This commit is contained in:
Deborah Servili 2018-05-19 12:57:20 +02:00
parent 730353f63d
commit f6d7291e7a
24 changed files with 17210 additions and 17210 deletions

File diff suppressed because one or more lines are too long


@ -114,7 +114,7 @@
} }
}, },
{ {
"description": "The sudoers file should be strictly edited such that passwords are always required and that users can\u2019t spawn risky processes as users with higher privilege. By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file.", "description": "The sudoers file should be strictly edited such that passwords are always required and that users cant spawn risky processes as users with higher privilege. By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file.",
"value": "Sudo Mitigation - T1169", "value": "Sudo Mitigation - T1169",
"uuid": "23bff3ce-021c-4e7a-9aee-60fd40bc7c6c", "uuid": "23bff3ce-021c-4e7a-9aee-60fd40bc7c6c",
"meta": { "meta": {
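Review bot: The right-hand column of the T1169 description loses a character rather than converting it: `can\u2019t` becomes `cant`, so the escape for U+2019 was removed instead of being replaced with the literal right single quotation mark (or an ASCII apostrophe). The conversion should yield `can’t`; please re-run the unescaping step on this file and diff the decoded left-hand string against the new right-hand string to confirm no characters are dropped.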
@ -466,7 +466,7 @@
} }
}, },
{ {
"description": "Monitor/harden access to LSASS and SAM table with tools that allow process whitelisting. Limit credential overlap across systems to prevent lateral movement opportunities using Valid Accounts if passwords and hashes are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)\n\nOn Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. (Citation: Microsoft LSA)\n\nIdentify and block potentially malicious software that may be used to dump credentials by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nWith Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. (Citation: TechNet Credential Guard) It also does not protect against all forms of credential dumping. (Citation: GitHub SHB Credential Guard)\n\nManage the access control list for \u201cReplicating Directory Changes\u201d and other permissions associated with domain controller replication. (Citation: AdSecurity DCSync Sept 2015) (Citation: Microsoft Replication ACL)\n\nConsider disabling or restricting NTLM traffic. 
(Citation: Microsoft Disable NTLM Nov 2012)", "description": "Monitor/harden access to LSASS and SAM table with tools that allow process whitelisting. Limit credential overlap across systems to prevent lateral movement opportunities using Valid Accounts if passwords and hashes are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)\n\nOn Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. (Citation: Microsoft LSA)\n\nIdentify and block potentially malicious software that may be used to dump credentials by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nWith Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. (Citation: TechNet Credential Guard) It also does not protect against all forms of credential dumping. (Citation: GitHub SHB Credential Guard)\n\nManage the access control list for “Replicating Directory Changes” and other permissions associated with domain controller replication. (Citation: AdSecurity DCSync Sept 2015) (Citation: Microsoft Replication ACL)\n\nConsider disabling or restricting NTLM traffic. (Citation: Microsoft Disable NTLM Nov 2012)",
"value": "Credential Dumping Mitigation - T1003", "value": "Credential Dumping Mitigation - T1003",
"uuid": "aeff5887-8f9e-48d5-a523-9b395e2ce80a", "uuid": "aeff5887-8f9e-48d5-a523-9b395e2ce80a",
"meta": { "meta": {
@ -506,7 +506,7 @@
} }
}, },
{ {
"description": "Since StartupItems are deprecated, preventing all users from writing to the <code>/Library/StartupItems</code> directory would prevent any startup items from getting registered. Similarly, appropriate permissions should be applied such that only specific users can edit the startup items so that they can\u2019t be leveraged for privilege escalation.", "description": "Since StartupItems are deprecated, preventing all users from writing to the <code>/Library/StartupItems</code> directory would prevent any startup items from getting registered. Similarly, appropriate permissions should be applied such that only specific users can edit the startup items so that they cant be leveraged for privilege escalation.",
"value": "Startup Items Mitigation - T1165", "value": "Startup Items Mitigation - T1165",
"uuid": "94927849-03e3-4a07-8f4c-9ee21b626719", "uuid": "94927849-03e3-4a07-8f4c-9ee21b626719",
"meta": { "meta": {
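Review bot: Same character loss in the T1165 description: `can\u2019t` on the left becomes `cant` on the right, so the apostrophe is gone rather than unescaped. The expected result is `can’t`.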
@ -850,7 +850,7 @@
} }
}, },
{ {
"description": "Enforce that all binaries be signed by the correct Apple Developer IDs, and whitelist applications via known hashes. Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn\u2019t included as part of an update, it should be investigated.", "description": "Enforce that all binaries be signed by the correct Apple Developer IDs, and whitelist applications via known hashes. Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasnt included as part of an update, it should be investigated.",
"value": "LC_LOAD_DYLIB Addition Mitigation - T1161", "value": "LC_LOAD_DYLIB Addition Mitigation - T1161",
"uuid": "77fd4d73-6b79-4593-82e7-e4a439cc7604", "uuid": "77fd4d73-6b79-4593-82e7-e4a439cc7604",
"meta": { "meta": {
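Review bot: The T1161 description drops the U+2019 character: `wasn\u2019t` becomes `wasnt` in the right-hand column. The hunk two screens up for T1003 shows the same script handling `\u201c`/`\u201d` correctly, so the loss appears specific to how `\u2019` is treated; the expected output here is `wasn’t`.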
@ -1122,7 +1122,7 @@
} }
}, },
{ {
"description": "Prevent users from changing the <code>HISTCONTROL</code> environment variable (Citation: Securing bash history). Also, make sure that the <code>HISTCONTROL</code> environment variable is set to \u201cignoredup\u201d instead of \u201cignoreboth\u201d or \u201cignorespace\u201d.", "description": "Prevent users from changing the <code>HISTCONTROL</code> environment variable (Citation: Securing bash history). Also, make sure that the <code>HISTCONTROL</code> environment variable is set to “ignoredup” instead of “ignoreboth” or “ignorespace”.",
"value": "HISTCONTROL Mitigation - T1148", "value": "HISTCONTROL Mitigation - T1148",
"uuid": "03c0c586-50ed-45a7-95f4-f496d7eb5330", "uuid": "03c0c586-50ed-45a7-95f4-f496d7eb5330",
"meta": { "meta": {
@ -1698,8 +1698,8 @@
} }
}, },
{ {
"description": "This type of attack technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate process-loading mechanisms from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nAlthough Process Doppelg\u00e4nging may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "description": "This type of attack technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate process-loading mechanisms from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nAlthough Process Doppelgänging may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"value": "Process Doppelg\u00e4nging Mitigation - T1186", "value": "Process Doppelgänging Mitigation - T1186",
"uuid": "34d6a2ef-370e-4d21-a34b-6208b7c78f31", "uuid": "34d6a2ef-370e-4d21-a34b-6208b7c78f31",
"meta": { "meta": {
"external_id": "T1186" "external_id": "T1186"


@ -429,7 +429,7 @@
"uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a" "uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a"
}, },
{ {
"description": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People\u2019s Liberation Army (PLA) General Staff Department\u2019s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)", "description": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the Peoples Liberation Army (PLA) General Staff Departments (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)",
"value": "APT1 - G0006", "value": "APT1 - G0006",
"meta": { "meta": {
"synonyms": [ "synonyms": [
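Review bot: Two possessives in the G0006 description lose their apostrophes: `People\u2019s` becomes `Peoples` and `Department\u2019s` becomes `Departments`. Since this text is the group's attribution statement and the same string appears in a second file in this commit, both copies need `People’s` and `Department’s` restored before merging.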
@ -563,7 +563,7 @@
"uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8" "uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8"
}, },
{ {
"description": "Naikon is a threat group that has focused on targets around the South China Sea. (Citation: Baumgartner Naikon 2015) The group has been attributed to the Chinese People\u2019s Liberation Army\u2019s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). (Citation: CameraShy) While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. (Citation: Baumgartner Golovkin Naikon 2015)", "description": "Naikon is a threat group that has focused on targets around the South China Sea. (Citation: Baumgartner Naikon 2015) The group has been attributed to the Chinese Peoples Liberation Armys (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). (Citation: CameraShy) While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. (Citation: Baumgartner Golovkin Naikon 2015)",
"value": "Naikon - G0019", "value": "Naikon - G0019",
"meta": { "meta": {
"synonyms": [ "synonyms": [
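Review bot: The G0019 description has the same defect: `People\u2019s` and `Army\u2019s` come out as `Peoples` and `Armys`. Expected `People’s Liberation Army’s`.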
@ -797,7 +797,7 @@
"uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9" "uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9"
}, },
{ {
"description": "Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center Wi\u2011Fi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing. (Citation: Kaspersky Darkhotel)", "description": "Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center WiFi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing. (Citation: Kaspersky Darkhotel)",
"value": "Darkhotel - G0012", "value": "Darkhotel - G0012",
"meta": { "meta": {
"synonyms": [ "synonyms": [
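Review bot: Here the dropped character is not an apostrophe but the non-breaking hyphen U+2011: `Wi\u2011Fi` becomes `WiFi` in the right-hand column, silently changing the spelling of the term. Any escape that is removed without a replacement should be treated as a conversion failure; either emit the literal character or substitute a plain ASCII hyphen (`Wi-Fi`).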
@ -987,7 +987,7 @@
"uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f" "uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f"
}, },
{ {
"description": "Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA\u2019s 3rd General Staff Department (GSD). (Citation: CrowdStrike Putter Panda)", "description": "Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLAs 3rd General Staff Department (GSD). (Citation: CrowdStrike Putter Panda)",
"value": "Putter Panda - G0024", "value": "Putter Panda - G0024",
"meta": { "meta": {
"synonyms": [ "synonyms": [
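Review bot: The G0024 description loses the possessive apostrophe: `PLA\u2019s` becomes `PLAs`, which reads as a plural. Expected `PLA’s`.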


@ -1264,7 +1264,7 @@
"uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69" "uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69"
}, },
{ {
"description": "NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as \u201cScout\u201d and \u201cNorton.\u201d (Citation: FireEye APT30)\n\nAliases: NETEAGLE", "description": "NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.” (Citation: FireEye APT30)\n\nAliases: NETEAGLE",
"value": "NETEAGLE - S0034", "value": "NETEAGLE - S0034",
"meta": { "meta": {
"refs": [ "refs": [


@ -10,7 +10,7 @@
], ],
"values": [ "values": [
{ {
"description": "is a lightweight, open source tool similar to PsExec designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) is unique in that it is a GNU/Linux based client. (Citation: \u00dcberwachung APT28 Forfiles June 2015)\n\nAliases: Winexe", "description": "is a lightweight, open source tool similar to PsExec designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) is unique in that it is a GNU/Linux based client. (Citation: Überwachung APT28 Forfiles June 2015)\n\nAliases: Winexe",
"value": "Winexe - S0191", "value": "Winexe - S0191",
"meta": { "meta": {
"refs": [ "refs": [
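Review bot: The `\u00dc` to `Ü` conversion in the S0191 citation is correct in this hunk. Unrelated to this change but visible on both sides: the description starts mid-sentence (`is a lightweight, open source tool` and later `is unique in that`), so the tool name `Winexe` is missing as the subject in both places; worth fixing in a follow-up rather than carrying it forward unchanged.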
@ -460,7 +460,7 @@
"uuid": "9de2308e-7bed-43a3-8e58-f194b3586700" "uuid": "9de2308e-7bed-43a3-8e58-f194b3586700"
}, },
{ {
"description": "Cachedump is a publicly-available tool that program extracts cached password hashes from a system\u2019s registry. (Citation: Mandiant APT1)\n\nAliases: Cachedump", "description": "Cachedump is a publicly-available tool that program extracts cached password hashes from a systems registry. (Citation: Mandiant APT1)\n\nAliases: Cachedump",
"value": "Cachedump - S0119", "value": "Cachedump - S0119",
"meta": { "meta": {
"refs": [ "refs": [
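Review bot: The S0119 description drops the apostrophe in `system\u2019s`, giving `systems registry`. Expected `system’s registry`. Pre-existing on both sides, and also worth a follow-up: `a publicly-available tool that program extracts` is ungrammatical (`that program` looks like a leftover from an earlier edit).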
@ -682,7 +682,7 @@
"uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555" "uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555"
}, },
{ {
"description": "Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as \u201cadversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors\u201d. Cobalt Strike\u2019s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. (Citation: cobaltstrike manual)\n\nAliases: Cobalt Strike\n\nContributors: Josh Abraham", "description": "Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strikes interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. (Citation: cobaltstrike manual)\n\nAliases: Cobalt Strike\n\nContributors: Josh Abraham",
"value": "Cobalt Strike - S0154", "value": "Cobalt Strike - S0154",
"meta": { "meta": {
"refs": [ "refs": [
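Review bot: The S0154 description shows the conversion is inconsistent even within one string: the opening `\u201c` before `adversary simulation software` is dropped entirely, while the closing `\u201d` after `advanced threat actors` is correctly converted to `”`, leaving an unbalanced quotation. `Strike\u2019s` also becomes `Strikes`. Expected `“adversary simulation software … advanced threat actors”` and `Cobalt Strike’s`.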


@ -85,7 +85,7 @@
"uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e" "uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e"
}, },
{ {
"description": "Lookout states that some variants of the Shedun, Shuanet, and ShiftyBug/Kemoge Android malware families \"have 71 percent to 82 percent code similarity\" (Citation: Lookout-Adware), even though they \"don\u2019t believe these apps were all created by the same author or group\".\n\nAliases: Shedun, Shuanet, ShiftyBug, Kemoge", "description": "Lookout states that some variants of the Shedun, Shuanet, and ShiftyBug/Kemoge Android malware families \"have 71 percent to 82 percent code similarity\" (Citation: Lookout-Adware), even though they \"dont believe these apps were all created by the same author or group\".\n\nAliases: Shedun, Shuanet, ShiftyBug, Kemoge",
"value": "Shedun - MOB-S0010", "value": "Shedun - MOB-S0010",
"meta": { "meta": {
"refs": [ "refs": [
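Review bot: In the MOB-S0010 description `don\u2019t` becomes `dont` inside a quoted passage attributed to Lookout, so the change alters a direct quotation. Expected `don’t`.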
@ -275,7 +275,7 @@
"meta": { "meta": {
"refs": [ "refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0036", "https://attack.mitre.org/mobile/index.php/Software/MOB-S0036",
"https://www.zscaler.com/blogs/research/super-mario-run-malware-2-\u2013-droidjack-rat", "https://www.zscaler.com/blogs/research/super-mario-run-malware-2--droidjack-rat",
"https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app" "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app"
], ],
"external_id": "MOB-S0036", "external_id": "MOB-S0036",
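Review bot: This hunk changes a reference URL, not just display text: the `\u2013` (en dash) in `super-mario-run-malware-2-\u2013-droidjack-rat` is removed, leaving `malware-2--droidjack-rat`, which is a different path and will most likely no longer resolve. URLs in `refs` should be left untouched by a prose-unescaping pass, or the dash should be emitted literally (or percent-encoded) so the link still matches the left-hand value.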
@ -406,7 +406,7 @@
"uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533" "uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533"
}, },
{ {
"description": "According to Lookout (Citation: Lookout-EnterpriseApps), the PJApps Android malware family \"may collect and leak the victim\u2019s phone number, mobile device unique identifier (IMEI), and location. In order to make money, it may send messages to premium SMS numbers. PJApps also has the ability to download further applications to the device.\"\n\nAliases: PJApps", "description": "According to Lookout (Citation: Lookout-EnterpriseApps), the PJApps Android malware family \"may collect and leak the victims phone number, mobile device unique identifier (IMEI), and location. In order to make money, it may send messages to premium SMS numbers. PJApps also has the ability to download further applications to the device.\"\n\nAliases: PJApps",
"value": "PJApps - MOB-S0007", "value": "PJApps - MOB-S0007",
"meta": { "meta": {
"refs": [ "refs": [
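Review bot: The MOB-S0007 description loses the apostrophe in `victim\u2019s` (`victims phone number`), again inside a passage quoted from Lookout. Expected `victim’s`.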


@ -87,7 +87,7 @@
"uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb" "uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb"
}, },
{ {
"description": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People\u2019s Liberation Army (PLA) General Staff Department\u2019s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)", "description": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the Peoples Liberation Army (PLA) General Staff Departments (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)",
"value": "APT1 - G0006", "value": "APT1 - G0006",
"meta": { "meta": {
"synonyms": [ "synonyms": [
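Review bot: This is the second copy of the G0006 description in this commit and it carries the same loss: `Peoples` and `Departments` instead of `People’s` and `Department’s`. Both files should be regenerated from the same corrected conversion so they stay identical.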