032",
@ -388,7 +388,7 @@
}, },
{ {
"description": "The mobile device could contain built-in functionality with malicious behavior or exploitable vulnerabilities. An adversary could deliberately insert and take advantage of the malicious behavior or could exploit inadvertent vulnerabilities. In many cases, it is difficult to be certain whether exploitable functionality is due to malicious intent or simply an inadvertent mistake.\n\nPlatforms: Android, iOS", "description": "The mobile device could contain built-in functionality with malicious behavior or exploitable vulnerabilities. An adversary could deliberately insert and take advantage of the malicious behavior or could exploit inadvertent vulnerabilities. In many cases, it is difficult to be certain whether exploitable functionality is due to malicious intent or simply an inadvertent mistake.\n\nPlatforms: Android, iOS",
"value": "Malicious or Vulnerable Built-in Device Functionality", "value": "Malicious or Vulnerable Built-in Device Functionality - MOB-T1076",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1076" "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1076"
@ -402,7 +402,7 @@
}, },
{ {
"description": "An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques, as described in (Citation: Rastogi) (Citation: Zhou) (Citation: TrendMicro-Obad) (Citation: Xiao-iOS).\n\nPlatforms: Android, iOS", "description": "An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques, as described in (Citation: Rastogi) (Citation: Zhou) (Citation: TrendMicro-Obad) (Citation: Xiao-iOS).\n\nPlatforms: Android, iOS",
"value": "Obfuscated or Encrypted Payload", "value": "Obfuscated or Encrypted Payload - MOB-T1009",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1009", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1009",
@ -421,7 +421,7 @@
}, },
{ {
"description": "At least three methods exist to perform User Interface Spoofing:\n\nFirst, on both Android and iOS, an adversary could impersonate the user interface of a legitimate app or device function to trick a user into entering account credentials. \n\nSecond, on both Android and iOS, a malicious app could impersonate the identity of another app in order to trick users into installing and using it.\n\nThird, on older versions of Android, a malicious app could abuse mobile operating system features to interfere with a running legitimate app as described in (Citation: Felt-PhishingOnMobileDevices) and (Citation: Hassell-ExploitingAndroid). However, this technique appears to have been addressed starting in Android 5.0 with the deprecation of the Android's ActivityManager.getRunningTasks method and modification of its behavior (Citation: Android-getRunningTasks) and further addressed in Android 5.1.1 (Citation: StackOverflow-getRunningAppProcesses) to prevent a malicious app from determining what app is currently in the foreground.\n\nPlatforms: Android, iOS", "description": "At least three methods exist to perform User Interface Spoofing:\n\nFirst, on both Android and iOS, an adversary could impersonate the user interface of a legitimate app or device function to trick a user into entering account credentials. \n\nSecond, on both Android and iOS, a malicious app could impersonate the identity of another app in order to trick users into installing and using it.\n\nThird, on older versions of Android, a malicious app could abuse mobile operating system features to interfere with a running legitimate app as described in (Citation: Felt-PhishingOnMobileDevices) and (Citation: Hassell-ExploitingAndroid). 
However, this technique appears to have been addressed starting in Android 5.0 with the deprecation of the Android's ActivityManager.getRunningTasks method and modification of its behavior (Citation: Android-getRunningTasks) and further addressed in Android 5.1.1 (Citation: StackOverflow-getRunningAppProcesses) to prevent a malicious app from determining what app is currently in the foreground.\n\nPlatforms: Android, iOS",
"value": "User Interface Spoofing", "value": "User Interface Spoofing - MOB-T1014",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1014", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1014",
@ -440,7 +440,7 @@
}, },
{ {
"description": "A message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi or other) to the mobile device could exploit a vulnerability in code running on the device.\n\nD. Komaromy and N. Golde demonstrated baseband exploitation of a Samsung mobile device at the PacSec 2015 security conference (Citation: Register-BaseStation).\n\nWeinmann described and demonstrated \"the risk of remotely exploitable memory corruptions in cellular baseband stacks.\" (Citation: Weinmann-Baseband)\n\nPlatforms: Android, iOS", "description": "A message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi or other) to the mobile device could exploit a vulnerability in code running on the device.\n\nD. Komaromy and N. Golde demonstrated baseband exploitation of a Samsung mobile device at the PacSec 2015 security conference (Citation: Register-BaseStation).\n\nWeinmann described and demonstrated \"the risk of remotely exploitable memory corruptions in cellular baseband stacks.\" (Citation: Weinmann-Baseband)\n\nPlatforms: Android, iOS",
"value": "Exploit Baseband Vulnerability", "value": "Exploit Baseband Vulnerability - MOB-T1058",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1058", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1058",
@ -458,7 +458,7 @@
}, },
{ {
"description": "On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the <code>ps</code> command, or by examining the <code>/proc</code> directory. Starting in Android version 7, use of the Linux kernel's <code>hidepid</code> feature prevents applications (without escalated privileges) from accessing this information (Citation: Android-SELinuxChanges).\n\nPlatforms: Android", "description": "On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the <code>ps</code> command, or by examining the <code>/proc</code> directory. Starting in Android version 7, use of the Linux kernel's <code>hidepid</code> feature prevents applications (without escalated privileges) from accessing this information (Citation: Android-SELinuxChanges).\n\nPlatforms: Android",
"value": "Process Discovery", "value": "Process Discovery - MOB-T1027",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1027", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1027",
@ -472,7 +472,7 @@
}, },
{ {
"description": "A malicious application can request Device Administrator privileges. If the user grants the privileges, the application can take steps to make its removal more difficult.\n\nDetection: The device user can view a list of apps with Device Administrator privilege in the device settings.\n\nPlatforms: Android", "description": "A malicious application can request Device Administrator privileges. If the user grants the privileges, the application can take steps to make its removal more difficult.\n\nDetection: The device user can view a list of apps with Device Administrator privilege in the device settings.\n\nPlatforms: Android",
"value": "Abuse Device Administrator Access to Prevent Removal", "value": "Abuse Device Administrator Access to Prevent Removal - MOB-T1004",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1004", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1004",
@ -486,7 +486,7 @@
}, },
{ {
"description": "The application is downloaded from an arbitrary web site. A link to the application's download URI may be sent in an email or SMS, placed on another web site that the target is likely to view, or sent via other means (such as QR code).\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices.\n\nPlatforms: Android, iOS", "description": "The application is downloaded from an arbitrary web site. A link to the application's download URI may be sent in an email or SMS, placed on another web site that the target is likely to view, or sent via other means (such as QR code).\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices.\n\nPlatforms: Android, iOS",
"value": "App Delivered via Web Download", "value": "App Delivered via Web Download - MOB-T1034",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1034", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1034",
@ -502,7 +502,7 @@
}, },
{ {
"description": "A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.\n\nOn Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.\n\nOn iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.\n\nPlatforms: Android, iOS", "description": "A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.\n\nOn Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.\n\nOn iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.\n\nPlatforms: Android, iOS",
"value": "Capture SMS Messages", "value": "Capture SMS Messages - MOB-T1015",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1015" "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1015"
@ -516,7 +516,7 @@
}, },
{ {
"description": "An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android, and we are unaware of any demonstrated use on iOS.\n\nPlatforms: Android", "description": "An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android, and we are unaware of any demonstrated use on iOS.\n\nPlatforms: Android",
"value": "Encrypt Files for Ransom", "value": "Encrypt Files for Ransom - MOB-T1074",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1074", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1074",
@ -530,7 +530,7 @@
}, },
{ {
"description": "An adversary could abuse an iOS enterprise app signing key (intended for enterprise in-house distribution of apps) to sign malicious iOS apps so that they can be installed on iOS devices without the app needing to be published on Apple's App Store. For example, Xiao describes use of this technique in (Citation: Xiao-iOS).\n\nDetection: iOS 9 and above typically requires explicit user consent before allowing installation of applications signed with enterprise distribution keys rather than installed from Apple's App Store.\n\nPlatforms: iOS", "description": "An adversary could abuse an iOS enterprise app signing key (intended for enterprise in-house distribution of apps) to sign malicious iOS apps so that they can be installed on iOS devices without the app needing to be published on Apple's App Store. For example, Xiao describes use of this technique in (Citation: Xiao-iOS).\n\nDetection: iOS 9 and above typically requires explicit user consent before allowing installation of applications signed with enterprise distribution keys rather than installed from Apple's App Store.\n\nPlatforms: iOS",
"value": "Abuse of iOS Enterprise App Signing Key", "value": "Abuse of iOS Enterprise App Signing Key - MOB-T1048",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1048", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1048",
@ -545,7 +545,7 @@
}, },
{ {
"description": "On Android, details of onboard network interfaces are accessible to apps through the java.net. (Citation: NetworkInterface) class (Citation: NetworkInterface). The Android (Citation: TelephonyManager) class can be used to gather related information such as the IMSI, IMEI, and phone number (Citation: TelephonyManager).\n\nPlatforms: Android", "description": "On Android, details of onboard network interfaces are accessible to apps through the java.net. (Citation: NetworkInterface) class (Citation: NetworkInterface). The Android (Citation: TelephonyManager) class can be used to gather related information such as the IMSI, IMEI, and phone number (Citation: TelephonyManager).\n\nPlatforms: Android",
"value": "Local Network Configuration Discovery", "value": "Local Network Configuration Discovery - MOB-T1025",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1025", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1025",
@ -560,7 +560,7 @@
}, },
{ {
"description": "Adversaries can communicate using cellular networks rather than enterprise Wi-Fi in order to bypass enterprise network monitoring systems. Adversaries may also communicate using other non-Internet Protocol mediums such as SMS, NFC, or Bluetooth to bypass network monitoring systems.\n\nPlatforms: Android, iOS", "description": "Adversaries can communicate using cellular networks rather than enterprise Wi-Fi in order to bypass enterprise network monitoring systems. Adversaries may also communicate using other non-Internet Protocol mediums such as SMS, NFC, or Bluetooth to bypass network monitoring systems.\n\nPlatforms: Android, iOS",
"value": "Alternate Network Mediums", "value": "Alternate Network Mediums - MOB-T1041",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1041", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1041",
@ -575,7 +575,7 @@
}, },
{ {
"description": "On Android, applications can use standard APIs to gather a list of network connections to and from the device. For example, the Network Connections app available in the Google Play Store (Citation: ConnMonitor) advertises this functionality.\n\nPlatforms: Android", "description": "On Android, applications can use standard APIs to gather a list of network connections to and from the device. For example, the Network Connections app available in the Google Play Store (Citation: ConnMonitor) advertises this functionality.\n\nPlatforms: Android",
"value": "Local Network Connections Discovery", "value": "Local Network Connections Discovery - MOB-T1024",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1024", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1024",
@ -589,7 +589,7 @@
}, },
{ {
"description": "An adversary could make educated guesses of the device lock screen's PIN/password (e.g., commonly used values, birthdays, anniversaries) or attempt a dictionary or brute force attack against it. Brute force attacks could potentially be automated (Citation: PopSci-IPBox).\n\nPlatforms: Android, iOS", "description": "An adversary could make educated guesses of the device lock screen's PIN/password (e.g., commonly used values, birthdays, anniversaries) or attempt a dictionary or brute force attack against it. Brute force attacks could potentially be automated (Citation: PopSci-IPBox).\n\nPlatforms: Android, iOS",
"value": "Device Unlock Code Guessing or Brute Force", "value": "Device Unlock Code Guessing or Brute Force - MOB-T1062",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1062", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1062",
@ -604,7 +604,7 @@
}, },
{ {
"description": "A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).\n\nPlatforms: Android", "description": "A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).\n\nPlatforms: Android",
"value": "Exploit TEE Vulnerability", "value": "Exploit TEE Vulnerability - MOB-T1008",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1008", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1008",
@ -622,7 +622,7 @@
}, },
{ {
"description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication as described in NIST SP 800-153 (Citation: NIST-SP800153). \n\nFor example, Kaspersky describes a threat actor they call DarkHotel that targeted hotel Wi-Fi networks, using them to compromise computers belonging to business executives (Citation: Kaspersky-DarkHotel).\n\nPlatforms: Android, iOS", "description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication as described in NIST SP 800-153 (Citation: NIST-SP800153). \n\nFor example, Kaspersky describes a threat actor they call DarkHotel that targeted hotel Wi-Fi networks, using them to compromise computers belonging to business executives (Citation: Kaspersky-DarkHotel).\n\nPlatforms: Android, iOS",
"value": "Rogue Wi-Fi Access Points", "value": "Rogue Wi-Fi Access Points - MOB-T1068",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1068", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1068",
@ -639,7 +639,7 @@
}, },
{ {
"description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.\n\nDetection: Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.\n\nPlatforms: Android, iOS", "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.\n\nDetection: Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.\n\nPlatforms: Android, iOS",
"value": "Remotely Track Device Without Authorization", "value": "Remotely Track Device Without Authorization - MOB-T1071",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1071", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1071",
@ -655,7 +655,7 @@
}, },
{ {
"description": "An adversary could attempt to spoof a mobile device's biometric authentication mechanism, for example by providing a fake fingerprint as described by SRLabs in (Citation: SRLabs-Fingerprint).\n\niOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked (Citation: Apple-TouchID).\n\nPlatforms: Android, iOS", "description": "An adversary could attempt to spoof a mobile device's biometric authentication mechanism, for example by providing a fake fingerprint as described by SRLabs in (Citation: SRLabs-Fingerprint).\n\niOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked (Citation: Apple-TouchID).\n\nPlatforms: Android, iOS",
"value": "Biometric Spoofing", "value": "Biometric Spoofing - MOB-T1063",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1063", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1063",
@ -671,7 +671,7 @@
}, },
{ {
"description": "An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating as described in draft NIST SP 800-187 (Citation: NIST-SP800187).\n\nPlatforms: Android, iOS", "description": "An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating as described in draft NIST SP 800-187 (Citation: NIST-SP800187).\n\nPlatforms: Android, iOS",
"value": "Jamming or Denial of Service", "value": "Jamming or Denial of Service - MOB-T1067",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1067", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1067",
@ -690,7 +690,7 @@
}, },
{ {
"description": "A malicious app or other attack vector could capture sensitive data stored in the device clipboard, for example passwords being copy-and-pasted from a password manager app.\n\nPlatforms: Android, iOS", "description": "A malicious app or other attack vector could capture sensitive data stored in the device clipboard, for example passwords being copy-and-pasted from a password manager app.\n\nPlatforms: Android, iOS",
"value": "Capture Clipboard Data", "value": "Capture Clipboard Data - MOB-T1017",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1017", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1017",
@ -705,7 +705,7 @@
}, },
{ {
"description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS", "description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS",
"value": "Access Contact List", "value": "Access Contact List - MOB-T1035",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1035", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1035",
@ -720,7 +720,7 @@
}, },
{ {
"description": "An adversary could steal developer account credentials on an app store and/or signing keys to publish malicious updates to existing Android or iOS apps, or to abuse the developer's identity and reputation to publish new malicious applications. For example, Infoworld describes this technique and suggests mitigations in (Citation: Infoworld-Appstore).\n\nDetection: Developers can regularly scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity.\n\nPlatforms: Android, iOS", "description": "An adversary could steal developer account credentials on an app store and/or signing keys to publish malicious updates to existing Android or iOS apps, or to abuse the developer's identity and reputation to publish new malicious applications. For example, Infoworld describes this technique and suggests mitigations in (Citation: Infoworld-Appstore).\n\nDetection: Developers can regularly scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity.\n\nPlatforms: Android, iOS",
"value": "Stolen Developer Credentials or Signing Keys", "value": "Stolen Developer Credentials or Signing Keys - MOB-T1044",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1044", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1044",
@ -737,7 +737,7 @@
}, },
{ {
"description": "An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.\n\nDetection: On both Android and iOS the user must grant consent to an app to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is in place.\n\nPlatforms: Android, iOS", "description": "An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. 
However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.\n\nDetection: On both Android and iOS the user must grant consent to an app to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is in place.\n\nPlatforms: Android, iOS",
"value": "Network Traffic Capture or Redirection", "value": "Network Traffic Capture or Redirection - MOB-T1013",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1013", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1013",
@ -752,7 +752,7 @@
}, },
{ {
"description": "An adversary could attempt to read files that contain sensitive data or credentials (e.g., private keys, passwords, access tokens). This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory).\n\nPlatforms: Android, iOS", "description": "An adversary could attempt to read files that contain sensitive data or credentials (e.g., private keys, passwords, access tokens). This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory).\n\nPlatforms: Android, iOS",
"value": "Access Sensitive Data or Credentials in Files", "value": "Access Sensitive Data or Credentials in Files - MOB-T1012",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1012", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1012",
@ -767,7 +767,7 @@
}, },
{ {
"description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.\n\nThomas Roth describes the potential for placing a rootkit within the TrustZone secure world (Citation: Roth-Rootkits).\n\nDetection: Devices may perform cryptographic integrity checks of code running within the TEE at boot time.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.\n\nPlatforms: Android", "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.\n\nThomas Roth describes the potential for placing a rootkit within the TrustZone secure world (Citation: Roth-Rootkits).\n\nDetection: Devices may perform cryptographic integrity checks of code running within the TEE at boot time.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.\n\nPlatforms: Android",
"value": "Modify Trusted Execution Environment", "value": "Modify Trusted Execution Environment - MOB-T1002",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1002", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1002",
@ -783,7 +783,7 @@
}, },
{ {
"description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate as described in draft NIST SP 800-187 (Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.\n\nPlatforms: Android, iOS", "description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate as described in draft NIST SP 800-187 (Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.\n\nPlatforms: Android, iOS",
"value": "Downgrade to Insecure Protocols", "value": "Downgrade to Insecure Protocols - MOB-T1069",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1069", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1069",
@ -799,7 +799,7 @@
}, },
{ {
"description": "An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.\n\nPlatforms: Android, iOS", "description": "An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.\n\nPlatforms: Android, iOS",
"value": "Generate Fraudulent Advertising Revenue", "value": "Generate Fraudulent Advertising Revenue - MOB-T1075",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1075" "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1075"
@ -813,7 +813,7 @@
}, },
{ {
"description": "An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts up without having to wait for the device user to manually start the app.\n\n (Citation: Zhou) and Jiang (Citation: Zhou) analyzed 1260 Android malware samples belonging to 49 families of malware, and determined that 29 malware families and 83.3% of the samples listened for BOOT_COMPLETED.\n\nPlatforms: Android", "description": "An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts up without having to wait for the device user to manually start the app.\n\n (Citation: Zhou) and Jiang (Citation: Zhou) analyzed 1260 Android malware samples belonging to 49 families of malware, and determined that 29 malware families and 83.3% of the samples listened for BOOT_COMPLETED.\n\nPlatforms: Android",
"value": "App Auto-Start at Device Boot", "value": "App Auto-Start at Device Boot - MOB-T1005",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1005", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1005",
@ -827,7 +827,7 @@
}, },
{ {
"description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol.\n\nPlatforms: Android, iOS", "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol.\n\nPlatforms: Android, iOS",
"value": "Commonly Used Port", "value": "Commonly Used Port - MOB-T1039",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1039" "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1039"
@ -841,7 +841,7 @@
}, },
{ {
"description": "An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device).\n\nPlatforms: Android, iOS", "description": "An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device).\n\nPlatforms: Android, iOS",
"value": "Manipulate App Store Rankings or Ratings", "value": "Manipulate App Store Rankings or Ratings - MOB-T1055",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1055" "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1055"
@ -855,7 +855,7 @@
}, },
{ {
"description": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to access calendar information through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS", "description": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to access calendar information through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS",
"value": "Access Calendar Entries", "value": "Access Calendar Entries - MOB-T1038",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1038", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1038",
@ -870,7 +870,7 @@
}, },
{ {
"description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).\n\nDetection: Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.\n\nPlatforms: Android, iOS", "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).\n\nDetection: Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.\n\nPlatforms: Android, iOS",
"value": "Remotely Wipe Data Without Authorization", "value": "Remotely Wipe Data Without Authorization - MOB-T1072",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1072", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1072",
@ -887,7 +887,7 @@
}, },
{ {
"description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages to a phone number under the attacker's control. The adversary could then act as a man-in-the-middle to intercept or manipulate the communication. These issues are discussed in (Citation: Engel-SS7), (Citation: Engel-SS7)-2008, (Citation: 3GPP-Security), (Citation: Positive-SS7), as well as in a report from the Communications, Security, Reliability, and Interoperability Council (CSRIC) (Citation: CSRIC5-WG10-FinalReport).\n\nDetection: Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the CSRIC (Citation: CSRIC5-WG10-FinalReport). The CSRIC also suggests threat information sharing between telecommunications industry members.\n\nPlatforms: Android, iOS", "description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages to a phone number under the attacker's control. The adversary could then act as a man-in-the-middle to intercept or manipulate the communication. These issues are discussed in (Citation: Engel-SS7), (Citation: Engel-SS7)-2008, (Citation: 3GPP-Security), (Citation: Positive-SS7), as well as in a report from the Communications, Security, Reliability, and Interoperability Council (CSRIC) (Citation: CSRIC5-WG10-FinalReport).\n\nDetection: Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the CSRIC (Citation: CSRIC5-WG10-FinalReport). The CSRIC also suggests threat information sharing between telecommunications industry members.\n\nPlatforms: Android, iOS",
"value": "Exploit SS7 to Redirect Phone Calls/SMS", "value": "Exploit SS7 to Redirect Phone Calls/SMS - MOB-T1052",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1052", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1052",
@ -906,7 +906,7 @@
}, },
{ {
"description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device kernel or other boot partition components, where the code may evade detection, may persist after device resets, and may not be removable by the device user. In some cases (e.g., the Samsung Knox warranty bit as described under Detection), the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes, but doing so introduces the potential ability for others to maliciously update the kernel or other boot partition code.\n\nIf the bootloader is not unlocked, it may still be possible to exploit device vulnerabilities to update the code.\n\nDetection: The Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices. Samsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\nSamsung KNOX devices include a non-reversible Knox warranty bit fuse that is triggered \"if a non-Knox kernel has been loaded on the device\" (Citation: Samsung-KnoxWarrantyBit). If triggered, enterprise Knox container services will no longer be available on the device.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.\n\nMany enterprise applications perform their own checks to detect and respond to compromised devices. 
These checks are not foolproof but can detect common signs of compromise.\n\nPlatforms: Android, iOS", "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device kernel or other boot partition components, where the code may evade detection, may persist after device resets, and may not be removable by the device user. In some cases (e.g., the Samsung Knox warranty bit as described under Detection), the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes, but doing so introduces the potential ability for others to maliciously update the kernel or other boot partition code.\n\nIf the bootloader is not unlocked, it may still be possible to exploit device vulnerabilities to update the code.\n\nDetection: The Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices. Samsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\nSamsung KNOX devices include a non-reversible Knox warranty bit fuse that is triggered \"if a non-Knox kernel has been loaded on the device\" (Citation: Samsung-KnoxWarrantyBit). If triggered, enterprise Knox container services will no longer be available on the device.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.\n\nMany enterprise applications perform their own checks to detect and respond to compromised devices. These checks are not foolproof but can detect common signs of compromise.\n\nPlatforms: Android, iOS",
"value": "Modify OS Kernel or Boot Partition", "value": "Modify OS Kernel or Boot Partition - MOB-T1001",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1001", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1001",
@ -924,7 +924,7 @@
}, },
{ {
"description": "A malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions, as demonstrated in a proof of concept created by Skycure (Citation: Skycure-Accessibility).\n\nPlatforms: Android", "description": "A malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions, as demonstrated in a proof of concept created by Skycure (Citation: Skycure-Accessibility).\n\nPlatforms: Android",
"value": "Abuse Accessibility Features", "value": "Abuse Accessibility Features - MOB-T1056",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1056", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1056",
@ -938,7 +938,7 @@
}, },
{ {
"description": "Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities.\n\nFor example, Ryan Welton of NowSecure identified exploitable remote code execution vulnerabilities in a third-party advertisement library (Citation: NowSecure-RemoteCode). Grace et al. identified security issues in mobile advertisement libraries (Citation: Grace-Advertisement).\n\nPlatforms: Android, iOS", "description": "Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities.\n\nFor example, Ryan Welton of NowSecure identified exploitable remote code execution vulnerabilities in a third-party advertisement library (Citation: NowSecure-RemoteCode). Grace et al. identified security issues in mobile advertisement libraries (Citation: Grace-Advertisement).\n\nPlatforms: Android, iOS",
"value": "Insecure Third-Party Libraries", "value": "Insecure Third-Party Libraries - MOB-T1028",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1028", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1028",
@ -954,7 +954,7 @@
}, },
{ {
"description": "An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review (Citation: Poeplau-ExecuteThis). \n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView's JavascriptInterface capability (Citation: Bromium-AndroidRCE).\n\nOn iOS, techniques for executing dynamic code downloaded after application installation include JSPatch (Citation: FireEye-JSPatch). (Citation: Wang) et al. describe a related method of constructing malicious logic at app runtime on iOS (Citation: Wang).\n\nPlatforms: Android, iOS", "description": "An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review (Citation: Poeplau-ExecuteThis). \n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView's JavascriptInterface capability (Citation: Bromium-AndroidRCE).\n\nOn iOS, techniques for executing dynamic code downloaded after application installation include JSPatch (Citation: FireEye-JSPatch). (Citation: Wang) et al. describe a related method of constructing malicious logic at app runtime on iOS (Citation: Wang).\n\nPlatforms: Android, iOS",
"value": "Download New Code at Runtime", "value": "Download New Code at Runtime - MOB-T1010",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1010", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1010",
@ -973,7 +973,7 @@
}, },
{ {
"description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices, for example as described in (Citation: Engel-SS7), (Citation: Engel-SS7)-2008, (Citation: 3GPP-Security) and (Citation: Positive-SS7), as well as in a report from the Communications, Security, Reliability, and Interoperability Council (CSRIC) (Citation: CSRIC5-WG10-FinalReport).\n\nDetection: Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the CSRIC (Citation: CSRIC-WG1-FinalReport). The CSRIC also suggests threat information sharing between telecommunications industry members.\n\nPlatforms: Android, iOS", "description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices, for example as described in (Citation: Engel-SS7), (Citation: Engel-SS7)-2008, (Citation: 3GPP-Security) and (Citation: Positive-SS7), as well as in a report from the Communications, Security, Reliability, and Interoperability Council (CSRIC) (Citation: CSRIC5-WG10-FinalReport).\n\nDetection: Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the CSRIC (Citation: CSRIC-WG1-FinalReport). The CSRIC also suggests threat information sharing between telecommunications industry members.\n\nPlatforms: Android, iOS",
"value": "Exploit SS7 to Track Device Location", "value": "Exploit SS7 to Track Device Location - MOB-T1053",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1053", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1053",
@ -992,7 +992,7 @@
}, },
{ {
"description": "A malicious app can register as a device keyboard and intercept keypresses containing sensitive values such as usernames and passwords. Zeltser (Citation: Zeltser-Keyboard) describes these risks.\n\nBoth iOS and Android require the user to explicitly authorize use of third party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.\n\nPlatforms: Android, iOS", "description": "A malicious app can register as a device keyboard and intercept keypresses containing sensitive values such as usernames and passwords. Zeltser (Citation: Zeltser-Keyboard) describes these risks.\n\nBoth iOS and Android require the user to explicitly authorize use of third party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.\n\nPlatforms: Android, iOS",
"value": "Malicious Third Party Keyboard App", "value": "Malicious Third Party Keyboard App - MOB-T1020",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1020", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1020",
@ -1007,7 +1007,7 @@
}, },
{ {
"description": "A malicious app can exploit unpatched vulnerabilities in the operating system to obtain escalated privileges.\n\nPlatforms: Android, iOS", "description": "A malicious app can exploit unpatched vulnerabilities in the operating system to obtain escalated privileges.\n\nPlatforms: Android, iOS",
"value": "Exploit OS Vulnerability", "value": "Exploit OS Vulnerability - MOB-T1007",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1007", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1007",
@ -1022,7 +1022,7 @@
}, },
{ {
"description": "An adversary with control of a target's Google account can use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account as described in (Citation: Oberheide-RemoteInstall), (Citation: Konoth). However, only applications that are available for download through the Google Play Store can be remotely installed using this technique.\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted or known insecure or malicious apps on devices.\n\nPlatforms: Android", "description": "An adversary with control of a target's Google account can use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account as described in (Citation: Oberheide-RemoteInstall), (Citation: Konoth). However, only applications that are available for download through the Google Play Store can be remotely installed using this technique.\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted or known insecure or malicious apps on devices.\n\nPlatforms: Android",
"value": "Remotely Install Application", "value": "Remotely Install Application - MOB-T1046",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1046", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1046",
@ -1038,7 +1038,7 @@
}, },
{ {
"description": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. If an adversary can escalate privileges, he or she may be able to use those privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.\n\nSabanal describes the potential use of this technique in (Citation: Sabanal-ART).\n\nPlatforms: Android", "description": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. If an adversary can escalate privileges, he or she may be able to use those privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.\n\nSabanal describes the potential use of this technique in (Citation: Sabanal-ART).\n\nPlatforms: Android",
"value": "Modify cached executable code", "value": "Modify cached executable code - MOB-T1006",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1006", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1006",
@ -1052,7 +1052,7 @@
}, },
{ {
"description": "Adversaries may seek to identify all applications installed on the device. One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary's risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target.\n\nOn Android, applications can use methods in the PackageManager class (Citation: Android-PackageManager) to enumerate other apps installed on device, or an entity with shell access can use the pm command line tool.\n\nOn iOS, apps can use private API calls to obtain a list of other apps installed on the device as described by Kurtz (Citation: Kurtz-MaliciousiOSApps), however use of private API calls will likely prevent the application from being distributed through Apple's App Store.\n\nPlatforms: Android, iOS", "description": "Adversaries may seek to identify all applications installed on the device. One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary's risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target.\n\nOn Android, applications can use methods in the PackageManager class (Citation: Android-PackageManager) to enumerate other apps installed on device, or an entity with shell access can use the pm command line tool.\n\nOn iOS, apps can use private API calls to obtain a list of other apps installed on the device as described by Kurtz (Citation: Kurtz-MaliciousiOSApps), however use of private API calls will likely prevent the application from being distributed through Apple's App Store.\n\nPlatforms: Android, iOS",
"value": "Application Discovery", "value": "Application Discovery - MOB-T1021",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1021", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1021",
@ -1068,7 +1068,7 @@
}, },
{ {
"description": "Techniques have periodically been demonstrated that exploit vulnerabilities on Android (Citation: Wired-AndroidBypass), iOS (Citation: Kaspersky-iOSBypass), or other mobile devices to bypass the device lock screen. The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence.\n\nPlatforms: Android, iOS", "description": "Techniques have periodically been demonstrated that exploit vulnerabilities on Android (Citation: Wired-AndroidBypass), iOS (Citation: Kaspersky-iOSBypass), or other mobile devices to bypass the device lock screen. The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence.\n\nPlatforms: Android, iOS",
"value": "Lockscreen Bypass", "value": "Lockscreen Bypass - MOB-T1064",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1064", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1064",
@ -1084,7 +1084,7 @@
}, },
{ {
"description": "An adversary could convince the mobile network operator (e.g. through social networking or forged identification) to issue a new SIM card and associate it with an existing phone number and account (Citation: NYGov-Simswap). The adversary could then obtain SMS messages or hijack phone calls intended for someone else (Citation: Betanews-Simswap). One use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts (Citation: Guardian-Simswap).\n\nPlatforms: Android, iOS", "description": "An adversary could convince the mobile network operator (e.g. through social networking or forged identification) to issue a new SIM card and associate it with an existing phone number and account (Citation: NYGov-Simswap). The adversary could then obtain SMS messages or hijack phone calls intended for someone else (Citation: Betanews-Simswap). One use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts (Citation: Guardian-Simswap).\n\nPlatforms: Android, iOS",
"value": "SIM Card Swap", "value": "SIM Card Swap - MOB-T1054",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1054", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1054",
@ -1102,7 +1102,7 @@
}, },
{ {
"description": "An adversary could use a malicious or exploited application to surreptitiously track the device's physical location through use of standard operating system APIs.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to access device location through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS", "description": "An adversary could use a malicious or exploited application to surreptitiously track the device's physical location through use of standard operating system APIs.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to access device location through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS",
"value": "Location Tracking", "value": "Location Tracking - MOB-T1033",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1033", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1033",
@ -1117,7 +1117,7 @@
}, },
{ {
"description": "If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device's battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection.\n\nKrebs described this technique in (Citation: Krebs-JuiceJacking). Lau et al. (Citation: Lau-Mactans) demonstrated the ability to inject malicious applications into an iOS device via USB. Hay (Citation: IBM-NexusUSB) demonstrated the ability to exploit a Nexus 6 or 6P device over USB and then gain the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.\n\nPlatforms: Android, iOS", "description": "If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device's battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection.\n\nKrebs described this technique in (Citation: Krebs-JuiceJacking). Lau et al. (Citation: Lau-Mactans) demonstrated the ability to inject malicious applications into an iOS device via USB. Hay (Citation: IBM-NexusUSB) demonstrated the ability to exploit a Nexus 6 or 6P device over USB and then gain the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.\n\nPlatforms: Android, iOS",
"value": "Exploit via Charging Station or PC", "value": "Exploit via Charging Station or PC - MOB-T1061",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1061", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1061",
@ -1135,7 +1135,7 @@
}, },
{ {
"description": "If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to man-in-the-middle attacks (Citation: FireEye-SSL).\n\nPlatforms: Android, iOS", "description": "If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to man-in-the-middle attacks (Citation: FireEye-SSL).\n\nPlatforms: Android, iOS",
"value": "Manipulate Device Communication", "value": "Manipulate Device Communication - MOB-T1066",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1066", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1066",
@ -1151,7 +1151,7 @@
}, },
{ {
"description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. For example, Ritter and DePerry of iSEC Partners demonstrated this technique using a compromised cellular femtocell at Black Hat USA 2013 (Citation: Computerworld-Femtocell).\n\nPlatforms: Android, iOS", "description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. For example, Ritter and DePerry of iSEC Partners demonstrated this technique using a compromised cellular femtocell at Black Hat USA 2013 (Citation: Computerworld-Femtocell).\n\nPlatforms: Android, iOS",
"value": "Rogue Cellular Base Station", "value": "Rogue Cellular Base Station - MOB-T1070",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1070", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1070",
@ -1167,7 +1167,7 @@
}, },
{ {
"description": "An adversary could download a legitimate app, disassemble it, add malicious code, and then reassemble the app, for example as described by (Citation: Zhou) and Jiang in (Citation: Zhou). The app would appear to be the original app but contain additional malicious functionality. The adversary could then publish this app to app stores or use another delivery technique.\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices.\n\nPlatforms: Android, iOS", "description": "An adversary could download a legitimate app, disassemble it, add malicious code, and then reassemble the app, for example as described by (Citation: Zhou) and Jiang in (Citation: Zhou). The app would appear to be the original app but contain additional malicious functionality. The adversary could then publish this app to app stores or use another delivery technique.\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices.\n\nPlatforms: Android, iOS",
"value": "Repackaged Application", "value": "Repackaged Application - MOB-T1047",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1047", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1047",
@ -1183,7 +1183,7 @@
}, },
{ {
"description": "An adversary may seek to lock the legitimate user out of the device, for example until a ransom is paid.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to lock the user out of the device.\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. However, on jailbroken devices, malware has been demonstrated that can lock the user out of the device (Citation: KeyRaider).\n\nPlatforms: Android, iOS", "description": "An adversary may seek to lock the legitimate user out of the device, for example until a ransom is paid.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to lock the user out of the device.\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. However, on jailbroken devices, malware has been demonstrated that can lock the user out of the device (Citation: KeyRaider).\n\nPlatforms: Android, iOS",
"value": "Lock User Out of Device", "value": "Lock User Out of Device - MOB-T1049",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1049", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1049",
@ -1199,7 +1199,7 @@
}, },
{ {
"description": "As demonstrated by the XcodeGhost attack (Citation: PaloAlto-XcodeGhost1), app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications.\n\nDetection: Enterprises could deploy integrity checking software to the computers that they use to develop code to detect presence of unauthorized, modified software development tools.\n\nPlatforms: Android, iOS", "description": "As demonstrated by the XcodeGhost attack (Citation: PaloAlto-XcodeGhost1), app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications.\n\nDetection: Enterprises could deploy integrity checking software to the computers that they use to develop code to detect presence of unauthorized, modified software development tools.\n\nPlatforms: Android, iOS",
"value": "Malicious Software Development Tools", "value": "Malicious Software Development Tools - MOB-T1065",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1065", "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1065",


@ -2,7 +2,7 @@
"name": "Mobile Attack - Course of Action", "name": "Mobile Attack - Course of Action",
"type": "mitre-mobile-attack-course-of-action", "type": "mitre-mobile-attack-course-of-action",
"description": "ATT&CK Mitigation", "description": "ATT&CK Mitigation",
"version": 1, "version": 2,
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
"uuid": "03956f9e-1708-11e8-8395-976b24233e15", "uuid": "03956f9e-1708-11e8-8395-976b24233e15",
"authors": [ "authors": [
@ -11,72 +11,72 @@
"values": [ "values": [
{ {
"description": "A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.", "description": "A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.",
"value": "Deploy Compromised Device Detection Method", "value": "Deploy Compromised Device Detection Method - MOB-M1010",
"uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433" "uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433"
}, },
{ {
"description": "In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).", "description": "In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).",
"value": "Interconnection Filtering", "value": "Interconnection Filtering - MOB-M1014",
"uuid": "e829ee51-1caf-4665-ba15-7f8979634124" "uuid": "e829ee51-1caf-4665-ba15-7f8979634124"
}, },
{ {
"description": "Application developers should use device-provided credential storage mechanisms such as Android's KeyStore or iOS's KeyChain. These can prevent credentials from being exposed to an adversary.", "description": "Application developers should use device-provided credential storage mechanisms such as Android's KeyStore or iOS's KeyChain. These can prevent credentials from being exposed to an adversary.",
"value": "Use Device-Provided Credential Storage", "value": "Use Device-Provided Credential Storage - MOB-M1008",
"uuid": "d2a199d2-dfea-4d0c-987d-6195ed17be9c" "uuid": "d2a199d2-dfea-4d0c-987d-6195ed17be9c"
}, },
{ {
"description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.", "description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.",
"value": "Use Recent OS Version", "value": "Use Recent OS Version - MOB-M1006",
"uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564" "uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564"
}, },
{ {
"description": "Install security updates in response to discovered vulnerabilities.\n\nPurchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.\n\nDecommission devices that will no longer receive security updates.\n\nLimit or block access to enterprise resources from devices that have not installed recent security updates.\n* On Android devices, access can be controlled based on each device's security patch level.\n* On iOS devices, access can be controlled based on the iOS version.", "description": "Install security updates in response to discovered vulnerabilities.\n\nPurchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.\n\nDecommission devices that will no longer receive security updates.\n\nLimit or block access to enterprise resources from devices that have not installed recent security updates.\n* On Android devices, access can be controlled based on each device's security patch level.\n* On iOS devices, access can be controlled based on the iOS version.",
"value": "Security Updates", "value": "Security Updates - MOB-M1001",
"uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d" "uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d"
}, },
{ {
"description": "On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.", "description": "On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.",
"value": "Lock Bootloader", "value": "Lock Bootloader - MOB-M1003",
"uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58" "uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58"
}, },
{ {
"description": "Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.", "description": "Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.",
"value": "System Partition Integrity", "value": "System Partition Integrity - MOB-M1004",
"uuid": "7b1cf46f-784b-405a-a8dd-4624c19d8321" "uuid": "7b1cf46f-784b-405a-a8dd-4624c19d8321"
}, },
{ {
"description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.", "description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.",
"value": "Attestation", "value": "Attestation - MOB-M1002",
"uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c" "uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c"
}, },
{ {
"description": "Warn device users not to accept requests to grant Device Administrator access to applications without good reason.\n\nAdditionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.", "description": "Warn device users not to accept requests to grant Device Administrator access to applications without good reason.\n\nAdditionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.",
"value": "Caution with Device Administrator Access", "value": "Caution with Device Administrator Access - MOB-M1007",
"uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9" "uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9"
}, },
{ {
"description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
"value": "Application Developer Guidance", "value": "Application Developer Guidance - MOB-M1013",
"uuid": "25dc1ce8-eb55-4333-ae30-a7cb4f5894a1" "uuid": "25dc1ce8-eb55-4333-ae30-a7cb4f5894a1"
}, },
{ {
"description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as Detect App Analysis Environment exist that can enable adversaries to bypass vetting.", "description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as Detect App Analysis Environment exist that can enable adversaries to bypass vetting.",
"value": "Application Vetting", "value": "Application Vetting - MOB-M1005",
"uuid": "1553b156-6767-47f7-9eb4-2a692505666d" "uuid": "1553b156-6767-47f7-9eb4-2a692505666d"
}, },
{ {
"description": "Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.", "description": "Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.",
"value": "User Guidance", "value": "User Guidance - MOB-M1011",
"uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1" "uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1"
}, },
{ {
"description": "An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.", "description": "An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.",
"value": "Enterprise Policy", "value": "Enterprise Policy - MOB-M1012",
"uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee" "uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee"
}, },
{ {
"description": "Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.\n\niOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.\n\nAndroid's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).\n\nUse of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.", "description": "Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.\n\niOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.\n\nAndroid's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).\n\nUse of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.",
"value": "Encrypt Network Traffic", "value": "Encrypt Network Traffic - MOB-M1009",
"uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8" "uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8"
} }
] ]
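Review bot: The renamed `value` strings in this section (the course-of-action entries from MOB-M1010 down to MOB-M1009) drop the previous name entirely, because none of these objects carries a `meta.synonyms` list — compare the intrusion-set entry in the next section, where the old name "APT28" survives as a synonym next to the new "APT28 - G0007" value. Any consumer that keys on the cluster value rather than on `uuid` (for example tags already applied with the old value) will presumably stop matching once this version-2 file is imported; worth confirming against the importer. The `uuid` fields are unchanged, so uuid-based consumers are unaffected, but for the others adding `"meta": {"synonyms": ["Deploy Compromised Device Detection Method"]}` (and likewise for each renamed entry) would keep the old name resolvable. Since `source` points at mitre/cti, this file looks generated, so the fix probably belongs in the generator rather than in the JSON by hand.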


@ -2,7 +2,7 @@
"name": "Mobile Attack - intrusion Set", "name": "Mobile Attack - intrusion Set",
"type": "mitre-mobile-attack-intrusion-set", "type": "mitre-mobile-attack-intrusion-set",
"description": "Name of ATT&CK Group", "description": "Name of ATT&CK Group",
"version": 1, "version": 2,
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
"uuid": "02ab4018-1708-11e8-8f9d-e735aabdfa53", "uuid": "02ab4018-1708-11e8-8f9d-e735aabdfa53",
"authors": [ "authors": [
@ -11,7 +11,7 @@
"values": [ "values": [
{ {
"description": "APT28 is a threat group that has been attributed to the Russian government. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28) January 2017 (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee in April 2016. (Citation: Crowdstrike DNC June 2016)", "description": "APT28 is a threat group that has been attributed to the Russian government. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28) January 2017 (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee in April 2016. (Citation: Crowdstrike DNC June 2016)",
"value": "APT28", "value": "APT28 - G0007",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"APT28", "APT28",


@ -2,7 +2,7 @@
"name": "Mobile Attack - Malware", "name": "Mobile Attack - Malware",
"type": "mitre-mobile-attack-malware", "type": "mitre-mobile-attack-malware",
"description": "Name of ATT&CK software", "description": "Name of ATT&CK software",
"version": 1, "version": 2,
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
"uuid": "04a165aa-1708-11e8-b2da-c7d7625f4a4f", "uuid": "04a165aa-1708-11e8-b2da-c7d7625f4a4f",
"authors": [ "authors": [
@ -11,7 +11,7 @@
"values": [ "values": [
{ {
"description": "AndroRAT \"allows a third party to control the device and collect information such as contacts, call logs, text messages, device location, and audio from the microphone. It is now used maliciously by other actors.\" (Citation: Lookout-EnterpriseApps)\n\nAliases: AndroRAT", "description": "AndroRAT \"allows a third party to control the device and collect information such as contacts, call logs, text messages, device location, and audio from the microphone. It is now used maliciously by other actors.\" (Citation: Lookout-EnterpriseApps)\n\nAliases: AndroRAT",
"value": "AndroRAT", "value": "AndroRAT - MOB-S0008",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0008", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0008",
@ -25,7 +25,7 @@
}, },
{ {
"description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.Agent.ao", "description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.Agent.ao",
"value": "Trojan-SMS.AndroidOS.Agent.ao", "value": "Trojan-SMS.AndroidOS.Agent.ao - MOB-S0023",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0023", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0023",
@ -39,7 +39,7 @@
}, },
{ {
"description": "DualToy is Windows malware that installs malicious applications onto Android and iOS devices connected over USB (Citation: PaloAlto-DualToy).\n\nAliases: DualToy", "description": "DualToy is Windows malware that installs malicious applications onto Android and iOS devices connected over USB (Citation: PaloAlto-DualToy).\n\nAliases: DualToy",
"value": "DualToy", "value": "DualToy - MOB-S0031",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0031" "https://attack.mitre.org/mobile/index.php/Software/MOB-S0031"
@ -52,7 +52,7 @@
}, },
{ {
"description": "On jailbroken iOS devices, (Citation: KeyRaider) steals Apple account credentials and other data. It \"also has built-in functionality to hold iOS devices for ransom.\" (Citation: KeyRaider)\n\nAliases: (Citation: KeyRaider)", "description": "On jailbroken iOS devices, (Citation: KeyRaider) steals Apple account credentials and other data. It \"also has built-in functionality to hold iOS devices for ransom.\" (Citation: KeyRaider)\n\nAliases: (Citation: KeyRaider)",
"value": "KeyRaider", "value": "KeyRaider - MOB-S0004",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0004", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0004",
@ -66,7 +66,7 @@
}, },
{ {
"description": "Brain Test is a family of Android malware described by CheckPoint (Citation: CheckPoint-BrainTest) and Lookout (Citation: Lookout-BrainTest).\n\nAliases: BrainTest", "description": "Brain Test is a family of Android malware described by CheckPoint (Citation: CheckPoint-BrainTest) and Lookout (Citation: Lookout-BrainTest).\n\nAliases: BrainTest",
"value": "BrainTest", "value": "BrainTest - MOB-S0009",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0009", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0009",
@ -81,7 +81,7 @@
}, },
{ {
"description": "Lookout states that some variants of the Shedun, Shuanet, and ShiftyBug/Kemoge Android malware families \"have 71 percent to 82 percent code similarity\" (Citation: Lookout-Adware), even though they \"dont believe these apps were all created by the same author or group\".\n\nAliases: Shedun, Shuanet, ShiftyBug, Kemoge", "description": "Lookout states that some variants of the Shedun, Shuanet, and ShiftyBug/Kemoge Android malware families \"have 71 percent to 82 percent code similarity\" (Citation: Lookout-Adware), even though they \"dont believe these apps were all created by the same author or group\".\n\nAliases: Shedun, Shuanet, ShiftyBug, Kemoge",
"value": "Shedun", "value": "Shedun - MOB-S0010",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0010", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0010",
@ -98,7 +98,7 @@
}, },
{ {
"description": "Android malware family analyzed by Trend Micro (Citation: TrendMicro-DressCode)\n\nAliases: DressCode", "description": "Android malware family analyzed by Trend Micro (Citation: TrendMicro-DressCode)\n\nAliases: DressCode",
"value": "DressCode", "value": "DressCode - MOB-S0016",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0016", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0016",
@ -112,7 +112,7 @@
}, },
{ {
"description": "Adups, software pre-installed onto Android devices including those made by BLU Products, reportedly transmitted sensitive data to a Chinese server. The capability was reportedly designed \"to help a Chinese phone manufacturer monitor user behavior\" and \"was not intended for American phones\". (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor).\n\nAliases: Adups", "description": "Adups, software pre-installed onto Android devices including those made by BLU Products, reportedly transmitted sensitive data to a Chinese server. The capability was reportedly designed \"to help a Chinese phone manufacturer monitor user behavior\" and \"was not intended for American phones\". (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor).\n\nAliases: Adups",
"value": "Adups", "value": "Adups - MOB-S0025",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0025", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0025",
@ -127,7 +127,7 @@
}, },
{ {
"description": "Discovered by Lookout (Citation: Lookout-Pegasus) and Citizen Lab (Citation: PegasusCitizenLab), Pegasus escalates privileges on iOS devices and uses its privileged access to collect a variety of sensitive information.\n\nAliases: Pegasus", "description": "Discovered by Lookout (Citation: Lookout-Pegasus) and Citizen Lab (Citation: PegasusCitizenLab), Pegasus escalates privileges on iOS devices and uses its privileged access to collect a variety of sensitive information.\n\nAliases: Pegasus",
"value": "Pegasus", "value": "Pegasus - MOB-S0005",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0005", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0005",
@ -142,7 +142,7 @@
}, },
{ {
"description": "RuMMS is a family of Android malware (Citation: FireEye-RuMMS).\n\nAliases: RuMMS", "description": "RuMMS is a family of Android malware (Citation: FireEye-RuMMS).\n\nAliases: RuMMS",
"value": "RuMMS", "value": "RuMMS - MOB-S0029",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0029", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0029",
@ -156,7 +156,7 @@
}, },
{ {
"description": "HummingBad is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android (Citation: ArsTechnica-HummingBad).\n\nAliases: HummingBad", "description": "HummingBad is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android (Citation: ArsTechnica-HummingBad).\n\nAliases: HummingBad",
"value": "HummingBad", "value": "HummingBad - MOB-S0038",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0038", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0038",
@ -170,7 +170,7 @@
}, },
{ {
"description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.OpFake.a", "description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.OpFake.a",
"value": "Trojan-SMS.AndroidOS.OpFake.a", "value": "Trojan-SMS.AndroidOS.OpFake.a - MOB-S0024",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0024", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0024",
@ -184,7 +184,7 @@
}, },
{ {
"description": "Android malware family analyzed by Lookout (Citation: Lookout-Dendroid).\n\nAliases: Dendroid", "description": "Android malware family analyzed by Lookout (Citation: Lookout-Dendroid).\n\nAliases: Dendroid",
"value": "Dendroid", "value": "Dendroid - MOB-S0017",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0017", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0017",
@ -198,7 +198,7 @@
}, },
{ {
"description": "Android malware analyzed by Scandinavian security group CSIS as described in a Tripwire post (Citation: Tripwire-MazarBOT).\n\nAliases: MazarBOT", "description": "Android malware analyzed by Scandinavian security group CSIS as described in a Tripwire post (Citation: Tripwire-MazarBOT).\n\nAliases: MazarBOT",
"value": "MazarBOT", "value": "MazarBOT - MOB-S0019",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0019", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0019",
@ -212,7 +212,7 @@
}, },
{ {
"description": "The (Citation: Gooligan) malware family, revealed by Check Point, runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal \"authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.\" (Citation: Gooligan)\n\nGoogle (Citation: Ludwig-GhostPush) and LookoutLookout- (Citation: Gooligan) describe (Citation: Gooligan) as part of the Ghost Push Android malware family.\n\nAliases: (Citation: Gooligan)", "description": "The (Citation: Gooligan) malware family, revealed by Check Point, runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal \"authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.\" (Citation: Gooligan)\n\nGoogle (Citation: Ludwig-GhostPush) and LookoutLookout- (Citation: Gooligan) describe (Citation: Gooligan) as part of the Ghost Push Android malware family.\n\nAliases: (Citation: Gooligan)",
"value": "Gooligan", "value": "Gooligan - MOB-S0006",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0006", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0006",
@ -227,7 +227,7 @@
}, },
{ {
"description": "OldBoot is a family of Android malware described in a report from The Hacker News (Citation: HackerNews-OldBoot).\n\nAliases: OldBoot", "description": "OldBoot is a family of Android malware described in a report from The Hacker News (Citation: HackerNews-OldBoot).\n\nAliases: OldBoot",
"value": "OldBoot", "value": "OldBoot - MOB-S0001",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0001", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0001",
@ -241,7 +241,7 @@
}, },
{ {
"description": "WireLurker is a family of macOS malware that targets iOS devices connected over USB (Citation: PaloAlto-WireLurker).\n\nAliases: WireLurker", "description": "WireLurker is a family of macOS malware that targets iOS devices connected over USB (Citation: PaloAlto-WireLurker).\n\nAliases: WireLurker",
"value": "WireLurker", "value": "WireLurker - MOB-S0028",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0028" "https://attack.mitre.org/mobile/index.php/Software/MOB-S0028"
@ -254,7 +254,7 @@
}, },
{ {
"description": "Android remote access trojan (RAT) that has been observed to pose as legitimate applications including the Super Mario Run (Citation: Zscaler-SuperMarioRun) and Pokemon GO games (Citation: Proofpoint-Droidjack).\n\nAliases: DroidJack RAT", "description": "Android remote access trojan (RAT) that has been observed to pose as legitimate applications including the Super Mario Run (Citation: Zscaler-SuperMarioRun) and Pokemon GO games (Citation: Proofpoint-Droidjack).\n\nAliases: DroidJack RAT",
"value": "DroidJack RAT", "value": "DroidJack RAT - MOB-S0036",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0036", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0036",
@ -269,7 +269,7 @@
}, },
{ {
"description": "The HummingWhale Android malware family \"includes new virtual machine techniques that allow the malware to perform ad fraud better than ever\". (Citation: ArsTechnica-HummingWhale)\n\nAliases: HummingWhale", "description": "The HummingWhale Android malware family \"includes new virtual machine techniques that allow the malware to perform ad fraud better than ever\". (Citation: ArsTechnica-HummingWhale)\n\nAliases: HummingWhale",
"value": "HummingWhale", "value": "HummingWhale - MOB-S0037",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0037", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0037",
@ -283,7 +283,7 @@
}, },
{ {
"description": "ANDROIDOS_ANSERVER.A is Android malware novel for using encrypted content within a blog site for command and control (Citation: TrendMicro-Anserver).\n\nAliases: ANDROIDOS_ANSERVER.A", "description": "ANDROIDOS_ANSERVER.A is Android malware novel for using encrypted content within a blog site for command and control (Citation: TrendMicro-Anserver).\n\nAliases: ANDROIDOS_ANSERVER.A",
"value": "ANDROIDOS_ANSERVER.A", "value": "ANDROIDOS_ANSERVER.A - MOB-S0026",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0026", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0026",
@ -297,7 +297,7 @@
}, },
{ {
"description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.FakeInst.a", "description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.FakeInst.a",
"value": "Trojan-SMS.AndroidOS.FakeInst.a", "value": "Trojan-SMS.AndroidOS.FakeInst.a - MOB-S0022",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0022", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0022",
@ -311,7 +311,7 @@
}, },
{ {
"description": "Android malware family analyzed by Lookout (Citation: Lookout-NotCompatible)\n\nAliases: NotCompatible", "description": "Android malware family analyzed by Lookout (Citation: Lookout-NotCompatible)\n\nAliases: NotCompatible",
"value": "NotCompatible", "value": "NotCompatible - MOB-S0015",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0015", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0015",
@ -325,7 +325,7 @@
}, },
{ {
"description": "The X-Agent Android malware was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data for where it was used and hence the potential location of Ukrainian artillery (Citation: CrowdStrike-Android).\n\nAliases: X-Agent", "description": "The X-Agent Android malware was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data for where it was used and hence the potential location of Ukrainian artillery (Citation: CrowdStrike-Android).\n\nAliases: X-Agent",
"value": "X-Agent", "value": "X-Agent - MOB-S0030",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0030", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0030",
@ -339,7 +339,7 @@
}, },
{ {
"description": "Twitoor is a family of Android malware described by ESET (Citation: ESET-Twitoor).\n\nAliases: Twitoor", "description": "Twitoor is a family of Android malware described by ESET (Citation: ESET-Twitoor).\n\nAliases: Twitoor",
"value": "Twitoor", "value": "Twitoor - MOB-S0018",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0018", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0018",
@ -353,7 +353,7 @@
}, },
{ {
"description": "OBAD is a family of Android malware (Citation: TrendMicro-Obad).\n\nAliases: OBAD", "description": "OBAD is a family of Android malware (Citation: TrendMicro-Obad).\n\nAliases: OBAD",
"value": "OBAD", "value": "OBAD - MOB-S0002",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0002", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0002",
@ -367,7 +367,7 @@
}, },
{ {
"description": "As reported by Kaspersky (Citation: Kaspersky-WUC), a spear phishing message was sent to activist groups containing a malicious Android application as an attachment.\n\nAliases: Android/Chuli.A", "description": "As reported by Kaspersky (Citation: Kaspersky-WUC), a spear phishing message was sent to activist groups containing a malicious Android application as an attachment.\n\nAliases: Android/Chuli.A",
"value": "Android/Chuli.A", "value": "Android/Chuli.A - MOB-S0020",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0020", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0020",
@ -381,7 +381,7 @@
}, },
{ {
"description": "According to Lookout (Citation: Lookout-EnterpriseApps), the PJApps Android malware family \"may collect and leak the victims phone number, mobile device unique identifier (IMEI), and location. In order to make money, it may send messages to premium SMS numbers. PJApps also has the ability to download further applications to the device.\"\n\nAliases: PJApps", "description": "According to Lookout (Citation: Lookout-EnterpriseApps), the PJApps Android malware family \"may collect and leak the victims phone number, mobile device unique identifier (IMEI), and location. In order to make money, it may send messages to premium SMS numbers. PJApps also has the ability to download further applications to the device.\"\n\nAliases: PJApps",
"value": "PJApps", "value": "PJApps - MOB-S0007",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0007", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0007",
@ -395,7 +395,7 @@
}, },
{ {
"description": "Android malware analyzed by FireEye (Citation: FireEye-AndroidOverlay).\nAccording to their analysis, \"three campaigns in Europe used view overlay techniques...to present nearly identical credential input UIs as seen in benign apps, subsequently tricking unwary users into providing their banking credentials.\"\n\nAliases: AndroidOverlayMalware", "description": "Android malware analyzed by FireEye (Citation: FireEye-AndroidOverlay).\nAccording to their analysis, \"three campaigns in Europe used view overlay techniques...to present nearly identical credential input UIs as seen in benign apps, subsequently tricking unwary users into providing their banking credentials.\"\n\nAliases: AndroidOverlayMalware",
"value": "AndroidOverlayMalware", "value": "AndroidOverlayMalware - MOB-S0012",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0012", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0012",
@ -409,7 +409,7 @@
}, },
{ {
"description": "As described by Palo Alto Networks (Citation: ZergHelper), the (Citation: ZergHelper) app uses techniques to evade Apple's App Store review process for itself and uses techniques to install additional applications that are not in Apple's App Store.\n\nAliases: (Citation: ZergHelper)", "description": "As described by Palo Alto Networks (Citation: ZergHelper), the (Citation: ZergHelper) app uses techniques to evade Apple's App Store review process for itself and uses techniques to install additional applications that are not in Apple's App Store.\n\nAliases: (Citation: ZergHelper)",
"value": "ZergHelper", "value": "ZergHelper - MOB-S0003",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0003", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0003",
@ -423,7 +423,7 @@
}, },
{ {
"description": "SpyNote RAT (Citation: Zscaler-SpyNote) (Remote Access Trojan) is a family of malicious Android apps. The \"SpyNote RAT builder\" tool can be used to develop malicious apps with the SpyNote RAT functionality.\n\nAliases: SpyNote RAT", "description": "SpyNote RAT (Citation: Zscaler-SpyNote) (Remote Access Trojan) is a family of malicious Android apps. The \"SpyNote RAT builder\" tool can be used to develop malicious apps with the SpyNote RAT functionality.\n\nAliases: SpyNote RAT",
"value": "SpyNote RAT", "value": "SpyNote RAT - MOB-S0021",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0021", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0021",
@ -437,7 +437,7 @@
}, },
{ {
"description": " (Citation: RCSAndroid) (Citation: RCSAndroid) is Android malware allegedly distributed by Hacking Team.\n\nAliases: (Citation: RCSAndroid)", "description": " (Citation: RCSAndroid) (Citation: RCSAndroid) is Android malware allegedly distributed by Hacking Team.\n\nAliases: (Citation: RCSAndroid)",
"value": "RCSAndroid", "value": "RCSAndroid - MOB-S0011",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0011", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0011",
@ -451,7 +451,7 @@
}, },
{ {
"description": "The Charger Android malware steals \"steals contacts and SMS messages from the user's device\". It also \"asks for admin permissions\" and \"[i]f granted, the ransomware locks the device and displays a message demanding payment\". (Citation: CheckPoint-Charger)\n\nAliases: Charger", "description": "The Charger Android malware steals \"steals contacts and SMS messages from the user's device\". It also \"asks for admin permissions\" and \"[i]f granted, the ransomware locks the device and displays a message demanding payment\". (Citation: CheckPoint-Charger)\n\nAliases: Charger",
"value": "Charger", "value": "Charger - MOB-S0039",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0039", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0039",
@ -465,7 +465,7 @@
}, },
{ {
"description": "iOS malware that \"is different from previous seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices\" and \"abuses private APIs in the iOS system to implement malicious functionalities\" (Citation: PaloAlto-YiSpecter).\n\nAliases: YiSpecter", "description": "iOS malware that \"is different from previous seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices\" and \"abuses private APIs in the iOS system to implement malicious functionalities\" (Citation: PaloAlto-YiSpecter).\n\nAliases: YiSpecter",
"value": "YiSpecter", "value": "YiSpecter - MOB-S0027",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0027" "https://attack.mitre.org/mobile/index.php/Software/MOB-S0027"
@ -478,7 +478,7 @@
}, },
{ {
"description": "Discovered and analyzed by Lookout (Citation: Lookout-PegasusAndroid) and Google (Citation: Google-Chrysaor), Pegasus for Android (also known as Chrysaor) is spyware that was used in targeted attacks. Pegasus for Android does not use zero day vulnerabilities. It attempts to escalate privileges using well-known vulnerabilities, and even if the attempts fail, it still performs some subset of spyware functions that do not require escalated privileges.\n\nAliases: Pegasus for Android, Chrysaor", "description": "Discovered and analyzed by Lookout (Citation: Lookout-PegasusAndroid) and Google (Citation: Google-Chrysaor), Pegasus for Android (also known as Chrysaor) is spyware that was used in targeted attacks. Pegasus for Android does not use zero day vulnerabilities. It attempts to escalate privileges using well-known vulnerabilities, and even if the attempts fail, it still performs some subset of spyware functions that do not require escalated privileges.\n\nAliases: Pegasus for Android, Chrysaor",
"value": "Pegasus for Android", "value": "Pegasus for Android - MOB-S0032",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0032", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0032",
@ -494,7 +494,7 @@
}, },
{ {
"description": "iOS malware analyzed by Palo Alto Networks (Citation: (Citation: PaloAlto-XcodeGhost)1) (Citation: PaloAlto-XcodeGhost)\n\nAliases: XcodeGhost", "description": "iOS malware analyzed by Palo Alto Networks (Citation: (Citation: PaloAlto-XcodeGhost)1) (Citation: PaloAlto-XcodeGhost)\n\nAliases: XcodeGhost",
"value": "XcodeGhost", "value": "XcodeGhost - MOB-S0013",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0013", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0013",


@ -2,7 +2,7 @@
"name": "Mobile Attack - Tool", "name": "Mobile Attack - Tool",
"type": "mitre-mobile-attack-tool", "type": "mitre-mobile-attack-tool",
"description": "Name of ATT&CK software", "description": "Name of ATT&CK software",
"version": 1, "version": 2,
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
"uuid": "02cee87e-1708-11e8-8f15-8b33e4d6194b", "uuid": "02cee87e-1708-11e8-8f15-8b33e4d6194b",
"authors": [ "authors": [
@ -11,7 +11,7 @@
"values": [ "values": [
{ {
"description": "Xbot is a family of Android malware analyzed by Palo Alto Networks (Citation: PaloAlto-Xbot) that \"tries to steal victims' banking credentials and credit card information\", \"can also remotely lock infected Android devices, encrypt the user's files in external storage (e.g., SD card), and then ask for a U.S. $100 PayPal cash card as ransom\" and \"will steal all SMS message and contact information, intercept certain SMS messages, and parse SMS messages for mTANs (Mobile Transaction Authentication Number) from banks.\"\n\nAliases: Xbot", "description": "Xbot is a family of Android malware analyzed by Palo Alto Networks (Citation: PaloAlto-Xbot) that \"tries to steal victims' banking credentials and credit card information\", \"can also remotely lock infected Android devices, encrypt the user's files in external storage (e.g., SD card), and then ask for a U.S. $100 PayPal cash card as ransom\" and \"will steal all SMS message and contact information, intercept certain SMS messages, and parse SMS messages for mTANs (Mobile Transaction Authentication Number) from banks.\"\n\nAliases: Xbot",
"value": "Xbot", "value": "Xbot - MOB-S0014",
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0014", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0014",
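Review bot: The ATT&CK identifier is now embedded in the display string at `"value": "Xbot - MOB-S0014"` (and likewise in every changed value of the Pre Attack intrusion-set section below, e.g. `"value": "APT16 - G0023"`), so a consumer that needs the ID has to parse it back out of free text that also carries the name. Unless the ID is already present as a structured field under `meta` — none is visible in these hunks — a dedicated key such as `"external_id": "MOB-S0014"` alongside `refs` would keep it machine-readable while leaving `value` as a label. MISP derives galaxy tag names from `value`, so the rename also means tags already applied as `misp-galaxy:mitre-mobile-attack-tool="Xbot"` will presumably no longer resolve to this cluster; the intrusion-set clusters keep the bare name under `synonyms`, which softens this for them, but no such synonym is visible for Xbot. These files look generated from the MITRE CTI source, so the change belongs in the generator rather than in the JSON by hand.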


@ -2,7 +2,7 @@
"name": "Pre Attack - intrusion Set", "name": "Pre Attack - intrusion Set",
"type": "mitre-pre-attack-intrusion-set", "type": "mitre-pre-attack-intrusion-set",
"description": "Name of ATT&CK Group", "description": "Name of ATT&CK Group",
"version": 1, "version": 2,
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
"uuid": "1fdc8fa2-1708-11e8-99a3-67b4efc13c4f", "uuid": "1fdc8fa2-1708-11e8-99a3-67b4efc13c4f",
"authors": [ "authors": [
@ -11,7 +11,7 @@
"values": [ "values": [
{ {
"description": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)", "description": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)",
"value": "APT16", "value": "APT16 - G0023",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"APT16" "APT16"
@ -25,7 +25,7 @@
}, },
{ {
"description": "APT28 is a threat group that has been attributed to the Russian government. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28) January 2017 (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee in April 2016. (Citation: Crowdstrike DNC June 2016)", "description": "APT28 is a threat group that has been attributed to the Russian government. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28) January 2017 (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee in April 2016. (Citation: Crowdstrike DNC June 2016)",
"value": "APT28", "value": "APT28 - G0007",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"APT28", "APT28",
@ -49,7 +49,7 @@
}, },
{ {
"description": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)", "description": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)",
"value": "Cleaver", "value": "Cleaver - G0003",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Cleaver", "Cleaver",
@ -66,7 +66,7 @@
}, },
{ {
"description": "APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)", "description": "APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)",
"value": "APT12", "value": "APT12 - G0005",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"APT12", "APT12",
@ -84,7 +84,7 @@
}, },
{ {
"description": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the Peoples Liberation Army (PLA) General Staff Departments (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)", "description": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the Peoples Liberation Army (PLA) General Staff Departments (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)",
"value": "APT1", "value": "APT1 - G0006",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"APT1", "APT1",
@ -101,7 +101,7 @@
}, },
{ {
"description": "Night Dragon is a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)", "description": "Night Dragon is a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)",
"value": "Night Dragon", "value": "Night Dragon - G0014",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Night Dragon" "Night Dragon"
@ -115,7 +115,7 @@
}, },
{ {
"description": "APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)", "description": "APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)",
"value": "APT17", "value": "APT17 - G0025",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"APT17", "APT17",


@ -1,13 +1,8 @@
{ {
"name": "Pre Attack - Relationship",
"type": "mitre-pre-attack-relationship",
"description": "MITRE Relationship",
"version": 1,
"source": "https://github.com/mitre/cti",
"uuid": "1ffd3108-1708-11e8-9f98-67b378d9094c", "uuid": "1ffd3108-1708-11e8-9f98-67b378d9094c",
"authors": [ "description": "MITRE Relationship",
"MITRE" "source": "https://github.com/mitre/cti",
], "version": 2,
"values": [ "values": [
{ {
"meta": { "meta": {
@ -15,7 +10,7 @@
"target-uuid": "58d0b955-ae3d-424a-a537-2804dab38793" "target-uuid": "58d0b955-ae3d-424a-a537-2804dab38793"
}, },
"uuid": "1eed277b-a2a7-43f9-bf12-6e30abf0841a", "uuid": "1eed277b-a2a7-43f9-bf12-6e30abf0841a",
"value": "APT28 uses Unconditional client-side exploitation/Injected Website/Driveby" "value": "APT28 (G0007) uses Unconditional client-side exploitation/Injected Website/Driveby (PRE-T1149)"
}, },
{ {
"meta": { "meta": {
@ -23,7 +18,7 @@
"target-uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33" "target-uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33"
}, },
"uuid": "4a69750c-47d5-40f5-b753-c6bb2a27a359", "uuid": "4a69750c-47d5-40f5-b753-c6bb2a27a359",
"value": "Friend/Follow/Connect to targets of interest related-to Friend/Follow/Connect to targets of interest" "value": "Friend/Follow/Connect to targets of interest (PRE-T1141) related-to Friend/Follow/Connect to targets of interest (PRE-T1121)"
}, },
{ {
"meta": { "meta": {
@ -31,7 +26,7 @@
"target-uuid": "15ef4da5-3b93-4bb1-a39a-5396661956d3" "target-uuid": "15ef4da5-3b93-4bb1-a39a-5396661956d3"
}, },
"uuid": "2b6a71e4-e5d5-41d2-a193-9a95c94dc924", "uuid": "2b6a71e4-e5d5-41d2-a193-9a95c94dc924",
"value": "APT1 uses Build and configure delivery systems" "value": "APT1 (G0006) uses Build and configure delivery systems (PRE-T1124)"
}, },
{ {
"meta": { "meta": {
@ -39,7 +34,7 @@
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97" "target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
}, },
"uuid": "57723021-1eb3-4bf2-86eb-fdbf8a1b8125", "uuid": "57723021-1eb3-4bf2-86eb-fdbf8a1b8125",
"value": "Night Dragon uses Spear phishing messages with malicious attachments" "value": "Night Dragon (G0014) uses Spear phishing messages with malicious attachments (PRE-T1144)"
}, },
{ {
"meta": { "meta": {
@ -47,7 +42,7 @@
"target-uuid": "9755ecdc-deb0-40e6-af49-713cb0f8ed92" "target-uuid": "9755ecdc-deb0-40e6-af49-713cb0f8ed92"
}, },
"uuid": "a34c16e9-bc7e-45f5-a9a2-8b05d868e6a0", "uuid": "a34c16e9-bc7e-45f5-a9a2-8b05d868e6a0",
"value": "Night Dragon uses Remote access tool development" "value": "Night Dragon (G0014) uses Remote access tool development (PRE-T1128)"
}, },
{ {
"meta": { "meta": {
@ -55,7 +50,7 @@
"target-uuid": "d69c3e06-8311-4093-8e3e-0a8e06b15d92" "target-uuid": "d69c3e06-8311-4093-8e3e-0a8e06b15d92"
}, },
"uuid": "307e24f8-4d7c-49a8-88f6-fb0a99fe8ff4", "uuid": "307e24f8-4d7c-49a8-88f6-fb0a99fe8ff4",
"value": "APT16 uses Assess targeting options" "value": "APT16 (G0023) uses Assess targeting options (PRE-T1073)"
}, },
{ {
"meta": { "meta": {
@ -63,7 +58,7 @@
"target-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc" "target-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc"
}, },
"uuid": "2dbdcf5e-af75-4f92-b4ad-942a06aab259", "uuid": "2dbdcf5e-af75-4f92-b4ad-942a06aab259",
"value": "Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies" "value": "Analyze organizational skillsets and deficiencies (PRE-T1077) related-to Analyze organizational skillsets and deficiencies (PRE-T1066)"
}, },
{ {
"meta": { "meta": {
@ -71,7 +66,7 @@
"target-uuid": "f4c5d1d9-8f0e-46f1-a9fa-f9a440926046" "target-uuid": "f4c5d1d9-8f0e-46f1-a9fa-f9a440926046"
}, },
"uuid": "9af7194c-1eea-4aef-bab1-49bd29be069c", "uuid": "9af7194c-1eea-4aef-bab1-49bd29be069c",
"value": "APT1 uses Confirmation of launched compromise achieved" "value": "APT1 (G0006) uses Confirmation of launched compromise achieved (PRE-T1160)"
}, },
{ {
"meta": { "meta": {
@ -79,7 +74,7 @@
"target-uuid": "89a79d91-53e0-4ef5-ba28-558cb8b01f76" "target-uuid": "89a79d91-53e0-4ef5-ba28-558cb8b01f76"
}, },
"uuid": "f6dd74d9-ed02-4fe4-aff6-9ef25906592f", "uuid": "f6dd74d9-ed02-4fe4-aff6-9ef25906592f",
"value": "Night Dragon uses Identify groups/roles" "value": "Night Dragon (G0014) uses Identify groups/roles (PRE-T1047)"
}, },
{ {
"meta": { "meta": {
@ -87,7 +82,7 @@
"target-uuid": "271e6d40-e191-421a-8f87-a8102452c201" "target-uuid": "271e6d40-e191-421a-8f87-a8102452c201"
}, },
"uuid": "614f64d8-c221-4789-b1e1-787e9326a37b", "uuid": "614f64d8-c221-4789-b1e1-787e9326a37b",
"value": "APT17 uses Develop social network persona digital footprint" "value": "APT17 (G0025) uses Develop social network persona digital footprint (PRE-T1119)"
}, },
{ {
"meta": { "meta": {
@ -95,7 +90,7 @@
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97" "target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
}, },
"uuid": "84943231-1b44-4029-ae09-0dbf05440bef", "uuid": "84943231-1b44-4029-ae09-0dbf05440bef",
"value": "APT1 uses Spear phishing messages with malicious attachments" "value": "APT1 (G0006) uses Spear phishing messages with malicious attachments (PRE-T1144)"
}, },
{ {
"meta": { "meta": {
@ -103,7 +98,7 @@
"target-uuid": "d3999268-740f-467e-a075-c82e2d04be62" "target-uuid": "d3999268-740f-467e-a075-c82e2d04be62"
}, },
"uuid": "51d03816-347c-4716-9524-da99a58f5ea6", "uuid": "51d03816-347c-4716-9524-da99a58f5ea6",
"value": "APT1 uses Assess leadership areas of interest" "value": "APT1 (G0006) uses Assess leadership areas of interest (PRE-T1001)"
}, },
{ {
"meta": { "meta": {
@ -111,7 +106,7 @@
"target-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1" "target-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1"
}, },
"uuid": "ad510f42-e745-42d0-8b54-4bf7a2f3cf34", "uuid": "ad510f42-e745-42d0-8b54-4bf7a2f3cf34",
"value": "Conduct social engineering related-to Conduct social engineering" "value": "Conduct social engineering (PRE-T1045) related-to Conduct social engineering (PRE-T1026)"
}, },
{ {
"meta": { "meta": {
@ -119,7 +114,7 @@
"target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4" "target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4"
}, },
"uuid": "ab356c7a-6922-4143-90eb-5be632e2f6cd", "uuid": "ab356c7a-6922-4143-90eb-5be632e2f6cd",
"value": "Cleaver uses Build social network persona" "value": "Cleaver (G0003) uses Build social network persona (PRE-T1118)"
}, },
{ {
"meta": { "meta": {
@ -127,7 +122,7 @@
"target-uuid": "7718e92f-b011-4f88-b822-ae245a1de407" "target-uuid": "7718e92f-b011-4f88-b822-ae245a1de407"
}, },
"uuid": "ab313887-ff00-4aa9-8edb-ab107c517c19", "uuid": "ab313887-ff00-4aa9-8edb-ab107c517c19",
"value": "Identify job postings and needs/gaps related-to Identify job postings and needs/gaps" "value": "Identify job postings and needs/gaps (PRE-T1025) related-to Identify job postings and needs/gaps (PRE-T1055)"
}, },
{ {
"meta": { "meta": {
@ -135,7 +130,7 @@
"target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b" "target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b"
}, },
"uuid": "edb31962-2310-4618-bd4f-d34f8e7d58e8", "uuid": "edb31962-2310-4618-bd4f-d34f8e7d58e8",
"value": "APT16 uses Acquire OSINT data sets and information" "value": "APT16 (G0023) uses Acquire OSINT data sets and information (PRE-T1024)"
}, },
{ {
"meta": { "meta": {
@ -143,7 +138,7 @@
"target-uuid": "286cc500-4291-45c2-99a1-e760db176402" "target-uuid": "286cc500-4291-45c2-99a1-e760db176402"
}, },
"uuid": "0adf353d-688b-46ce-88bb-62a008675fe0", "uuid": "0adf353d-688b-46ce-88bb-62a008675fe0",
"value": "Night Dragon uses Acquire and/or use 3rd party infrastructure services" "value": "Night Dragon (G0014) uses Acquire and/or use 3rd party infrastructure services (PRE-T1084)"
}, },
{ {
"meta": { "meta": {
@ -151,7 +146,7 @@
"target-uuid": "d778cb83-2292-4995-b006-d38f52bc1e64" "target-uuid": "d778cb83-2292-4995-b006-d38f52bc1e64"
}, },
"uuid": "e95ea206-3962-43af-aac1-042ac9928679", "uuid": "e95ea206-3962-43af-aac1-042ac9928679",
"value": "Night Dragon uses Identify gap areas" "value": "Night Dragon (G0014) uses Identify gap areas (PRE-T1002)"
}, },
{ {
"meta": { "meta": {
@ -159,7 +154,7 @@
"target-uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234" "target-uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234"
}, },
"uuid": "b09b41c4-670f-4f00-b8d5-a8c6a2dcfcfb", "uuid": "b09b41c4-670f-4f00-b8d5-a8c6a2dcfcfb",
"value": "Cleaver uses Create custom payloads" "value": "Cleaver (G0003) uses Create custom payloads (PRE-T1122)"
}, },
{ {
"meta": { "meta": {
@ -167,7 +162,7 @@
"target-uuid": "c860af4a-376e-46d7-afbf-262c41012227" "target-uuid": "c860af4a-376e-46d7-afbf-262c41012227"
}, },
"uuid": "26bf68a4-af3c-4d39-bad3-5f0ce824f4a3", "uuid": "26bf68a4-af3c-4d39-bad3-5f0ce824f4a3",
"value": "APT28 uses Determine operational element" "value": "APT28 (G0007) uses Determine operational element (PRE-T1019)"
}, },
{ {
"meta": { "meta": {
@ -175,7 +170,7 @@
"target-uuid": "45242287-2964-4a3e-9373-159fad4d8195" "target-uuid": "45242287-2964-4a3e-9373-159fad4d8195"
}, },
"uuid": "3d65fc7e-87a5-4113-bd9c-09453fba4d1e", "uuid": "3d65fc7e-87a5-4113-bd9c-09453fba4d1e",
"value": "APT28 uses Buy domain name" "value": "APT28 (G0007) uses Buy domain name (PRE-T1105)"
}, },
{ {
"meta": { "meta": {
@ -183,7 +178,7 @@
"target-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84" "target-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84"
}, },
"uuid": "22d4f32c-63c1-400f-8e2c-10e4a200d133", "uuid": "22d4f32c-63c1-400f-8e2c-10e4a200d133",
"value": "Identify job postings and needs/gaps related-to Identify job postings and needs/gaps" "value": "Identify job postings and needs/gaps (PRE-T1055) related-to Identify job postings and needs/gaps (PRE-T1025)"
}, },
{ {
"meta": { "meta": {
@ -191,7 +186,7 @@
"target-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549" "target-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549"
}, },
"uuid": "ac1dfc58-d5a2-4b6f-9bf4-c6c0d2d3ae80", "uuid": "ac1dfc58-d5a2-4b6f-9bf4-c6c0d2d3ae80",
"value": "Identify business relationships related-to Identify business relationships" "value": "Identify business relationships (PRE-T1060) related-to Identify business relationships (PRE-T1049)"
}, },
{ {
"meta": { "meta": {
@ -199,7 +194,7 @@
"target-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a" "target-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a"
}, },
"uuid": "9524754d-7743-47b3-8395-3cbfb633c020", "uuid": "9524754d-7743-47b3-8395-3cbfb633c020",
"value": "Identify business relationships related-to Identify business relationships" "value": "Identify business relationships (PRE-T1049) related-to Identify business relationships (PRE-T1060)"
}, },
{ {
"meta": { "meta": {
@ -207,7 +202,7 @@
"target-uuid": "271e6d40-e191-421a-8f87-a8102452c201" "target-uuid": "271e6d40-e191-421a-8f87-a8102452c201"
}, },
"uuid": "d26a1746-b577-4a89-be5e-c49611e8c65a", "uuid": "d26a1746-b577-4a89-be5e-c49611e8c65a",
"value": "Cleaver uses Develop social network persona digital footprint" "value": "Cleaver (G0003) uses Develop social network persona digital footprint (PRE-T1119)"
}, },
{ {
"meta": { "meta": {
@ -215,7 +210,7 @@
"target-uuid": "c2ffd229-11bb-4fd8-9208-edbe97b14c93" "target-uuid": "c2ffd229-11bb-4fd8-9208-edbe97b14c93"
}, },
"uuid": "f43faad4-a016-4da0-8de6-53103d429268", "uuid": "f43faad4-a016-4da0-8de6-53103d429268",
"value": "Cleaver uses Obfuscation or cryptography" "value": "Cleaver (G0003) uses Obfuscation or cryptography (PRE-T1090)"
}, },
{ {
"meta": { "meta": {
@ -223,7 +218,7 @@
"target-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c" "target-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c"
}, },
"uuid": "0e7905fd-77c8-43cb-b499-7d6e37fefbeb", "uuid": "0e7905fd-77c8-43cb-b499-7d6e37fefbeb",
"value": "APT1 uses Dynamic DNS" "value": "APT1 (G0006) uses Dynamic DNS (PRE-T1088)"
}, },
{ {
"meta": { "meta": {
@ -231,7 +226,7 @@
"target-uuid": "b79a1960-d0be-4b51-bb62-b27e91e1dea0" "target-uuid": "b79a1960-d0be-4b51-bb62-b27e91e1dea0"
}, },
"uuid": "3f8694fa-8e16-465b-8357-ec0a85316e9c", "uuid": "3f8694fa-8e16-465b-8357-ec0a85316e9c",
"value": "Cleaver uses Conduct social engineering or HUMINT operation" "value": "Cleaver (G0003) uses Conduct social engineering or HUMINT operation (PRE-T1153)"
}, },
{ {
"meta": { "meta": {
@ -239,7 +234,7 @@
"target-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39" "target-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39"
}, },
"uuid": "9c87b627-de61-42da-a658-7bdb33358754", "uuid": "9c87b627-de61-42da-a658-7bdb33358754",
"value": "APT17 uses Obfuscate infrastructure" "value": "APT17 (G0025) uses Obfuscate infrastructure (PRE-T1108)"
}, },
{ {
"meta": { "meta": {
@ -247,7 +242,7 @@
"target-uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234" "target-uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234"
}, },
"uuid": "6d809b32-a5db-4e1e-bea6-ef29a2c680e5", "uuid": "6d809b32-a5db-4e1e-bea6-ef29a2c680e5",
"value": "APT28 uses Create custom payloads" "value": "APT28 (G0007) uses Create custom payloads (PRE-T1122)"
}, },
{ {
"meta": { "meta": {
@ -255,7 +250,7 @@
"target-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe" "target-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe"
}, },
"uuid": "f24a6bf4-c60f-4fa6-8f6a-f2806ae92cdd", "uuid": "f24a6bf4-c60f-4fa6-8f6a-f2806ae92cdd",
"value": "Dynamic DNS related-to Dynamic DNS" "value": "Dynamic DNS (PRE-T1088) related-to Dynamic DNS (PRE-T1110)"
}, },
{ {
"meta": { "meta": {
@ -263,7 +258,7 @@
"target-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c" "target-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c"
}, },
"uuid": "94daf955-fb3e-4f13-af60-0e3ffa185be0", "uuid": "94daf955-fb3e-4f13-af60-0e3ffa185be0",
"value": "Dynamic DNS related-to Dynamic DNS" "value": "Dynamic DNS (PRE-T1110) related-to Dynamic DNS (PRE-T1088)"
}, },
{ {
"meta": { "meta": {
@ -271,7 +266,7 @@
"target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4" "target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4"
}, },
"uuid": "545cd36e-572e-413d-82b9-db65788791f9", "uuid": "545cd36e-572e-413d-82b9-db65788791f9",
"value": "APT17 uses Build social network persona" "value": "APT17 (G0025) uses Build social network persona (PRE-T1118)"
}, },
{ {
"meta": { "meta": {
@ -279,7 +274,7 @@
"target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b" "target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b"
}, },
"uuid": "8a2c46d3-92f2-4ff7-a912-8d47189a7d79", "uuid": "8a2c46d3-92f2-4ff7-a912-8d47189a7d79",
"value": "APT1 uses Compromise 3rd party infrastructure to support delivery" "value": "APT1 (G0006) uses Compromise 3rd party infrastructure to support delivery (PRE-T1111)"
}, },
{ {
"meta": { "meta": {
@ -287,7 +282,7 @@
"target-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88" "target-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88"
}, },
"uuid": "60b6c9a6-7705-4c72-93bb-67de0caf11f4", "uuid": "60b6c9a6-7705-4c72-93bb-67de0caf11f4",
"value": "Acquire OSINT data sets and information related-to Acquire OSINT data sets and information" "value": "Acquire OSINT data sets and information (PRE-T1024) related-to Acquire OSINT data sets and information (PRE-T1054)"
}, },
{ {
"meta": { "meta": {
@ -295,7 +290,7 @@
"target-uuid": "78e41091-d10d-4001-b202-89612892b6ff" "target-uuid": "78e41091-d10d-4001-b202-89612892b6ff"
}, },
"uuid": "9c44b2ec-70b0-4f5c-800e-426477330658", "uuid": "9c44b2ec-70b0-4f5c-800e-426477330658",
"value": "Identify supply chains related-to Identify supply chains" "value": "Identify supply chains (PRE-T1053) related-to Identify supply chains (PRE-T1023)"
}, },
{ {
"meta": { "meta": {
@ -303,7 +298,7 @@
"target-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077" "target-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077"
}, },
"uuid": "bc165934-7ef6-4aed-a0d7-81d3372589f4", "uuid": "bc165934-7ef6-4aed-a0d7-81d3372589f4",
"value": "Compromise 3rd party infrastructure to support delivery related-to Compromise 3rd party infrastructure to support delivery" "value": "Compromise 3rd party infrastructure to support delivery (PRE-T1111) related-to Compromise 3rd party infrastructure to support delivery (PRE-T1089)"
}, },
{ {
"meta": { "meta": {
@ -311,7 +306,7 @@
"target-uuid": "288b3cc3-f4da-4250-ab8c-d8b5dbed94ca" "target-uuid": "288b3cc3-f4da-4250-ab8c-d8b5dbed94ca"
}, },
"uuid": "643d984b-0c82-4e14-8ba9-1b8dec0c91e2", "uuid": "643d984b-0c82-4e14-8ba9-1b8dec0c91e2",
"value": "APT28 uses Identify web defensive services" "value": "APT28 (G0007) uses Identify web defensive services (PRE-T1033)"
}, },
{ {
"meta": { "meta": {
@ -319,7 +314,7 @@
"target-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41" "target-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41"
}, },
"uuid": "715a66b4-7925-40b4-868a-e47aba879f8b", "uuid": "715a66b4-7925-40b4-868a-e47aba879f8b",
"value": "Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies" "value": "Analyze organizational skillsets and deficiencies (PRE-T1077) related-to Analyze organizational skillsets and deficiencies (PRE-T1074)"
}, },
{ {
"meta": { "meta": {
@ -327,7 +322,7 @@
"target-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88" "target-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88"
}, },
"uuid": "28bf7e8b-9948-40a8-945b-6b5f2c78ec53", "uuid": "28bf7e8b-9948-40a8-945b-6b5f2c78ec53",
"value": "Acquire OSINT data sets and information related-to Acquire OSINT data sets and information" "value": "Acquire OSINT data sets and information (PRE-T1043) related-to Acquire OSINT data sets and information (PRE-T1054)"
}, },
{ {
"meta": { "meta": {
@ -335,7 +330,7 @@
"target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768" "target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768"
}, },
"uuid": "2b0ec032-eaca-4f0c-be55-39471f0f2bf5", "uuid": "2b0ec032-eaca-4f0c-be55-39471f0f2bf5",
"value": "APT1 uses Obtain/re-use payloads" "value": "APT1 (G0006) uses Obtain/re-use payloads (PRE-T1123)"
}, },
{ {
"meta": { "meta": {
@ -343,7 +338,7 @@
"target-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a" "target-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a"
}, },
"uuid": "1143e6a6-deef-4dbd-8c91-7bf537d8f5ce", "uuid": "1143e6a6-deef-4dbd-8c91-7bf537d8f5ce",
"value": "Acquire OSINT data sets and information related-to Acquire OSINT data sets and information" "value": "Acquire OSINT data sets and information (PRE-T1024) related-to Acquire OSINT data sets and information (PRE-T1043)"
}, },
{ {
"meta": { "meta": {
@ -351,7 +346,7 @@
"target-uuid": "59369f72-3005-4e54-9095-3d00efcece73" "target-uuid": "59369f72-3005-4e54-9095-3d00efcece73"
}, },
"uuid": "a29f2adc-c328-4cf3-9984-2c0c72ec7061", "uuid": "a29f2adc-c328-4cf3-9984-2c0c72ec7061",
"value": "Identify supply chains related-to Identify supply chains" "value": "Identify supply chains (PRE-T1023) related-to Identify supply chains (PRE-T1042)"
}, },
{ {
"meta": { "meta": {
@ -359,7 +354,7 @@
"target-uuid": "abd5bed1-4c12-45de-a623-ab8dc4ff862a" "target-uuid": "abd5bed1-4c12-45de-a623-ab8dc4ff862a"
}, },
"uuid": "eab3be4e-4130-4898-a7b6-d9e9eb34f2bd", "uuid": "eab3be4e-4130-4898-a7b6-d9e9eb34f2bd",
"value": "APT28 uses Research relevant vulnerabilities/CVEs" "value": "APT28 (G0007) uses Research relevant vulnerabilities/CVEs (PRE-T1068)"
}, },
{ {
"meta": { "meta": {
@ -367,7 +362,7 @@
"target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11" "target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11"
}, },
"uuid": "39db1df8-f786-480c-9faf-5b870de2250b", "uuid": "39db1df8-f786-480c-9faf-5b870de2250b",
"value": "APT1 uses Acquire and/or use 3rd party software services" "value": "APT1 (G0006) uses Acquire and/or use 3rd party software services (PRE-T1085)"
}, },
{ {
"meta": { "meta": {
@ -375,7 +370,7 @@
"target-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a" "target-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a"
}, },
"uuid": "6ba71250-1dc7-4b8d-88e7-698440ea18a0", "uuid": "6ba71250-1dc7-4b8d-88e7-698440ea18a0",
"value": "Acquire OSINT data sets and information related-to Acquire OSINT data sets and information" "value": "Acquire OSINT data sets and information (PRE-T1054) related-to Acquire OSINT data sets and information (PRE-T1043)"
}, },
{ {
"meta": { "meta": {
@ -383,7 +378,7 @@
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97" "target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
}, },
"uuid": "6238613d-8683-420d-baf7-6050aa27eb9d", "uuid": "6238613d-8683-420d-baf7-6050aa27eb9d",
"value": "APT28 uses Spear phishing messages with malicious attachments" "value": "APT28 (G0007) uses Spear phishing messages with malicious attachments (PRE-T1144)"
}, },
{ {
"meta": { "meta": {
@ -391,7 +386,7 @@
"target-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6" "target-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6"
}, },
"uuid": "5dc0b076-5f25-4bda-83c7-1d8bd214b81a", "uuid": "5dc0b076-5f25-4bda-83c7-1d8bd214b81a",
"value": "Acquire and/or use 3rd party infrastructure services related-to Acquire and/or use 3rd party infrastructure services" "value": "Acquire and/or use 3rd party infrastructure services (PRE-T1084) related-to Acquire and/or use 3rd party infrastructure services (PRE-T1106)"
}, },
{ {
"meta": { "meta": {
@ -399,7 +394,7 @@
"target-uuid": "59369f72-3005-4e54-9095-3d00efcece73" "target-uuid": "59369f72-3005-4e54-9095-3d00efcece73"
}, },
"uuid": "7aaa32b6-73f3-4b6e-98ae-da16976e6003", "uuid": "7aaa32b6-73f3-4b6e-98ae-da16976e6003",
"value": "Identify supply chains related-to Identify supply chains" "value": "Identify supply chains (PRE-T1053) related-to Identify supply chains (PRE-T1042)"
}, },
{ {
"meta": { "meta": {
@ -407,7 +402,7 @@
"target-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077" "target-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077"
}, },
"uuid": "cc22ab71-f2fc-4885-832b-e75dadeefa2d", "uuid": "cc22ab71-f2fc-4885-832b-e75dadeefa2d",
"value": "APT1 uses Compromise 3rd party infrastructure to support delivery" "value": "APT1 (G0006) uses Compromise 3rd party infrastructure to support delivery (PRE-T1089)"
}, },
{ {
"meta": { "meta": {
@ -415,7 +410,7 @@
"target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b" "target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b"
}, },
"uuid": "60e79ac2-3dc1-4005-a1f8-260d58117dab", "uuid": "60e79ac2-3dc1-4005-a1f8-260d58117dab",
"value": "APT28 uses Acquire OSINT data sets and information" "value": "APT28 (G0007) uses Acquire OSINT data sets and information (PRE-T1024)"
}, },
{ {
"meta": { "meta": {
@ -423,7 +418,7 @@
"target-uuid": "9a8c47f6-ae69-4044-917d-4b1602af64d9" "target-uuid": "9a8c47f6-ae69-4044-917d-4b1602af64d9"
}, },
"uuid": "7da16587-3861-4404-9043-0076e4766ac4", "uuid": "7da16587-3861-4404-9043-0076e4766ac4",
"value": "APT12 uses Choose pre-compromised persona and affiliated accounts" "value": "APT12 (G0005) uses Choose pre-compromised persona and affiliated accounts (PRE-T1120)"
}, },
{ {
"meta": { "meta": {
@ -431,7 +426,7 @@
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
}, },
"uuid": "6cfc9229-9928-414e-bfaf-f63e815b4c84", "uuid": "6cfc9229-9928-414e-bfaf-f63e815b4c84",
"value": "APT28 uses Determine strategic target" "value": "APT28 (G0007) uses Determine strategic target (PRE-T1018)"
}, },
{ {
"meta": { "meta": {
@ -439,7 +434,7 @@
"target-uuid": "856a9371-4f0f-4ea9-946e-f3144204240f" "target-uuid": "856a9371-4f0f-4ea9-946e-f3144204240f"
}, },
"uuid": "a7f177e4-7e7f-4883-af3d-c95db9ea7a53", "uuid": "a7f177e4-7e7f-4883-af3d-c95db9ea7a53",
"value": "Determine 3rd party infrastructure services related-to Determine 3rd party infrastructure services" "value": "Determine 3rd party infrastructure services (PRE-T1061) related-to Determine 3rd party infrastructure services (PRE-T1037)"
}, },
{ {
"meta": { "meta": {
@ -447,7 +442,7 @@
"target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768" "target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768"
}, },
"uuid": "515e7665-040c-44ac-a379-44d4399d6e2b", "uuid": "515e7665-040c-44ac-a379-44d4399d6e2b",
"value": "Cleaver uses Obtain/re-use payloads" "value": "Cleaver (G0003) uses Obtain/re-use payloads (PRE-T1123)"
}, },
{ {
"meta": { "meta": {
@ -455,7 +450,7 @@
"target-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc" "target-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc"
}, },
"uuid": "b180dee5-0d48-448f-94b9-4997f0c584d5", "uuid": "b180dee5-0d48-448f-94b9-4997f0c584d5",
"value": "Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies" "value": "Analyze organizational skillsets and deficiencies (PRE-T1074) related-to Analyze organizational skillsets and deficiencies (PRE-T1077)"
}, },
{ {
"meta": { "meta": {
@ -463,7 +458,7 @@
"target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b" "target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b"
}, },
"uuid": "28815a00-1cf4-4fbc-9039-306a9542c7fd", "uuid": "28815a00-1cf4-4fbc-9039-306a9542c7fd",
"value": "Compromise 3rd party infrastructure to support delivery related-to Compromise 3rd party infrastructure to support delivery" "value": "Compromise 3rd party infrastructure to support delivery (PRE-T1089) related-to Compromise 3rd party infrastructure to support delivery (PRE-T1111)"
}, },
{ {
"meta": { "meta": {
@ -471,7 +466,7 @@
"target-uuid": "0722cd65-0c83-4c89-9502-539198467ab1" "target-uuid": "0722cd65-0c83-4c89-9502-539198467ab1"
}, },
"uuid": "8bcaccd1-403b-40f1-82d3-ac4d873263f8", "uuid": "8bcaccd1-403b-40f1-82d3-ac4d873263f8",
"value": "Identify job postings and needs/gaps related-to Identify job postings and needs/gaps" "value": "Identify job postings and needs/gaps (PRE-T1025) related-to Identify job postings and needs/gaps (PRE-T1044)"
}, },
{ {
"meta": { "meta": {
@ -479,7 +474,7 @@
"target-uuid": "ef0f816a-d561-4953-84c6-2a2936c96957" "target-uuid": "ef0f816a-d561-4953-84c6-2a2936c96957"
}, },
"uuid": "5aab758c-79d2-4219-9053-f50791d98531", "uuid": "5aab758c-79d2-4219-9053-f50791d98531",
"value": "APT28 uses Discover target logon/email address format" "value": "APT28 (G0007) uses Discover target logon/email address format (PRE-T1032)"
}, },
{ {
"meta": { "meta": {
@ -487,7 +482,7 @@
"target-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6" "target-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6"
}, },
"uuid": "b55534ba-37ce-47f2-a961-edeaeedcb399", "uuid": "b55534ba-37ce-47f2-a961-edeaeedcb399",
"value": "APT12 uses Obfuscate infrastructure" "value": "APT12 (G0005) uses Obfuscate infrastructure (PRE-T1086)"
}, },
{ {
"meta": { "meta": {
@ -495,7 +490,7 @@
"target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768" "target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768"
}, },
"uuid": "709bb5af-c484-48f2-bb19-bd7630e42e2d", "uuid": "709bb5af-c484-48f2-bb19-bd7630e42e2d",
"value": "APT28 uses Obtain/re-use payloads" "value": "APT28 (G0007) uses Obtain/re-use payloads (PRE-T1123)"
}, },
{ {
"meta": { "meta": {
@ -503,7 +498,7 @@
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
}, },
"uuid": "4e06cf53-00b1-46a6-a6b6-8e33e761b83f", "uuid": "4e06cf53-00b1-46a6-a6b6-8e33e761b83f",
"value": "APT12 uses Determine strategic target" "value": "APT12 (G0005) uses Determine strategic target (PRE-T1018)"
}, },
{ {
"meta": { "meta": {
@ -511,7 +506,7 @@
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
}, },
"uuid": "89754a0d-03b1-44e3-94c5-7a892d171a28", "uuid": "89754a0d-03b1-44e3-94c5-7a892d171a28",
"value": "APT17 uses Determine strategic target" "value": "APT17 (G0025) uses Determine strategic target (PRE-T1018)"
}, },
{ {
"meta": { "meta": {
@ -519,7 +514,7 @@
"target-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5" "target-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5"
}, },
"uuid": "984d13eb-ba9c-4e7c-8675-85dde9877a81", "uuid": "984d13eb-ba9c-4e7c-8675-85dde9877a81",
"value": "Conduct social engineering related-to Conduct social engineering" "value": "Conduct social engineering (PRE-T1045) related-to Conduct social engineering (PRE-T1056)"
}, },
{ {
"meta": { "meta": {
@ -527,7 +522,7 @@
"target-uuid": "d3999268-740f-467e-a075-c82e2d04be62" "target-uuid": "d3999268-740f-467e-a075-c82e2d04be62"
}, },
"uuid": "2daad934-bf08-4a2f-b656-4f7d197eb8fa", "uuid": "2daad934-bf08-4a2f-b656-4f7d197eb8fa",
"value": "APT28 uses Assess leadership areas of interest" "value": "APT28 (G0007) uses Assess leadership areas of interest (PRE-T1001)"
}, },
{ {
"meta": { "meta": {
@ -535,7 +530,7 @@
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97" "target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
}, },
"uuid": "1895866a-4689-4527-8460-95e9cd7dd037", "uuid": "1895866a-4689-4527-8460-95e9cd7dd037",
"value": "APT12 uses Spear phishing messages with malicious attachments" "value": "APT12 (G0005) uses Spear phishing messages with malicious attachments (PRE-T1144)"
}, },
{ {
"meta": { "meta": {
@ -543,7 +538,7 @@
"target-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1" "target-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1"
}, },
"uuid": "51c20b46-16cc-4b58-80d7-89d48b14b064", "uuid": "51c20b46-16cc-4b58-80d7-89d48b14b064",
"value": "Conduct social engineering related-to Conduct social engineering" "value": "Conduct social engineering (PRE-T1056) related-to Conduct social engineering (PRE-T1026)"
}, },
{ {
"meta": { "meta": {
@ -551,7 +546,7 @@
"target-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59" "target-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59"
}, },
"uuid": "fe31fa7c-be01-47ca-90bb-0fb49b49eb03", "uuid": "fe31fa7c-be01-47ca-90bb-0fb49b49eb03",
"value": "Acquire or compromise 3rd party signing certificates related-to Acquire or compromise 3rd party signing certificates" "value": "Acquire or compromise 3rd party signing certificates (PRE-T1109) related-to Acquire or compromise 3rd party signing certificates (PRE-T1087)"
}, },
{ {
"meta": { "meta": {
@ -559,7 +554,7 @@
"target-uuid": "78e41091-d10d-4001-b202-89612892b6ff" "target-uuid": "78e41091-d10d-4001-b202-89612892b6ff"
}, },
"uuid": "432c700b-4bf3-4824-a530-a6e86882c4b7", "uuid": "432c700b-4bf3-4824-a530-a6e86882c4b7",
"value": "Identify supply chains related-to Identify supply chains" "value": "Identify supply chains (PRE-T1042) related-to Identify supply chains (PRE-T1023)"
}, },
{ {
"meta": { "meta": {
@ -567,7 +562,7 @@
"target-uuid": "0722cd65-0c83-4c89-9502-539198467ab1" "target-uuid": "0722cd65-0c83-4c89-9502-539198467ab1"
}, },
"uuid": "ef32147c-d309-4867-aaba-998088290e32", "uuid": "ef32147c-d309-4867-aaba-998088290e32",
"value": "Identify job postings and needs/gaps related-to Identify job postings and needs/gaps" "value": "Identify job postings and needs/gaps (PRE-T1055) related-to Identify job postings and needs/gaps (PRE-T1044)"
}, },
{ {
"meta": { "meta": {
@ -575,7 +570,7 @@
"target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b" "target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b"
}, },
"uuid": "f8559304-7ef6-4c48-8d76-a56ebf37c0be", "uuid": "f8559304-7ef6-4c48-8d76-a56ebf37c0be",
"value": "APT16 uses Compromise 3rd party infrastructure to support delivery" "value": "APT16 (G0023) uses Compromise 3rd party infrastructure to support delivery (PRE-T1111)"
}, },
{ {
"meta": { "meta": {
@ -583,7 +578,7 @@
"target-uuid": "2141aea0-cf38-49aa-9e51-ac34092bc30a" "target-uuid": "2141aea0-cf38-49aa-9e51-ac34092bc30a"
}, },
"uuid": "3d3eb711-5054-4b32-8006-15ba67d3bb25", "uuid": "3d3eb711-5054-4b32-8006-15ba67d3bb25",
"value": "APT1 uses Procure required equipment and software" "value": "APT1 (G0006) uses Procure required equipment and software (PRE-T1112)"
}, },
{ {
"meta": { "meta": {
@ -591,7 +586,7 @@
"target-uuid": "7718e92f-b011-4f88-b822-ae245a1de407" "target-uuid": "7718e92f-b011-4f88-b822-ae245a1de407"
}, },
"uuid": "689ebb39-52f4-4b2f-8678-72cfed67cb9f", "uuid": "689ebb39-52f4-4b2f-8678-72cfed67cb9f",
"value": "Identify job postings and needs/gaps related-to Identify job postings and needs/gaps" "value": "Identify job postings and needs/gaps (PRE-T1044) related-to Identify job postings and needs/gaps (PRE-T1055)"
}, },
{ {
"meta": { "meta": {
@ -599,7 +594,7 @@
"target-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc" "target-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc"
}, },
"uuid": "36990d75-9fbd-43f0-9966-ae58f0388e1d", "uuid": "36990d75-9fbd-43f0-9966-ae58f0388e1d",
"value": "Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies" "value": "Analyze organizational skillsets and deficiencies (PRE-T1074) related-to Analyze organizational skillsets and deficiencies (PRE-T1066)"
}, },
{ {
"meta": { "meta": {
@ -607,7 +602,7 @@
"target-uuid": "286cc500-4291-45c2-99a1-e760db176402" "target-uuid": "286cc500-4291-45c2-99a1-e760db176402"
}, },
"uuid": "9a1f729c-72a9-4735-9d48-ecb54ea018a9", "uuid": "9a1f729c-72a9-4735-9d48-ecb54ea018a9",
"value": "Acquire and/or use 3rd party infrastructure services related-to Acquire and/or use 3rd party infrastructure services" "value": "Acquire and/or use 3rd party infrastructure services (PRE-T1106) related-to Acquire and/or use 3rd party infrastructure services (PRE-T1084)"
}, },
{ {
"meta": { "meta": {
@ -615,7 +610,7 @@
"target-uuid": "eb517589-eefc-480e-b8e3-7a8b1066f6f1" "target-uuid": "eb517589-eefc-480e-b8e3-7a8b1066f6f1"
}, },
"uuid": "7c68bb22-457e-4942-9e07-36f6cd5ac5ba", "uuid": "7c68bb22-457e-4942-9e07-36f6cd5ac5ba",
"value": "APT1 uses Targeted social media phishing" "value": "APT1 (G0006) uses Targeted social media phishing (PRE-T1143)"
}, },
{ {
"meta": { "meta": {
@ -623,7 +618,7 @@
"target-uuid": "0440f60f-9056-4791-a740-8eae96eb61fa" "target-uuid": "0440f60f-9056-4791-a740-8eae96eb61fa"
}, },
"uuid": "75c781d7-f9ef-42c8-b610-0dc1ecb3b350", "uuid": "75c781d7-f9ef-42c8-b610-0dc1ecb3b350",
"value": "Cleaver uses Authorized user performs requested cyber action" "value": "Cleaver (G0003) uses Authorized user performs requested cyber action (PRE-T1163)"
}, },
{ {
"meta": { "meta": {
@ -631,7 +626,7 @@
"target-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc" "target-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc"
}, },
"uuid": "d5bd7a33-a249-46e5-bb19-a498eba42bdb", "uuid": "d5bd7a33-a249-46e5-bb19-a498eba42bdb",
"value": "Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies" "value": "Analyze organizational skillsets and deficiencies (PRE-T1066) related-to Analyze organizational skillsets and deficiencies (PRE-T1077)"
}, },
{ {
"meta": { "meta": {
@ -639,7 +634,7 @@
"target-uuid": "15d5eaa4-597a-47fd-a692-f2bed434d904" "target-uuid": "15d5eaa4-597a-47fd-a692-f2bed434d904"
}, },
"uuid": "8a2549fa-9e7c-4d47-9678-8ed0bb8fa3aa", "uuid": "8a2549fa-9e7c-4d47-9678-8ed0bb8fa3aa",
"value": "APT1 uses Derive intelligence requirements" "value": "APT1 (G0006) uses Derive intelligence requirements (PRE-T1007)"
}, },
{ {
"meta": { "meta": {
@ -647,7 +642,7 @@
"target-uuid": "0440f60f-9056-4791-a740-8eae96eb61fa" "target-uuid": "0440f60f-9056-4791-a740-8eae96eb61fa"
}, },
"uuid": "0f97c2ae-2b89-4dd5-a270-42b1dcb5d403", "uuid": "0f97c2ae-2b89-4dd5-a270-42b1dcb5d403",
"value": "APT1 uses Authorized user performs requested cyber action" "value": "APT1 (G0006) uses Authorized user performs requested cyber action (PRE-T1163)"
}, },
{ {
"meta": { "meta": {
@ -655,7 +650,7 @@
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97" "target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
}, },
"uuid": "c90a4d6a-af21-4103-ba57-3ddeb6e973e7", "uuid": "c90a4d6a-af21-4103-ba57-3ddeb6e973e7",
"value": "APT16 uses Spear phishing messages with malicious attachments" "value": "APT16 (G0023) uses Spear phishing messages with malicious attachments (PRE-T1144)"
}, },
{ {
"meta": { "meta": {
@ -663,7 +658,7 @@
"target-uuid": "c860af4a-376e-46d7-afbf-262c41012227" "target-uuid": "c860af4a-376e-46d7-afbf-262c41012227"
}, },
"uuid": "eca0f05c-5025-4149-9826-3715cc243180", "uuid": "eca0f05c-5025-4149-9826-3715cc243180",
"value": "Cleaver uses Determine operational element" "value": "Cleaver (G0003) uses Determine operational element (PRE-T1019)"
}, },
{ {
"meta": { "meta": {
@ -671,7 +666,7 @@
"target-uuid": "d778cb83-2292-4995-b006-d38f52bc1e64" "target-uuid": "d778cb83-2292-4995-b006-d38f52bc1e64"
}, },
"uuid": "683d4e44-f763-492c-b510-fa469a923798", "uuid": "683d4e44-f763-492c-b510-fa469a923798",
"value": "APT12 uses Identify gap areas" "value": "APT12 (G0005) uses Identify gap areas (PRE-T1002)"
}, },
{ {
"meta": { "meta": {
@ -679,7 +674,7 @@
"target-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6" "target-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6"
}, },
"uuid": "db4dfa09-7f19-437a-9d79-15f2dc8ba0da", "uuid": "db4dfa09-7f19-437a-9d79-15f2dc8ba0da",
"value": "Obfuscate infrastructure related-to Obfuscate infrastructure" "value": "Obfuscate infrastructure (PRE-T1108) related-to Obfuscate infrastructure (PRE-T1086)"
}, },
{ {
"meta": { "meta": {
@ -687,7 +682,7 @@
"target-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84" "target-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84"
}, },
"uuid": "bbb1c074-a93a-4e40-b11e-2151403f7f1d", "uuid": "bbb1c074-a93a-4e40-b11e-2151403f7f1d",
"value": "Identify job postings and needs/gaps related-to Identify job postings and needs/gaps" "value": "Identify job postings and needs/gaps (PRE-T1044) related-to Identify job postings and needs/gaps (PRE-T1025)"
}, },
{ {
"meta": { "meta": {
@ -695,7 +690,7 @@
"target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b" "target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b"
}, },
"uuid": "0e52753e-0a02-4bec-88f9-f8ee21b46bae", "uuid": "0e52753e-0a02-4bec-88f9-f8ee21b46bae",
"value": "Acquire OSINT data sets and information related-to Acquire OSINT data sets and information" "value": "Acquire OSINT data sets and information (PRE-T1054) related-to Acquire OSINT data sets and information (PRE-T1024)"
}, },
{ {
"meta": { "meta": {
@ -703,7 +698,7 @@
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
}, },
"uuid": "3c7c0851-1cf8-458f-862d-4e4827f8f474", "uuid": "3c7c0851-1cf8-458f-862d-4e4827f8f474",
"value": "Cleaver uses Determine strategic target" "value": "Cleaver (G0003) uses Determine strategic target (PRE-T1018)"
}, },
{ {
"meta": { "meta": {
@ -711,7 +706,7 @@
"target-uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983" "target-uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983"
}, },
"uuid": "c388ed7c-3820-41a3-98af-a48dd7e4d88b", "uuid": "c388ed7c-3820-41a3-98af-a48dd7e4d88b",
"value": "Acquire or compromise 3rd party signing certificates related-to Acquire or compromise 3rd party signing certificates" "value": "Acquire or compromise 3rd party signing certificates (PRE-T1087) related-to Acquire or compromise 3rd party signing certificates (PRE-T1109)"
}, },
{ {
"meta": { "meta": {
@ -719,7 +714,7 @@
"target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4" "target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4"
}, },
"uuid": "34ba5998-4e43-4669-9701-1877aa267354", "uuid": "34ba5998-4e43-4669-9701-1877aa267354",
"value": "APT1 uses Build social network persona" "value": "APT1 (G0006) uses Build social network persona (PRE-T1118)"
}, },
{ {
"meta": { "meta": {
@ -727,7 +722,7 @@
"target-uuid": "af358cad-eb71-4e91-a752-236edc237dae" "target-uuid": "af358cad-eb71-4e91-a752-236edc237dae"
}, },
"uuid": "f8504a07-758c-4c51-ac94-c2e7ba652e29", "uuid": "f8504a07-758c-4c51-ac94-c2e7ba652e29",
"value": "Conduct social engineering related-to Conduct social engineering" "value": "Conduct social engineering (PRE-T1026) related-to Conduct social engineering (PRE-T1045)"
}, },
{ {
"meta": { "meta": {
@ -735,7 +730,7 @@
"target-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c" "target-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c"
}, },
"uuid": "9ad9966d-4a8d-4b15-b503-c5d27104fcdd", "uuid": "9ad9966d-4a8d-4b15-b503-c5d27104fcdd",
"value": "Identify supply chains related-to Identify supply chains" "value": "Identify supply chains (PRE-T1023) related-to Identify supply chains (PRE-T1053)"
}, },
{ {
"meta": { "meta": {
@ -743,7 +738,7 @@
"target-uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05" "target-uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05"
}, },
"uuid": "e4501560-7850-4467-8422-2cf336429e8a", "uuid": "e4501560-7850-4467-8422-2cf336429e8a",
"value": "Determine 3rd party infrastructure services related-to Determine 3rd party infrastructure services" "value": "Determine 3rd party infrastructure services (PRE-T1037) related-to Determine 3rd party infrastructure services (PRE-T1061)"
}, },
{ {
"meta": { "meta": {
@ -751,7 +746,7 @@
"target-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5" "target-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5"
}, },
"uuid": "66e4da4a-6eb6-46e0-9baf-74059f341b4a", "uuid": "66e4da4a-6eb6-46e0-9baf-74059f341b4a",
"value": "Conduct social engineering related-to Conduct social engineering" "value": "Conduct social engineering (PRE-T1026) related-to Conduct social engineering (PRE-T1056)"
}, },
{ {
"meta": { "meta": {
@ -759,7 +754,7 @@
"target-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39" "target-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39"
}, },
"uuid": "41be9f31-9d2b-44b8-a7dc-31f8c4519751", "uuid": "41be9f31-9d2b-44b8-a7dc-31f8c4519751",
"value": "Obfuscate infrastructure related-to Obfuscate infrastructure" "value": "Obfuscate infrastructure (PRE-T1086) related-to Obfuscate infrastructure (PRE-T1108)"
}, },
{ {
"meta": { "meta": {
@ -767,7 +762,7 @@
"target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b" "target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b"
}, },
"uuid": "be031f72-737b-4afd-b2c1-c565f5ab7369", "uuid": "be031f72-737b-4afd-b2c1-c565f5ab7369",
"value": "Acquire OSINT data sets and information related-to Acquire OSINT data sets and information" "value": "Acquire OSINT data sets and information (PRE-T1043) related-to Acquire OSINT data sets and information (PRE-T1024)"
}, },
{ {
"meta": { "meta": {
@ -775,7 +770,7 @@
"target-uuid": "df42286d-dfbd-4455-bc9d-aef52ac29aa7" "target-uuid": "df42286d-dfbd-4455-bc9d-aef52ac29aa7"
}, },
"uuid": "90d7f0f0-6e41-431a-a024-9375cbc18d2b", "uuid": "90d7f0f0-6e41-431a-a024-9375cbc18d2b",
"value": "APT1 uses Post compromise tool development" "value": "APT1 (G0006) uses Post compromise tool development (PRE-T1130)"
}, },
{ {
"meta": { "meta": {
@ -783,7 +778,7 @@
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
}, },
"uuid": "e60a165e-cfad-43e5-ba83-ea2430a377c5", "uuid": "e60a165e-cfad-43e5-ba83-ea2430a377c5",
"value": "APT16 uses Determine strategic target" "value": "APT16 (G0023) uses Determine strategic target (PRE-T1018)"
}, },
{ {
"meta": { "meta": {
@ -791,7 +786,7 @@
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
}, },
"uuid": "a071fc8f-6323-420b-9812-b51f12fc7956", "uuid": "a071fc8f-6323-420b-9812-b51f12fc7956",
"value": "Night Dragon uses Determine strategic target" "value": "Night Dragon (G0014) uses Determine strategic target (PRE-T1018)"
}, },
{ {
"meta": { "meta": {
@ -799,7 +794,7 @@
"target-uuid": "ec739e26-d097-4804-b04a-54dd81ff11e0" "target-uuid": "ec739e26-d097-4804-b04a-54dd81ff11e0"
}, },
"uuid": "970531a2-4927-41a3-b2cd-09d445322f51", "uuid": "970531a2-4927-41a3-b2cd-09d445322f51",
"value": "APT1 uses Create strategic plan" "value": "APT1 (G0006) uses Create strategic plan (PRE-T1008)"
}, },
{ {
"meta": { "meta": {
@ -807,7 +802,7 @@
"target-uuid": "4aeafdb3-eb0b-4e8e-b93f-95cd499088b4" "target-uuid": "4aeafdb3-eb0b-4e8e-b93f-95cd499088b4"
}, },
"uuid": "c2571ca8-98c4-490d-b8f8-f3678b0ce74d", "uuid": "c2571ca8-98c4-490d-b8f8-f3678b0ce74d",
"value": "Night Dragon uses Compromise of externally facing system" "value": "Night Dragon (G0014) uses Compromise of externally facing system (PRE-T1165)"
}, },
{ {
"meta": { "meta": {
@ -815,7 +810,7 @@
"target-uuid": "489a7797-01c3-4706-8cd1-ec56a9db3adc" "target-uuid": "489a7797-01c3-4706-8cd1-ec56a9db3adc"
}, },
"uuid": "e78023e7-98de-4973-9331-843bfa28c9f7", "uuid": "e78023e7-98de-4973-9331-843bfa28c9f7",
"value": "APT1 uses Spear phishing messages with malicious links" "value": "APT1 (G0006) uses Spear phishing messages with malicious links (PRE-T1146)"
}, },
{ {
"meta": { "meta": {
@ -823,7 +818,7 @@
"target-uuid": "357e137c-7589-4af1-895c-3fbad35ea4d2" "target-uuid": "357e137c-7589-4af1-895c-3fbad35ea4d2"
}, },
"uuid": "f76d74b6-c797-487c-8388-536367d1b922", "uuid": "f76d74b6-c797-487c-8388-536367d1b922",
"value": "APT1 uses Obfuscate or encrypt code" "value": "APT1 (G0006) uses Obfuscate or encrypt code (PRE-T1096)"
}, },
{ {
"meta": { "meta": {
@ -831,7 +826,7 @@
"target-uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d" "target-uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d"
}, },
"uuid": "87239038-7693-49b3-b595-b828cc2be1ba", "uuid": "87239038-7693-49b3-b595-b828cc2be1ba",
"value": "Friend/Follow/Connect to targets of interest related-to Friend/Follow/Connect to targets of interest" "value": "Friend/Follow/Connect to targets of interest (PRE-T1121) related-to Friend/Follow/Connect to targets of interest (PRE-T1141)"
}, },
{ {
"meta": { "meta": {
@ -839,7 +834,7 @@
"target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11" "target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11"
}, },
"uuid": "c6e43693-2a6d-4ba8-8fa7-ec1ab5239528", "uuid": "c6e43693-2a6d-4ba8-8fa7-ec1ab5239528",
"value": "Night Dragon uses Acquire and/or use 3rd party software services" "value": "Night Dragon (G0014) uses Acquire and/or use 3rd party software services (PRE-T1085)"
}, },
{ {
"meta": { "meta": {
@ -847,7 +842,7 @@
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
}, },
"uuid": "5ed44a06-bcb4-4293-8bf4-aaebefddc09c", "uuid": "5ed44a06-bcb4-4293-8bf4-aaebefddc09c",
"value": "APT1 uses Determine strategic target" "value": "APT1 (G0006) uses Determine strategic target (PRE-T1018)"
}, },
{ {
"meta": { "meta": {
@ -855,7 +850,7 @@
"target-uuid": "aadaee0d-794c-4642-8293-7ec22a99fb1a" "target-uuid": "aadaee0d-794c-4642-8293-7ec22a99fb1a"
}, },
"uuid": "db10491f-a854-4404-9271-600349484bc3", "uuid": "db10491f-a854-4404-9271-600349484bc3",
"value": "APT1 uses Domain registration hijacking" "value": "APT1 (G0006) uses Domain registration hijacking (PRE-T1103)"
}, },
{ {
"meta": { "meta": {
@ -863,7 +858,7 @@
"target-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549" "target-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549"
}, },
"uuid": "4eb0e01c-85ae-466a-a8ff-0cf7891c5ab2", "uuid": "4eb0e01c-85ae-466a-a8ff-0cf7891c5ab2",
"value": "APT16 uses Identify business relationships" "value": "APT16 (G0023) uses Identify business relationships (PRE-T1049)"
}, },
{ {
"meta": { "meta": {
@ -871,7 +866,7 @@
"target-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41" "target-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41"
}, },
"uuid": "7bd3d2ba-f114-4835-97b6-1c3e2208d3f3", "uuid": "7bd3d2ba-f114-4835-97b6-1c3e2208d3f3",
"value": "Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies" "value": "Analyze organizational skillsets and deficiencies (PRE-T1066) related-to Analyze organizational skillsets and deficiencies (PRE-T1074)"
}, },
{ {
"meta": { "meta": {
@ -879,7 +874,7 @@
"target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11" "target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11"
}, },
"uuid": "2bf984b5-1a48-4d9a-a4f2-e97801254b84", "uuid": "2bf984b5-1a48-4d9a-a4f2-e97801254b84",
"value": "Acquire and/or use 3rd party software services related-to Acquire and/or use 3rd party software services" "value": "Acquire and/or use 3rd party software services (PRE-T1107) related-to Acquire and/or use 3rd party software services (PRE-T1085)"
}, },
{ {
"meta": { "meta": {
@ -887,7 +882,7 @@
"target-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c" "target-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c"
}, },
"uuid": "c124f0ba-f4bc-430a-b40c-eebe0577f812", "uuid": "c124f0ba-f4bc-430a-b40c-eebe0577f812",
"value": "Identify supply chains related-to Identify supply chains" "value": "Identify supply chains (PRE-T1042) related-to Identify supply chains (PRE-T1053)"
}, },
{ {
"meta": { "meta": {
@ -895,7 +890,7 @@
"target-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6" "target-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6"
}, },
"uuid": "3d781e9a-d3f8-4e9f-bb23-ba6c2ff22267", "uuid": "3d781e9a-d3f8-4e9f-bb23-ba6c2ff22267",
"value": "Acquire and/or use 3rd party software services related-to Acquire and/or use 3rd party software services" "value": "Acquire and/or use 3rd party software services (PRE-T1085) related-to Acquire and/or use 3rd party software services (PRE-T1107)"
}, },
{ {
"meta": { "meta": {
@ -903,7 +898,7 @@
"target-uuid": "ef0f816a-d561-4953-84c6-2a2936c96957" "target-uuid": "ef0f816a-d561-4953-84c6-2a2936c96957"
}, },
"uuid": "597be8e7-58a4-4aff-a803-48a7a08164a2", "uuid": "597be8e7-58a4-4aff-a803-48a7a08164a2",
"value": "APT16 uses Discover target logon/email address format" "value": "APT16 (G0023) uses Discover target logon/email address format (PRE-T1032)"
}, },
{ {
"meta": { "meta": {
@ -911,7 +906,7 @@
"target-uuid": "df42286d-dfbd-4455-bc9d-aef52ac29aa7" "target-uuid": "df42286d-dfbd-4455-bc9d-aef52ac29aa7"
}, },
"uuid": "7a254f4d-c7cf-4b98-94e9-3937785b7d68", "uuid": "7a254f4d-c7cf-4b98-94e9-3937785b7d68",
"value": "APT12 uses Post compromise tool development" "value": "APT12 (G0005) uses Post compromise tool development (PRE-T1130)"
}, },
{ {
"meta": { "meta": {
@ -919,7 +914,12 @@
"target-uuid": "af358cad-eb71-4e91-a752-236edc237dae" "target-uuid": "af358cad-eb71-4e91-a752-236edc237dae"
}, },
"uuid": "46f1e7d4-4d73-4e33-b88b-b3bcde5d81fb", "uuid": "46f1e7d4-4d73-4e33-b88b-b3bcde5d81fb",
"value": "Conduct social engineering related-to Conduct social engineering" "value": "Conduct social engineering (PRE-T1056) related-to Conduct social engineering (PRE-T1045)"
} }
] ],
"authors": [
"MITRE"
],
"type": "mitre-pre-attack-relationship",
"name": "Pre Attack - Relationship"
} }



@ -7,7 +7,7 @@
], ],
"description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.", "description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.",
"uuid": "312f8714-45cb-11e7-b898-135207cdceb9", "uuid": "312f8714-45cb-11e7-b898-135207cdceb9",
"version": 7, "version": 9,
"values": [ "values": [
{ {
"meta": { "meta": {
@ -2409,18 +2409,51 @@
"refs": [ "refs": [
"http://blog.jpcert.or.jp/.s/2018/03/malware-tscooki-7aa0.html" "http://blog.jpcert.or.jp/.s/2018/03/malware-tscooki-7aa0.html"
] ]
} },
"uuid": "7b107b46-4eca-11e8-b89f-0366ae765ddd"
}, },
{ {
"value": "Coldroot", "value": "Coldroot",
"description": "Coldroot, a remote access trojan (RAT), is still undetectable by most antivirus engines, despite being uploaded and freely available on GitHub for almost two years.\nThe RAT appears to have been created as a joke, \"to Play with Mac users,\" and \"give Mac it's rights in this [the RAT] field,\" but has since expanded to work all three major desktop operating systems — Linux, macOS, and Windows— according to a screenshot of its builder extracted from a promotional YouTube video.", "description": "Coldroot, a remote access trojan (RAT), is still undetectable by most antivirus engines, despite being uploaded and freely available on GitHub for almost two years.\nThe RAT appears to have been created as a joke, \"to Play with Mac users,\" and \"give Mac it's rights in this [the RAT] field,\" but has since expanded to work all three major desktop operating systems — Linux, macOS, and Windows— according to a screenshot of its builder extracted from a promotional YouTube video.",
"uuid": "0a1b71bc-21f6-11e8-8f58-371613fbbd8a", "uuid": "86f1f048-4eca-11e8-a08e-7708666ace6e",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/", "https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/",
"https://github.com/xlinshan/Coldroot" "https://github.com/xlinshan/Coldroot"
] ]
} }
},
{
"value": "Comnie",
"description": "Comnie is a RAT originally identified by Sophos. It has been using Github, Tumbler and Blogspot as covert channels for its C2 communications. Comnie has been observed targetting government, defense, aerospace, high-tech and telecommunication sectors in Asia.",
"uuid": "d14806fe-4ecb-11e8-a120-ff726de6a4d3",
"meta": {
"refs": [
"https://exchange.xforce.ibmcloud.com/collection/East-Asia-Organizations-Victims-of-Comnie-Attack-12749a9dbc20e2f40b3ae99c43416d8c",
"https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/"
]
}
},
{
"value": "GravityRAT",
"description": "GravityRAT has been under ongoing development for at least 18 months, during which the developer has implemented new features. We've seen file exfiltration, remote command execution capability and anti-vm techniques added throughout the life of GravityRAT. This consistent evolution beyond standard remote code execution is concerning because it shows determination and innovation by the actor. ",
"meta": {
"refs": [
"https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
]
},
"uuid": "2d356870-4ecd-11e8-9bb8-e3ba5aa7da31"
},
{
"value": "Spymaster Pro",
"description": "Monitoring Software",
"meta": {
"refs": [
"https://www.spymasterpro.com/",
"https://spycellphone.mobi/reviews/spymaster-pro-real-review-with-screenshots"
]
},
"uuid": "e9f9d900-4f9a-11e8-bce9-4bfbb0e9ab4c"
} }
] ]
} }
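Review bot: The Coldroot entry's uuid is replaced (`0a1b71bc-21f6-11e8-…` becomes `86f1f048-4eca-11e8-…`) although the value and description are unchanged; the uuid is the stable key that tags, relationships and cross-instance sync use, so unless the old one was a duplicate of another cluster (which this diff does not say) the change silently orphans any existing reference. If it was a collision, a one-line note in the commit message naming the conflicting entry would let reviewers check it. The new "Spymaster Pro" value has a two-word description and its only refs are the vendor's own site and a review/affiliate page; a RAT cluster entry should cite an independent analysis and say why a commercially sold monitoring product is listed here, e.g. `"description": "Commercial monitoring/stalkerware product for Android and iOS; listed because it provides RAT-like remote access to a device"` — hedged, since the refs shown do not establish the platforms. The entry inserted at the top of the hunk (`"uuid": "7b107b46-4eca-11e8-…"`) only adds a uuid to an entry whose value starts outside this hunk, so its name cannot be checked from here.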


@ -465,7 +465,8 @@
"POTASSIUM", "POTASSIUM",
"DustStorm", "DustStorm",
"Red Apollo", "Red Apollo",
"CVNX" "CVNX",
"HOGFISH"
], ],
"country": "CN", "country": "CN",
"refs": [ "refs": [
@ -1834,7 +1835,8 @@
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
"https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/", "https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/",
"https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/", "https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/",
"https://www.brighttalk.com/webcast/10703/261205" "https://www.brighttalk.com/webcast/10703/261205",
"https://github.com/eset/malware-research/tree/master/oceanlotus"
] ]
}, },
"value": "APT32", "value": "APT32",
@ -2477,6 +2479,202 @@
], ],
"country": "KP" "country": "KP"
} }
},
{
"value": "Leviathan",
"description": "Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.",
"meta": {
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
],
"synonyms": [
"TEMP.Periscope"
],
"country": "CN"
},
"uuid": "5b4b6980-3bc7-11e8-84d6-879aaac37dd9"
},
{
"value": "APT34",
"description": "Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government.",
"meta": {
"refs": [
"https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf",
"https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/ ",
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
],
"synonyms": [
"APT 34"
],
"country": "IR"
},
"uuid": "73a521f6-3bc7-11e8-9e30-df7c90e50dda"
},
{
"value": "APT35",
"description": "FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored by the Iranian government that conducts long term, resource-intensive operations to collect strategic intelligence. APT35 typically targets U.S. and the Middle Eastern military, diplomatic and government personnel, organizations in the media, energy and defense industrial base (DIB), and engineering, business services and telecommunications sectors.",
"meta": {
"refs": [
"https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf"
],
"synonyms": [
"APT 35",
"Newscaster Team"
],
"country": "IR"
},
"uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e"
},
{
"value": "Operation Parliament",
"description": "Kaspersky Lab has been tracking a series of attacks utilizing unknown malware since early 2017. The attacks appear to be geopolitically motivated and target high profile organizations. The objective of the attacks is clearly espionage they involve gaining access to top legislative, executive and judicial bodies around the world.",
"meta": {
"refs": [
"https://securelist.com/operation-parliament-who-is-doing-what/85237/"
]
},
"uuid": "20f2d3a4-3ee7-11e8-8e78-837fd23517e0"
},
{
"value": "Orangeworm",
"description": "Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia.\nFirst identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.",
"meta": {
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
]
},
"uuid": "35d71626-4794-11e8-b74d-bbcbe48fee3c"
},
{
"value": "ALLANITE",
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
"meta": {
"refs": [
"https://dragos.com/adversaries.html"
],
"mode-of-operation": "Watering-hole and phishing leading to ICS recon and screenshot collection",
"since": "2017",
"capabilities": "Powershell scripts, THC Hydra, SecretsDump, Inveigh, PSExec",
"victimology": "Electric utilities, US and UK",
"synonyms": [
"Palmetto Fusion"
]
},
"uuid": "a9000eaf-2b75-4ec7-8dcf-fe1bb5c77470"
},
{
"value": "CHRYSENE",
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
"meta": {
"refs": [
"https://dragos.com/adversaries.html"
],
"mode-of-operation": "IT compromise, information gathering and recon against industrial orgs",
"since": "2017",
"capabilities": "Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR",
"victimology": "Oil and Gas, Manufacturing, Europe, MENA, North America",
"synonyms": [
"OilRig",
"Greenbug"
]
},
"uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1"
},
{
"value": "COVELLITE",
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
"meta": {
"refs": [
"https://dragos.com/adversaries.html"
],
"mode-of-operation": "IT compromise with hardened anti-analysis malware against industrial orgs",
"since": "2017",
"capabilities": "Encoded binaries in documents, evasion techniques",
"victimology": "Electric Utilities, US",
"synonyms": [
"Lazarus",
"Hidden Cobra"
]
},
"uuid": "027a1428-6e79-4a4b-82b9-e698e8525c2b"
},
{
"value": "DYMALLOY",
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
"meta": {
"refs": [
"https://dragos.com/adversaries.html"
],
"mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details",
"since": "2016",
"capabilities": "GOODOR, DORSHEL, KARAGANY, Mimikatz",
"victimology": "Turkey, Europe, US",
"synonyms": [
"Dragonfly2",
"Berserker Bear"
]
},
"uuid": "a08ab076-33c1-4350-b021-650c34277f2d"
},
{
"value": "ELECTRUM",
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
"meta": {
"refs": [
"https://dragos.com/adversaries.html"
],
"mode-of-operation": "Electric grid disruption and long-term persistence",
"since": "2016",
"capabilities": "CRASHOVERRIDE",
"victimology": "Ukraine, Electric Utilities",
"synonyms": [
"Sandworm"
]
},
"uuid": "a2d44915-6cff-43cf-8a53-f4850058ad05"
},
{
"value": "MAGNALLIUM",
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
"meta": {
"refs": [
"https://dragos.com/adversaries.html"
],
"mode-of-operation": "IT network limited, information gathering against industrial orgs",
"since": "2016",
"capabilities": "STONEDRILL wiper, variants of TURNEDUP malware",
"victimology": "Petrochemical, Aerospace, Saudi Arabia",
"synonyms": [
"APT33"
]
},
"uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2"
},
{
"value": "XENOTIME",
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
"meta": {
"refs": [
"https://dragos.com/adversaries.html"
],
"mode-of-operation": "Focused on physical destruction and long-term persistence",
"since": "2014",
"capabilities": "TRISIS, custom credential harvesting",
"victimology": "Oil and Gas, Middle East",
"synonyms": []
},
"uuid": "3dddc77e-a52a-466a-bf1c-1463e352077f"
},
{
"value": "ZooPark",
"description": "ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind ZooPark infect Android devices using several generations of malware we label from v1-v4, with v4 being the most recent version deployed in 2017.",
"meta": {
"refs": [
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03095519/ZooPark_for_public_final.pdf"
]
},
"uuid": "4defbf2e-4f73-11e8-807f-578d61da7568"
} }
], ],
"name": "Threat actor", "name": "Threat actor",
@ -2491,5 +2689,5 @@
], ],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.", "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823", "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
"version": 35 "version": 39
} }
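Review bot: The second APT34 ref carries a trailing space inside the string literal, which makes it a different (broken) URL when a client dereferences it; it should be `"https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/"`. The Dragos-derived entries also register `OilRig`, `Greenbug`, `Lazarus`, `Hidden Cobra`, `Sandworm`, `APT33` and `Dragonfly2` as synonyms of CHRYSENE, COVELLITE, ELECTRUM, MAGNALLIUM and DYMALLOY, while the same commit adds APT34 (the group usually reported as OilRig) as a separate value; if this cluster already holds values for those names (not visible in this view), tag resolution by synonym becomes ambiguous, so either state in each description that these are Dragos activity-group names whose overlap with the named groups is partial, or drop the overlapping synonyms. Each of those entries also shares the one-line boilerplate description "Adversaries abusing ICS (based on Dragos Inc adversary list)."; the `mode-of-operation`/`victimology` text already in meta would serve better as the description. XENOTIME's `"synonyms": []` is an empty array that only adds noise and should be removed.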


@ -11,7 +11,7 @@
], ],
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"version": 58, "version": 68,
"values": [ "values": [
{ {
"meta": { "meta": {
@ -1704,15 +1704,6 @@
"value": "DownRage", "value": "DownRage",
"uuid": "ab5c4362-c369-4c78-985d-04ba1226ea32" "uuid": "ab5c4362-c369-4c78-985d-04ba1226ea32"
}, },
{
"meta": {
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan"
]
},
"value": "Chthonic",
"uuid": "783f61a1-8210-4145-b801-53f71b909ebf"
},
{ {
"value": "GeminiDuke", "value": "GeminiDuke",
"description": "GeminiDuke is malware that was used by APT29 from 2009 to 2012.", "description": "GeminiDuke is malware that was used by APT29 from 2009 to 2012.",
@ -3118,7 +3109,8 @@
"refs": [ "refs": [
"https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/", "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/",
"https://blog.fraudwatchinternational.com/malware/trickbot-malware-works", "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works",
"https://securityintelligence.com/trickbot-is-hand-picking-private-banks-for-targets-with-redirection-attacks-in-tow/" "https://securityintelligence.com/trickbot-is-hand-picking-private-banks-for-targets-with-redirection-attacks-in-tow/",
"https://www.bleepingcomputer.com/news/security/trickbot-banking-trojan-gets-screenlocker-component/"
], ],
"synonyms": [ "synonyms": [
"TrickBot", "TrickBot",
@ -3834,7 +3826,7 @@
"https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~ShipUp-A/detailed-analysis.aspx" "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~ShipUp-A/detailed-analysis.aspx"
] ]
}, },
"uuid": "231b7572-239f-11e8-8404-df420a5d403b" "uuid": "4613b76c-4966-44b6-bcd5-f74fa64deb18"
}, },
{ {
"value": "Neuron", "value": "Neuron",
@ -3856,6 +3848,17 @@
}, },
"uuid": "73cb7ecc-25e3-11e8-a97b-c35ec4e7dcf8" "uuid": "73cb7ecc-25e3-11e8-a97b-c35ec4e7dcf8"
}, },
{
"value": "Gamut Botnet",
"description": "Gamut was found to be downloaded by a Trojan Downloader that arrives as an attachment from a spam email message. The bot installation is quite simple. After the malware binary has been downloaded, it launches itself from its current directory, usually the Windows %Temp% folder and installs itself as a Windows service.\nThe malware utilizes an anti-VM (virtual machine) trick and terminates itself if it detects that it is running in a virtual machine environment. The bot uses INT 03h trap sporadically in its code, an anti-debugging technique which prevents its code from running within a debugger environment. It can also determine if it is being debugged by using the Kernel32 API - IsDebuggerPresent function.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/necurs-and-gamut-botnets-account-for-97-percent-of-the-internets-spam-emails/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Gamut-Spambot-Analysis/"
]
},
"uuid": "492879ac-285b-11e8-a06e-33f548e66e42"
},
{ {
"value": "CORALDECK", "value": "CORALDECK",
"description": "CORALDECK is an exfiltration tool that searches for specified files and exfiltrates them in password protected archives using hardcoded HTTP POST headers. CORALDECK has been observed dropping and using Winrar to exfiltrate data in password protected RAR files as well as WinImage and zip archives", "description": "CORALDECK is an exfiltration tool that searches for specified files and exfiltrates them in password protected archives using hardcoded HTTP POST headers. CORALDECK has been observed dropping and using Winrar to exfiltrate data in password protected RAR files as well as WinImage and zip archives",
@ -4068,6 +4071,107 @@
] ]
}, },
"uuid": "7b20b78a-df6e-40c7-9a3a-363f040cfad7" "uuid": "7b20b78a-df6e-40c7-9a3a-363f040cfad7"
},
{
"value": "SHARPKNOT",
"meta": {
"refs": [
"https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf"
]
},
"uuid": "3784c74-691a-4110-94f6-66e60224aa92"
},
{
"value": "KillDisk Wiper",
"description": "KillDisk, along with the multipurpose, cyberespionage-related BlackEnergy, was used in cyberattacks in late December 2015 against Ukraines energy sector as well as its banking, rail, and mining industries. The malware has since metamorphosed into a threat used for digital extortion, affecting Windows and Linux platforms. The note accompanying the ransomware versions, like in the case of Petya, was a ruse: Because KillDisk also overwrites and deletes files (and dont store the encryption keys on disk or online), recovering the scrambled files was out of the question. The new variant we found, however, does not include a ransom note.",
"meta": {
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/"
],
"synonyms": [
"KillDisk"
]
},
"uuid": "aef0fdd4-38b6-11e8-afdd-3b6145112467"
},
{
"value": "UselessDisk",
"description": "A new MBR bootlocker called DiskWriter, or UselessDisk, has been discovered that overwrites the MBR of a victim's computer and then displays a ransom screen on reboot instead of booting into Windows. This ransom note asks for $300 in bitcoins in order to gain access to Windows again. Might be a wiper.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/the-diskwriter-or-uselessdisk-bootlocker-may-be-a-wiper/"
],
"synonyms": [
"DiskWriter"
]
},
"uuid": "b5112fe0-38b6-11e8-af9f-6381b5e5403f"
},
{
"value": "GoScanSSH",
"description": "During a recent Incident Response (IR) engagement, Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics. This is not the first malware family that Talos has observed that was written using Go. However, it is relatively uncommon to see malware written in this programming language. In this particular case, we also observed that the attacker created unique malware binaries for each host that was infected with the GoScanSSH malware. Additionally, the GoScanSSH command and control (C2) infrastructure was observed leveraging the Tor2Web proxy service in an attempt to make tracking the attacker-controlled infrastructure more difficult and resilient to takedowns. ",
"meta": {
"refs": [
"http://blog.talosintelligence.com/2018/03/goscanssh-analysis.html",
"https://www.bleepingcomputer.com/news/security/goscanssh-malware-avoids-government-and-military-servers/"
]
},
"uuid": "8c0a7e1e-3cc4-11e8-8f03-2f71e72f737b"
},
{
"value": "Rovnix",
"description": "We recently found that the malware family ROVNIX is capable of being distributed via macro downloader. This malware technique was previously seen in the DRIDEX malware, which was notable for using the same routines. DRIDEX is also known as the successor of the banking malware CRIDEX.",
"meta": {
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/"
],
"synonyms": [
"ROVNIX"
]
},
"uuid": "a4036a28-3d94-11e8-ad9f-97ada3c6d5fb"
},
{
"value": "Kwampirs",
"description": "Once Orangeworm has infiltrated a victims network, they deploy Trojan.Kwampirs, a backdoor Trojan that provides the attackers with remote access to the compromised computer. When executed, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.",
"meta": {
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
]
},
"uuid": "d1e548b8-4793-11e8-8dea-6beff82cac0a"
},
{
"value": "Rubella Macro Builder",
"description": "A crimeware kit dubbed the Rubella Macro Builder has recently been gaining popularity among members of a top-tier Russian hacking forum. Despite being relatively new and unsophisticated, the kit has a clear appeal for cybercriminals: its cheap, fast, and can defeat basic static antivirus detection.",
"meta": {
"refs": [
"https://www.flashpoint-intel.com/blog/rubella-macro-builder/"
]
},
"uuid": "b7be6732-4ed5-11e8-8b82-dff39eb7a396"
},
{
"value": "kitty Malware",
"description": "Researchers at Imperva's Incapsula said a new piece malware called Kitty leaves a note for cat lovers. It attacks the Drupal content management system (CMS) to illegally mine cryptocurrency Monero.",
"meta": {
"refs": [
"https://www.zdnet.com/article/hello-kitty-malware-targets-drupal-to-mine-for-cryptocurrency/",
"https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/",
"https://cryptovest.com/news/hello-kitty-new-malware-me0ws-its-way-into-mining-monero/"
]
},
"uuid": "85d5da28-51f7-11e8-bbeb-af367d720136"
},
{
"value": "Maikspy",
"description": "We discovered a malware family called Maikspy — a multi-platform spyware that can steal users private data. The spyware targets Windows and Android users, and first posed as an adult game named after a popular U.S.-based adult film actress. Maikspy, which is an alias that combines the name of the adult film actress and spyware, has been around since 2016.",
"meta": {
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/maikspy-spyware-poses-as-adult-game-targets-windows-and-android-users/"
]
},
"uuid": "d83ec444-535c-11e8-ae83-831d0a85d77a"
} }
] ]
} }
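Review bot: The SHARPKNOT entry's uuid `3784c74-691a-4110-94f6-66e60224aa92` has only seven hex digits in its first group (35 characters instead of 36), so it is not a valid RFC 4122 UUID and will be rejected by any consumer that validates uuids before import; it needs to be regenerated as a proper v4 uuid rather than patched by hand. The Chthonic value is deleted outright and the ShipUp-adjacent entry gets a new uuid (`231b7572-239f-11e8-…` becomes `4613b76c-4966-44b6-…`) with no explanation; if Chthonic was moved to another cluster and the old uuid was a duplicate, say so in the commit message, otherwise existing tags keyed on these identifiers stop resolving. Several new descriptions are pasted with their apostrophes stripped ("Ukraines energy sector", "dont store the encryption keys", "a victims network"), and the GoScanSSH description ends with a trailing space; worth cleaning before the text is surfaced in the UI.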


@ -0,0 +1,8 @@
{
"name": "Enterprise Attack - Attack Pattern",
"type": "mitre-enterprise-attack-attack-pattern",
"description": "ATT&CK Tactic",
"uuid": "fa7016a8-1707-11e8-82d0-1b73d76eb204",
"version": 3,
"icon": "map"
}
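Review bot: The new galaxy file keeps the uuid `fa7016a8-1707-11e8-82d0-1b73d76eb204` of the deleted `mitre-entreprise-attack-attack-pattern` galaxy while its `type` becomes `mitre-enterprise-attack-attack-pattern`; an instance that already imported the old galaxy will presumably match the new one by uuid but still hold tags and saved filters under the old type string. The course-of-action, intrusion-set, malware, relationship and tool galaxies in this commit make the same type change. A sentence in the commit description naming the type rename, with the version bump as the re-import trigger, would help operators who expect the old type to keep resolving.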


@ -0,0 +1,8 @@
{
"name": "Enterprise Attack - Course of Action",
"type": "mitre-enterprise-attack-course-of-action",
"description": "ATT&CK Mitigation",
"uuid": "fb5a36c0-1707-11e8-81f5-d732b22a4982",
"version": 3,
"icon": "chain"
}


@ -1,8 +1,8 @@
{ {
"name": "Entreprise Attack -Intrusion Set", "name": "Enterprise Attack -Intrusion Set",
"type": "mitre-entreprise-attack-intrusion-set", "type": "mitre-enterprise-attack-intrusion-set",
"description": "Name of ATT&CK Group", "description": "Name of ATT&CK Group",
"uuid": "1f3b8c56-1708-11e8-b211-17a60c0f73ee", "uuid": "1f3b8c56-1708-11e8-b211-17a60c0f73ee",
"version": 1, "version": 3,
"icon": "user-secret" "icon": "user-secret"
} }


@ -1,8 +1,8 @@
{ {
"name": "Entreprise Attack - Malware", "name": "Enterprise Attack - Malware",
"type": "mitre-entreprise-attack-malware", "type": "mitre-enterprise-attack-malware",
"description": "Name of ATT&CK software", "description": "Name of ATT&CK software",
"uuid": "fbb19af0-1707-11e8-9fd6-dbd88a04d33a", "uuid": "fbb19af0-1707-11e8-9fd6-dbd88a04d33a",
"version": 1, "version": 3,
"icon": "optin-monster" "icon": "optin-monster"
} }


@ -0,0 +1,8 @@
{
"name": "Enterprise Attack - Relationship",
"type": "mitre-enterprise-attack-relationship",
"description": "Mitre Relationship",
"uuid": "fc404638-1707-11e8-a5cf-b78b9b562766",
"version": 3,
"icon": "link"
}


@ -1,8 +1,8 @@
{ {
"name": "Entreprise Attack - Tool", "name": "Enterprise Attack - Tool",
"type": "mitre-entreprise-attack-tool", "type": "mitre-enterprise-attack-tool",
"description": "Name of ATT&CK software", "description": "Name of ATT&CK software",
"uuid": "fbfa0470-1707-11e8-be22-eb46b373fdd3", "uuid": "fbfa0470-1707-11e8-be22-eb46b373fdd3",
"version": 1, "version": 3,
"icon": "gavel" "icon": "gavel"
} }


@ -1,8 +0,0 @@
{
"name": "Entreprise Attack - Attack Pattern",
"type": "mitre-entreprise-attack-attack-pattern",
"description": "ATT&CK Tactic",
"uuid": "fa7016a8-1707-11e8-82d0-1b73d76eb204",
"version": 1,
"icon": "map"
}


@ -1,8 +0,0 @@
{
"name": "Entreprise Attack - Course of Action",
"type": "mitre-entreprise-attack-course-of-action",
"description": "ATT&CK Mitigation",
"uuid": "fb5a36c0-1707-11e8-81f5-d732b22a4982",
"version": 1,
"icon": "chain"
}


@ -1,8 +0,0 @@
{
"name": "Entreprise Attack - Relationship",
"type": "mitre-entreprise-attack-relationship",
"description": "Mitre Relationship",
"uuid": "fc404638-1707-11e8-a5cf-b78b9b562766",
"version": 1,
"icon": "link"
}


@ -3,6 +3,6 @@
"type": "mitre-mobile-attack-attack-pattern", "type": "mitre-mobile-attack-attack-pattern",
"description": "ATT&CK Tactic", "description": "ATT&CK Tactic",
"uuid": "1c6d1332-1708-11e8-847c-e3c5643c41a5", "uuid": "1c6d1332-1708-11e8-847c-e3c5643c41a5",
"version": 1, "version": 2,
"icon": "map" "icon": "map"
} }


@ -1,8 +1,8 @@
{ {
"uuid": "0282356a-1708-11e8-8f53-975633d5c03c", "name": "Mobile Attack - Course of Action",
"description": "ATT&CK Mitigation",
"version": 1,
"icon": "chain",
"type": "mitre-mobile-attack-course-of-action", "type": "mitre-mobile-attack-course-of-action",
"name": "Mobile Attack - Course of Action" "description": "ATT&CK Mitigation",
"uuid": "0282356a-1708-11e8-8f53-975633d5c03c",
"version": 2,
"icon": "chain"
} }


@ -3,6 +3,6 @@
"type": "mitre-mobile-attack-intrusion-set", "type": "mitre-mobile-attack-intrusion-set",
"description": "Name of ATT&CK Group", "description": "Name of ATT&CK Group",
"uuid": "0314e554-1708-11e8-b049-8f8a42b5bb62", "uuid": "0314e554-1708-11e8-b049-8f8a42b5bb62",
"version": 1, "version": 2,
"icon": "user-secret" "icon": "user-secret"
} }


@ -3,6 +3,6 @@
"type": "mitre-mobile-attack-malware", "type": "mitre-mobile-attack-malware",
"description": "Name of ATT&CK software", "description": "Name of ATT&CK software",
"uuid": "03e3853a-1708-11e8-95c1-67cf3f801a18", "uuid": "03e3853a-1708-11e8-95c1-67cf3f801a18",
"version": 1, "version": 2,
"icon": "optin-monster" "icon": "optin-monster"
} }


@ -3,6 +3,6 @@
"type": "mitre-mobile-attack-relationship", "type": "mitre-mobile-attack-relationship",
"description": "Mitre Relationship", "description": "Mitre Relationship",
"uuid": "fc8471aa-1707-11e8-b306-33cbe96a1ede", "uuid": "fc8471aa-1707-11e8-b306-33cbe96a1ede",
"version": 1, "version": 2,
"icon": "link" "icon": "link"
} }


@ -3,6 +3,6 @@
"type": "mitre-mobile-attack-tool", "type": "mitre-mobile-attack-tool",
"description": "Name of ATT&CK software", "description": "Name of ATT&CK software",
"uuid": "1d0b4bce-1708-11e8-9e6e-1b130c9b0a91", "uuid": "1d0b4bce-1708-11e8-9e6e-1b130c9b0a91",
"version": 1, "version": 2,
"icon": "gavel" "icon": "gavel"
} }


@ -3,6 +3,6 @@
"type": "mitre-pre-attack-attack-pattern", "type": "mitre-pre-attack-attack-pattern",
"description": "ATT&CK Tactic", "description": "ATT&CK Tactic",
"uuid": "1f665850-1708-11e8-9cfe-4792b2a91402", "uuid": "1f665850-1708-11e8-9cfe-4792b2a91402",
"version": 1, "version": 2,
"icon": "map" "icon": "map"
} }


@ -3,6 +3,6 @@
"type": "mitre-pre-attack-intrusion-set", "type": "mitre-pre-attack-intrusion-set",
"description": "Name of ATT&CK Group", "description": "Name of ATT&CK Group",
"uuid": "1fb6d5b4-1708-11e8-9836-8bbc8ce6866e", "uuid": "1fb6d5b4-1708-11e8-9836-8bbc8ce6866e",
"version": 1, "version": 2,
"icon": "user-secret" "icon": "user-secret"
} }


@ -1,8 +1,8 @@
{ {
"name": "Pre Attack - Relationship",
"type": "mitre-pre-attack-relashipship",
"description": "Mitre Relationship",
"uuid": "1f8e3bae-1708-11e8-8e97-4bd2150e5aae", "uuid": "1f8e3bae-1708-11e8-8e97-4bd2150e5aae",
"version": 1, "description": "Mitre Relationship",
"icon": "link" "version": 2,
"icon": "link",
"type": "mitre-pre-attack-relashipship",
"name": "Pre Attack - Relationship"
} }
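Review bot: `"type": "mitre-pre-attack-relashipship"` survives on the new side while the commit corrects the `Entreprise` spelling everywhere else; the misspelling sits in the identifier consumers key on, so fixing it later will be the same kind of type rename as this commit's enterprise one. Either correct it now, together with the other renames and the same version bump, or record in the generator that the value is intentionally frozen. The key reordering in this hunk is otherwise cosmetic.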


@ -6,7 +6,7 @@ import re
import os import os
import argparse import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s attack-patterns\nMust be in the mitre/cti/entreprise-attack/attack-pattern folder') parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s attack-patterns\nMust be in the mitre/cti/enterprise-attack/attack-pattern folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one") parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args() args = parser.parse_args()
@ -22,11 +22,11 @@ for element in os.listdir('.'):
value = {} value = {}
value['description'] = temp['description'] value['description'] = temp['description']
value['value'] = temp['name'] value['value'] = temp['name'] + ' - ' + temp['external_references'][0]['external_id']
value['meta'] = {} value['meta'] = {}
value['meta']['refs'] = [] value['meta']['refs'] = []
for reference in temp['external_references']: for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']: if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url']) value['meta']['refs'].append(reference['url'])
if 'x_mitre_data_sources' in temp: if 'x_mitre_data_sources' in temp:
value['meta']['mitre_data_sources'] = temp['x_mitre_data_sources'] value['meta']['mitre_data_sources'] = temp['x_mitre_data_sources']
@ -36,16 +36,16 @@ for element in os.listdir('.'):
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:] value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
galaxy = {} galaxy = {}
galaxy['name'] = "Entreprise Attack - Attack Pattern" galaxy['name'] = "Enterprise Attack - Attack Pattern"
galaxy['type'] = "mitre-entreprise-attack-attack-pattern" galaxy['type'] = "mitre-enterprise-attack-attack-pattern"
galaxy['description'] = "ATT&CK Tactic" galaxy['description'] = "ATT&CK Tactic"
galaxy['uuid' ] = "fa7016a8-1707-11e8-82d0-1b73d76eb204" galaxy['uuid' ] = "fa7016a8-1707-11e8-82d0-1b73d76eb204"
galaxy['version'] = args.version galaxy['version'] = args.version
galaxy['icon'] = "map" galaxy['icon'] = "map"
cluster = {} cluster = {}
cluster['name'] = "Entreprise Attack - Attack Pattern" cluster['name'] = "Enterprise Attack - Attack Pattern"
cluster['type'] = "mitre-entreprise-attack-attack-pattern" cluster['type'] = "mitre-enterprise-attack-attack-pattern"
cluster['description'] = "ATT&CK tactic" cluster['description'] = "ATT&CK tactic"
cluster['version'] = args.version cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti" cluster['source'] = "https://github.com/mitre/cti"
@ -53,8 +53,8 @@ cluster['uuid' ] = "fb2242d8-1707-11e8-ab20-6fa7448c3640"
cluster['authors'] = ["MITRE"] cluster['authors'] = ["MITRE"]
cluster['values'] = values cluster['values'] = values
with open('generate/galaxies/mitre-entreprise-attack-attack-pattern.json', 'w') as galaxy_file: with open('generate/galaxies/mitre-enterprise-attack-attack-pattern.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4) json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-entreprise-attack-attack-pattern.json', 'w') as cluster_file: with open('generate/clusters/mitre-enterprise-attack-attack-pattern.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4) json.dump(cluster, cluster_file, indent=4)
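Review bot: `temp['external_references'][0]['external_id']` on the new `value['value']` line assumes every object's first external reference is the ATT&CK entry and carries an `external_id`; an object whose first reference is a plain URL citation, or whose list is empty, raises KeyError/IndexError and aborts the whole generation run with no hint of which file did it. Selecting the reference by content instead of position, through a small helper, makes the failure explicit and gives one place to handle an object without such an id. Note also that the cluster `value` is what MISP exposes as the tag name, so appending the ATT&CK id renames every existing cluster; presumably intended, but worth stating in the commit description. The same line appears in the course-of-action, intrusion-set, malware, tool and mobile-attack generators below. The enclosing for loop starts outside the hunk.
```python
def attack_external_id(obj):
    """Return the external_id of the first external reference that carries one."""
    for ref in obj.get('external_references', []):
        if 'external_id' in ref:
            return ref['external_id']
    raise KeyError('no external_id in external_references of ' + obj['id'])

# … unchanged: per-file loop building value …
value['value'] = temp['name'] + ' - ' + attack_external_id(temp)
```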


@ -6,7 +6,7 @@ import re
import os import os
import argparse import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s courses-of-action.\nMust be in the mitre/cti/entreprise-attack/course-of-action folder') parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s courses-of-action.\nMust be in the mitre/cti/enterprise-attack/course-of-action folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one") parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args() args = parser.parse_args()
@ -22,21 +22,21 @@ for element in os.listdir('.'):
value = {} value = {}
value['description'] = temp['description'] value['description'] = temp['description']
value['value'] = temp['name'] value['value'] = temp['name'] + ' - ' + temp['external_references'][0]['external_id']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:] value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value) values.append(value)
galaxy = {} galaxy = {}
galaxy['name'] = "Entreprise Attack - Course of Action" galaxy['name'] = "Enterprise Attack - Course of Action"
galaxy['type'] = "mitre-entreprise-attack-course-of-action" galaxy['type'] = "mitre-enterprise-attack-course-of-action"
galaxy['description'] = "ATT&CK Mitigation" galaxy['description'] = "ATT&CK Mitigation"
galaxy['uuid' ] = "fb5a36c0-1707-11e8-81f5-d732b22a4982" galaxy['uuid' ] = "fb5a36c0-1707-11e8-81f5-d732b22a4982"
galaxy['version'] = args.version galaxy['version'] = args.version
galaxy['icon'] = "chain" galaxy['icon'] = "chain"
cluster = {} cluster = {}
cluster['name'] = "Entreprise Attack - Course of Action" cluster['name'] = "Enterprise Attack - Course of Action"
cluster['type'] = "mitre-entreprise-attack-course-of-action" cluster['type'] = "mitre-enterprise-attack-course-of-action"
cluster['description'] = "ATT&CK Mitigation" cluster['description'] = "ATT&CK Mitigation"
cluster['version'] = args.version cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti" cluster['source'] = "https://github.com/mitre/cti"
@ -44,8 +44,8 @@ cluster['uuid' ] = "fb870a6a-1707-11e8-b548-17523e4d0670"
cluster['authors'] = ["MITRE"] cluster['authors'] = ["MITRE"]
cluster['values'] = values cluster['values'] = values
with open('generate/galaxies/mitre-entreprise-attack-course-of-action.json', 'w') as galaxy_file: with open('generate/galaxies/mitre-enterprise-attack-course-of-action.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4) json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-entreprise-attack-course-of-action.json', 'w') as cluster_file: with open('generate/clusters/mitre-enterprise-attack-course-of-action.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4) json.dump(cluster, cluster_file, indent=4)


@ -6,7 +6,7 @@ import re
import os import os
import argparse import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s intrusion-sets\nMust be in the mitre/cti/entreprise-attack/intrusion-set folder') parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s intrusion-sets\nMust be in the mitre/cti/enterprise-attack/intrusion-set folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one") parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args() args = parser.parse_args()
@ -22,27 +22,27 @@ for element in os.listdir('.'):
value = {} value = {}
value['description'] = temp['description'] value['description'] = temp['description']
value['value'] = temp['name'] value['value'] = temp['name'] + ' - ' + temp['external_references'][0]['external_id']
value['meta'] = {} value['meta'] = {}
value['meta']['synonyms'] = temp['aliases'] value['meta']['synonyms'] = temp['aliases']
value['meta']['refs']= [] value['meta']['refs']= []
for reference in temp['external_references']: for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']: if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url']) value['meta']['refs'].append(reference['url'])
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:] value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value) values.append(value)
galaxy = {} galaxy = {}
galaxy['name'] = "Entreprise Attack -Intrusion Set" galaxy['name'] = "Enterprise Attack -Intrusion Set"
galaxy['type'] = "mitre-entreprise-attack-intrusion-set" galaxy['type'] = "mitre-enterprise-attack-intrusion-set"
galaxy['description'] = "Name of ATT&CK Group" galaxy['description'] = "Name of ATT&CK Group"
galaxy['uuid' ] = "1f3b8c56-1708-11e8-b211-17a60c0f73ee" galaxy['uuid' ] = "1f3b8c56-1708-11e8-b211-17a60c0f73ee"
galaxy['version'] = args.version galaxy['version'] = args.version
galaxy['icon'] = "user-secret" galaxy['icon'] = "user-secret"
cluster = {} cluster = {}
cluster['name'] = "Entreprise Attack -intrusion Set" cluster['name'] = "Enterprise Attack -intrusion Set"
cluster['type'] = "mitre-entreprise-attack-intrusion-set" cluster['type'] = "mitre-enterprise-attack-intrusion-set"
cluster['description'] = "Name of ATT&CK Group" cluster['description'] = "Name of ATT&CK Group"
cluster['version'] = args.version cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti" cluster['source'] = "https://github.com/mitre/cti"
@ -50,8 +50,8 @@ cluster['uuid' ] = "01f18402-1708-11e8-ac1c-1ffb3c4a7775"
cluster['authors'] = ["MITRE"] cluster['authors'] = ["MITRE"]
cluster['values'] = values cluster['values'] = values
with open('generate/galaxies/mitre-entreprise-attack-intrusion-set.json', 'w') as galaxy_file: with open('generate/galaxies/mitre-enterprise-attack-intrusion-set.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4) json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-entreprise-attack-intrusion-set.json', 'w') as cluster_file: with open('generate/clusters/mitre-enterprise-attack-intrusion-set.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4) json.dump(cluster, cluster_file, indent=4)


@ -6,7 +6,7 @@ import re
import os import os
import argparse import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s malwares\nMust be in the mitre/cti/entreprise-attack/malware folder') parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s malwares\nMust be in the mitre/cti/enterprise-attack/malware folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one") parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args() args = parser.parse_args()
@ -22,28 +22,28 @@ for element in os.listdir('.'):
value = {} value = {}
value['description'] = temp['description'] value['description'] = temp['description']
value['value'] = temp['name'] value['value'] = temp['name'] + ' - ' + temp['external_references'][0]['external_id']
value['meta'] = {} value['meta'] = {}
value['meta']['refs'] = [] value['meta']['refs'] = []
for reference in temp['external_references']: for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']: if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url']) value['meta']['refs'].append(reference['url'])
if'x_mitre_aliases' in temp: if'x_mitre_aliases' in temp:
value['meta']['synonyms'] = temp['x_mitre_aliases'] value['meta']['synonyms'] = temp['x_mitre_aliases']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:] value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value) values.append(value)
galaxy = {} galaxy = {}
galaxy['name'] = "Entreprise Attack - Malware" galaxy['name'] = "Enterprise Attack - Malware"
galaxy['type'] = "mitre-entreprise-attack-malware" galaxy['type'] = "mitre-enterprise-attack-malware"
galaxy['description'] = "Name of ATT&CK software" galaxy['description'] = "Name of ATT&CK software"
galaxy['uuid' ] = "fbb19af0-1707-11e8-9fd6-dbd88a04d33a" galaxy['uuid' ] = "fbb19af0-1707-11e8-9fd6-dbd88a04d33a"
galaxy['version'] = args.version galaxy['version'] = args.version
galaxy['icon'] = "optin-monster" galaxy['icon'] = "optin-monster"
cluster = {} cluster = {}
cluster['name'] = "Entreprise Attack - Malware" cluster['name'] = "Enterprise Attack - Malware"
cluster['type'] = "mitre-entreprise-attack-malware" cluster['type'] = "mitre-enterprise-attack-malware"
cluster['description'] = "Name of ATT&CK software" cluster['description'] = "Name of ATT&CK software"
cluster['version'] = args.version cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti" cluster['source'] = "https://github.com/mitre/cti"
@ -51,8 +51,8 @@ cluster['uuid' ] = "fbd79f02-1707-11e8-b1c7-87406102276a"
cluster['authors'] = ["MITRE"] cluster['authors'] = ["MITRE"]
cluster['values'] = values cluster['values'] = values
with open('generate/galaxies/mitre-entreprise-attack-malware.json', 'w') as galaxy_file: with open('generate/galaxies/mitre-enterprise-attack-malware.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4) json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-entreprise-attack-malware.json', 'w') as cluster_file: with open('generate/clusters/mitre-enterprise-attack-malware.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4) json.dump(cluster, cluster_file, indent=4)


@ -6,7 +6,7 @@ import re
import os import os
import argparse import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s relationship\nMust be in the mitre/cti/entreprise-attack/relationship folder') parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s relationship\nMust be in the mitre/cti/enterprise-attack/relationship folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one") parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args() args = parser.parse_args()
@ -17,7 +17,7 @@ for element in os.listdir(path):
with open(path+element) as json_data: with open(path+element) as json_data:
d = json.load(json_data) d = json.load(json_data)
json_data.close() json_data.close()
temp = d['objects'][0] temp = d['objects'][0]
source = temp['source_ref'] source = temp['source_ref']
target = temp['target_ref'] target = temp['target_ref']
@ -72,20 +72,21 @@ for element in os.listdir(path):
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:] value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['meta']['source-uuid'] = re.search('--(.*)$', s['objects'][0]['id']).group(0)[2:] value['meta']['source-uuid'] = re.search('--(.*)$', s['objects'][0]['id']).group(0)[2:]
value['meta']['target-uuid'] = re.search('--(.*)$', t['objects'][0]['id']).group(0)[2:] value['meta']['target-uuid'] = re.search('--(.*)$', t['objects'][0]['id']).group(0)[2:]
value['value'] = s['objects'][0]['name'] + ' ' + relationship + ' ' + t['objects'][0]['name'] value['value'] = s['objects'][0]['name'] + ' (' + s['objects'][0]['external_references'][0]['external_id'] + ') ' + relationship + ' ' + t['objects'][0]['name'] + ' (' + t['objects'][0]['external_references'][0]['external_id'] + ')'
# value['value'] = s['objects'][0]['name'] + ' ' + relationship + ' ' + t['objects'][0]['name']
values.append(value) values.append(value)
galaxy = {} galaxy = {}
galaxy['name'] = "Entreprise Attack - Relationship" galaxy['name'] = "Enterprise Attack - Relationship"
galaxy['type'] = "mitre-entreprise-attack-relationship" galaxy['type'] = "mitre-enterprise-attack-relationship"
galaxy['description'] = "Mitre Relationship" galaxy['description'] = "Mitre Relationship"
galaxy['uuid' ] = "fc404638-1707-11e8-a5cf-b78b9b562766" galaxy['uuid' ] = "fc404638-1707-11e8-a5cf-b78b9b562766"
galaxy['version'] = args.version galaxy['version'] = args.version
galaxy['icon'] = "link" galaxy['icon'] = "link"
cluster = {} cluster = {}
cluster['name'] = "Entreprise Attack - Relationship" cluster['name'] = "Enterprise Attack - Relationship"
cluster['type'] = "mitre-entreprise-attack-relationship" cluster['type'] = "mitre-enterprise-attack-relationship"
cluster['description'] = "MITRE Relationship" cluster['description'] = "MITRE Relationship"
cluster['version'] = args.version cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti" cluster['source'] = "https://github.com/mitre/cti"
@ -93,8 +94,8 @@ cluster['uuid' ] = "fc605f90-1707-11e8-9d6a-9f165ac2ab5c"
cluster['authors'] = ["MITRE"] cluster['authors'] = ["MITRE"]
cluster['values'] = values cluster['values'] = values
with open('generate/galaxies/mitre-entreprise-attack-relationship.json', 'w') as galaxy_file: with open('generate/galaxies/mitre-enterprise-attack-relationship.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4) json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-entreprise-attack-relationship.json', 'w') as cluster_file: with open('generate/clusters/mitre-enterprise-attack-relationship.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4) json.dump(cluster, cluster_file, indent=4)
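Review bot: The commented-out previous `value['value']` line left directly under the new one should be removed; git history keeps it, and in place it only leaves the next reader unsure which form is current. The new line chains `s['objects'][0]['external_references'][0]['external_id']` and its target counterpart on a single line of roughly two hundred characters, repeating the positional assumption that the first reference is the ATT&CK one; a short helper that looks up the reference carrying an `external_id` for a given object would shorten the line and give one place to handle an object without such a reference. The mobile relationship generator below has the same line without the leftover comment. The enclosing for loop starts outside the hunk.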


@ -6,7 +6,7 @@ import re
import os import os
import argparse import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s tools\nMust be in the mitre/cti/entreprise-attack/tool folder') parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s tools\nMust be in the mitre/cti/enterprise-attack/tool folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one") parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args() args = parser.parse_args()
@ -22,28 +22,28 @@ for element in os.listdir('.'):
value = {} value = {}
value['description'] = temp['description'] value['description'] = temp['description']
value['value'] = temp['name'] value['value'] = temp['name'] + ' - ' + temp['external_references'][0]['external_id']
value['meta'] = {} value['meta'] = {}
value['meta']['refs'] = [] value['meta']['refs'] = []
for reference in temp['external_references']: for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']: if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url']) value['meta']['refs'].append(reference['url'])
if'x_mitre_aliases' in temp: if'x_mitre_aliases' in temp:
value['meta']['synonyms'] = temp['x_mitre_aliases'] value['meta']['synonyms'] = temp['x_mitre_aliases']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:] value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value) values.append(value)
galaxy = {} galaxy = {}
galaxy['name'] = "Entreprise Attack - Tool" galaxy['name'] = "Enterprise Attack - Tool"
galaxy['type'] = "mitre-entreprise-attack-tool" galaxy['type'] = "mitre-enterprise-attack-tool"
galaxy['description'] = "Name of ATT&CK software" galaxy['description'] = "Name of ATT&CK software"
galaxy['uuid' ] = "fbfa0470-1707-11e8-be22-eb46b373fdd3" galaxy['uuid' ] = "fbfa0470-1707-11e8-be22-eb46b373fdd3"
galaxy['version'] = args.version galaxy['version'] = args.version
galaxy['icon'] = "gavel" galaxy['icon'] = "gavel"
cluster = {} cluster = {}
cluster['name'] = "Entreprise Attack - Tool" cluster['name'] = "Enterprise Attack - Tool"
cluster['type'] = "mitre-entreprise-attack-tool" cluster['type'] = "mitre-enterprise-attack-tool"
cluster['description'] = "Name of ATT&CK software" cluster['description'] = "Name of ATT&CK software"
cluster['version'] = args.version cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti" cluster['source'] = "https://github.com/mitre/cti"
@ -51,8 +51,8 @@ cluster['uuid' ] = "fc1ea6e0-1707-11e8-ac05-2b70d00c354e"
cluster['authors'] = ["MITRE"] cluster['authors'] = ["MITRE"]
cluster['values'] = values cluster['values'] = values
with open('generate/galaxies/mitre-entreprise-attack-tool.json', 'w') as galaxy_file: with open('generate/galaxies/mitre-enterprise-attack-tool.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4) json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-entreprise-attack-tool.json', 'w') as cluster_file: with open('generate/clusters/mitre-enterprise-attack-tool.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4) json.dump(cluster, cluster_file, indent=4)


@ -22,11 +22,11 @@ for element in os.listdir('.'):
value = {} value = {}
value['description'] = temp['description'] value['description'] = temp['description']
value['value'] = temp['name'] value['value'] = temp['name'] + ' - ' + temp['external_references'][0]['external_id']
value['meta'] = {} value['meta'] = {}
value['meta']['refs'] = [] value['meta']['refs'] = []
for reference in temp['external_references']: for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']: if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url']) value['meta']['refs'].append(reference['url'])
if 'x_mitre_data_sources' in temp: if 'x_mitre_data_sources' in temp:
value['meta']['mitre_data_sources'] = temp['x_mitre_data_sources'] value['meta']['mitre_data_sources'] = temp['x_mitre_data_sources']
@ -43,7 +43,7 @@ galaxy['uuid' ] = "1c6d1332-1708-11e8-847c-e3c5643c41a5"
galaxy['version'] = args.version galaxy['version'] = args.version
galaxy['icon'] = "map" galaxy['icon'] = "map"
cluster = {} cluster = {}
cluster['name'] = "Mobile Attack - Attack Pattern" cluster['name'] = "Mobile Attack - Attack Pattern"
cluster['type'] = "mitre-mobile-attack-attack-pattern" cluster['type'] = "mitre-mobile-attack-attack-pattern"
cluster['description'] = "ATT&CK tactic" cluster['description'] = "ATT&CK tactic"


@ -22,7 +22,7 @@ for element in os.listdir('.'):
value = {} value = {}
value['description'] = temp['description'] value['description'] = temp['description']
value['value'] = temp['name'] value['value'] = temp['name'] + ' - ' + temp['external_references'][0]['external_id']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:] value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value) values.append(value)
@ -34,7 +34,7 @@ galaxy['uuid' ] = "0282356a-1708-11e8-8f53-975633d5c03c"
galaxy['version'] = args.version galaxy['version'] = args.version
galaxy['icon'] = "chain" galaxy['icon'] = "chain"
cluster = {} cluster = {}
cluster['name'] = "Mobile Attack - Course of Action" cluster['name'] = "Mobile Attack - Course of Action"
cluster['type'] = "mitre-mobile-attack-course-of-action" cluster['type'] = "mitre-mobile-attack-course-of-action"
cluster['description'] = "ATT&CK Mitigation" cluster['description'] = "ATT&CK Mitigation"


@ -22,12 +22,12 @@ for element in os.listdir('.'):
value = {} value = {}
value['description'] = temp['description'] value['description'] = temp['description']
value['value'] = temp['name'] value['value'] = temp['name'] + ' - ' + temp['external_references'][0]['external_id']
value['meta'] = {} value['meta'] = {}
value['meta']['synonyms'] = temp['aliases'] value['meta']['synonyms'] = temp['aliases']
value['meta']['refs']= [] value['meta']['refs']= []
for reference in temp['external_references']: for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']: if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url']) value['meta']['refs'].append(reference['url'])
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:] value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value) values.append(value)
@ -40,7 +40,7 @@ galaxy['uuid' ] = "0314e554-1708-11e8-b049-8f8a42b5bb62"
galaxy['version'] = args.version galaxy['version'] = args.version
galaxy['icon'] = "user-secret" galaxy['icon'] = "user-secret"
cluster = {} cluster = {}
cluster['name'] = "Mobile Attack - intrusion Set" cluster['name'] = "Mobile Attack - intrusion Set"
cluster['type'] = "mitre-mobile-attack-intrusion-set" cluster['type'] = "mitre-mobile-attack-intrusion-set"
cluster['description'] = "Name of ATT&CK Group" cluster['description'] = "Name of ATT&CK Group"


@ -22,14 +22,14 @@ for element in os.listdir('.'):
value = {} value = {}
value['description'] = temp['description'] value['description'] = temp['description']
value['value'] = temp['name'] value['value'] = temp['name'] + ' - ' + temp['external_references'][0]['external_id']
value['meta'] = {} value['meta'] = {}
value['meta']['refs'] = [] value['meta']['refs'] = []
for reference in temp['external_references']: for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']: if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url']) value['meta']['refs'].append(reference['url'])
if'x_mitre_aliases' in temp: if'x_mitre_aliases' in temp:
value['meta']['synonyms'] = temp['x_mitre_aliases'] value['meta']['synonyms'] = temp['x_mitre_aliases']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:] value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value) values.append(value)
@ -41,7 +41,7 @@ galaxy['uuid' ] = "03e3853a-1708-11e8-95c1-67cf3f801a18"
galaxy['version'] = args.version galaxy['version'] = args.version
galaxy['icon'] = "optin-monster" galaxy['icon'] = "optin-monster"
cluster = {} cluster = {}
cluster['name'] = "Mobile Attack - Malware" cluster['name'] = "Mobile Attack - Malware"
cluster['type'] = "mitre-mobile-attack-malware" cluster['type'] = "mitre-mobile-attack-malware"
cluster['description'] = "Name of ATT&CK software" cluster['description'] = "Name of ATT&CK software"
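Review bot: The new `value['value']` line indexes `temp['external_references'][0]['external_id']` without any guard, so a STIX object whose reference list is empty, or whose first entry has no `external_id`, now aborts the whole generator run with an IndexError/KeyError instead of producing an entry; the `for reference in temp['external_references']` loop two lines below already treats these entries as heterogeneous by testing `'url' in reference`, so the same caution belongs here. It is also only an assumption that the first reference is the ATT&CK source entry carrying the ID (TODO confirm against the input data). A safer form is `ext_id = next((r['external_id'] for r in temp['external_references'] if 'external_id' in r), None)` followed by `value['value'] = temp['name'] + (' - ' + ext_id if ext_id else '')`. The identical unguarded pattern appears in the Mobile Attack - Tool, Pre Attack - Attack Pattern and Pre Attack - intrusion Set sections below, and in the two Relationship sections on `s['objects'][0]` / `t['objects'][0]`. Since `value` changes for every existing cluster entry while `uuid` stays the same, consumers that match on the value string are presumably affected — worth a line in the commit description.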


@ -17,7 +17,7 @@ for element in os.listdir(path):
with open(path+element) as json_data: with open(path+element) as json_data:
d = json.load(json_data) d = json.load(json_data)
json_data.close() json_data.close()
temp = d['objects'][0] temp = d['objects'][0]
source = temp['source_ref'] source = temp['source_ref']
target = temp['target_ref'] target = temp['target_ref']
@ -72,7 +72,7 @@ for element in os.listdir(path):
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:] value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['meta']['source-uuid'] = re.search('--(.*)$', s['objects'][0]['id']).group(0)[2:] value['meta']['source-uuid'] = re.search('--(.*)$', s['objects'][0]['id']).group(0)[2:]
value['meta']['target-uuid'] = re.search('--(.*)$', t['objects'][0]['id']).group(0)[2:] value['meta']['target-uuid'] = re.search('--(.*)$', t['objects'][0]['id']).group(0)[2:]
value['value'] = s['objects'][0]['name'] + ' ' + relationship + ' ' + t['objects'][0]['name'] value['value'] = s['objects'][0]['name'] + ' (' + s['objects'][0]['external_references'][0]['external_id'] + ') ' + relationship + ' ' + t['objects'][0]['name'] + ' (' + t['objects'][0]['external_references'][0]['external_id'] + ')'
values.append(value) values.append(value)
galaxy = {} galaxy = {}
@ -83,7 +83,7 @@ galaxy['uuid' ] = "fc8471aa-1707-11e8-b306-33cbe96a1ede"
galaxy['version'] = args.version galaxy['version'] = args.version
galaxy['icon'] = "link" galaxy['icon'] = "link"
cluster = {} cluster = {}
cluster['name'] = "Mobile Attack - Relationship" cluster['name'] = "Mobile Attack - Relationship"
cluster['type'] = "mitre-mobile-attack-relationship" cluster['type'] = "mitre-mobile-attack-relationship"
cluster['description'] = "MITRE Relationship" cluster['description'] = "MITRE Relationship"
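Review bot: The rewritten `value['value']` assignment renders the external ID as `name (ID)` here, while the cluster generators in this same commit render it as `name - ID`; the two formats should be chosen deliberately and documented, since the value strings are what end up in the published galaxy. The line is also well over 200 characters with four nested subscripts repeated for `s` and `t`; pulling `src = s['objects'][0]` and `tgt = t['objects'][0]` into locals (or a small helper that formats `name (external_id)` once) would make it readable and give one place to guard the `external_references[0]['external_id']` access.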


@ -22,14 +22,14 @@ for element in os.listdir('.'):
value = {} value = {}
value['description'] = temp['description'] value['description'] = temp['description']
value['value'] = temp['name'] value['value'] = temp['name'] + ' - ' + temp['external_references'][0]['external_id']
value['meta'] = {} value['meta'] = {}
value['meta']['refs'] = [] value['meta']['refs'] = []
for reference in temp['external_references']: for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']: if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url']) value['meta']['refs'].append(reference['url'])
if'x_mitre_aliases' in temp: if'x_mitre_aliases' in temp:
value['meta']['synonyms'] = temp['x_mitre_aliases'] value['meta']['synonyms'] = temp['x_mitre_aliases']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:] value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value) values.append(value)
@ -41,7 +41,7 @@ galaxy['uuid' ] = "1d0b4bce-1708-11e8-9e6e-1b130c9b0a91"
galaxy['version'] = args.version galaxy['version'] = args.version
galaxy['icon'] = "gavel" galaxy['icon'] = "gavel"
cluster = {} cluster = {}
cluster['name'] = "Mobile Attack - Tool" cluster['name'] = "Mobile Attack - Tool"
cluster['type'] = "mitre-mobile-attack-tool" cluster['type'] = "mitre-mobile-attack-tool"
cluster['description'] = "Name of ATT&CK software" cluster['description'] = "Name of ATT&CK software"


@ -22,11 +22,11 @@ for element in os.listdir('.'):
value = {} value = {}
value['description'] = temp['description'] value['description'] = temp['description']
value['value'] = temp['name'] value['value'] = temp['name'] + ' - ' + temp['external_references'][0]['external_id']
value['meta'] = {} value['meta'] = {}
value['meta']['refs'] = [] value['meta']['refs'] = []
for reference in temp['external_references']: for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']: if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url']) value['meta']['refs'].append(reference['url'])
if 'x_mitre_data_sources' in temp: if 'x_mitre_data_sources' in temp:
value['meta']['mitre_data_sources'] = temp['x_mitre_data_sources'] value['meta']['mitre_data_sources'] = temp['x_mitre_data_sources']
@ -43,7 +43,7 @@ galaxy['uuid' ] = "1f665850-1708-11e8-9cfe-4792b2a91402"
galaxy['version'] = args.version galaxy['version'] = args.version
galaxy['icon'] = "map" galaxy['icon'] = "map"
cluster = {} cluster = {}
cluster['name'] = "Pre Attack - Attack Pattern" cluster['name'] = "Pre Attack - Attack Pattern"
cluster['type'] = "mitre-pre-attack-attack-pattern" cluster['type'] = "mitre-pre-attack-attack-pattern"
cluster['description'] = "ATT&CK tactic" cluster['description'] = "ATT&CK tactic"


@ -22,12 +22,12 @@ for element in os.listdir('.'):
value = {} value = {}
value['description'] = temp['description'] value['description'] = temp['description']
value['value'] = temp['name'] value['value'] = temp['name'] + ' - ' + temp['external_references'][0]['external_id']
value['meta'] = {} value['meta'] = {}
value['meta']['synonyms'] = temp['aliases'] value['meta']['synonyms'] = temp['aliases']
value['meta']['refs']= [] value['meta']['refs']= []
for reference in temp['external_references']: for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']: if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url']) value['meta']['refs'].append(reference['url'])
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:] value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value) values.append(value)
@ -40,7 +40,7 @@ galaxy['uuid' ] = "1fb6d5b4-1708-11e8-9836-8bbc8ce6866e"
galaxy['version'] = args.version galaxy['version'] = args.version
galaxy['icon'] = "user-secret" galaxy['icon'] = "user-secret"
cluster = {} cluster = {}
cluster['name'] = "Pre Attack - intrusion Set" cluster['name'] = "Pre Attack - intrusion Set"
cluster['type'] = "mitre-pre-attack-intrusion-set" cluster['type'] = "mitre-pre-attack-intrusion-set"
cluster['description'] = "Name of ATT&CK Group" cluster['description'] = "Name of ATT&CK Group"


@ -17,7 +17,7 @@ for element in os.listdir(path):
with open(path+element) as json_data: with open(path+element) as json_data:
d = json.load(json_data) d = json.load(json_data)
json_data.close() json_data.close()
temp = d['objects'][0] temp = d['objects'][0]
source = temp['source_ref'] source = temp['source_ref']
target = temp['target_ref'] target = temp['target_ref']
@ -66,13 +66,14 @@ for element in os.listdir(path):
with open(patht+target+'.json') as json_data: with open(patht+target+'.json') as json_data:
t = json.load(json_data) t = json.load(json_data)
json_data.close() json_data.close()
value = {} value = {}
value['meta'] = {} value['meta'] = {}
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:] value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['meta']['source-uuid'] = re.search('--(.*)$', s['objects'][0]['id']).group(0)[2:] value['meta']['source-uuid'] = re.search('--(.*)$', s['objects'][0]['id']).group(0)[2:]
value['meta']['target-uuid'] = re.search('--(.*)$', t['objects'][0]['id']).group(0)[2:] value['meta']['target-uuid'] = re.search('--(.*)$', t['objects'][0]['id']).group(0)[2:]
value['value'] = s['objects'][0]['name'] + ' ' + relationship + ' ' + t['objects'][0]['name'] value['value'] = s['objects'][0]['name'] + ' (' + s['objects'][0]['external_references'][0]['external_id'] + ') ' + relationship + ' ' + t['objects'][0]['name'] + ' (' + t['objects'][0]['external_references'][0]['external_id'] + ')'
# value['value'] = s['objects'][0]['name'] + ' ' + relationship + ' ' + t['objects'][0]['name']
values.append(value) values.append(value)
galaxy = {} galaxy = {}
@ -83,7 +84,7 @@ galaxy['uuid' ] = "1f8e3bae-1708-11e8-8e97-4bd2150e5aae"
galaxy['version'] = args.version galaxy['version'] = args.version
galaxy['icon'] = "link" galaxy['icon'] = "link"
cluster = {} cluster = {}
cluster['name'] = "Pre Attack - Relationship" cluster['name'] = "Pre Attack - Relationship"
cluster['type'] = "mitre-pre-attack-relationship" cluster['type'] = "mitre-pre-attack-relationship"
cluster['description'] = "MITRE Relationship" cluster['description'] = "MITRE Relationship"