mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-30 02:37:17 +00:00
3728 lines
122 KiB
JSON
3728 lines
122 KiB
JSON
{
|
||
"authors": [
|
||
"MITRE"
|
||
],
|
||
"category": "tool",
|
||
"description": "Name of ATT&CK software",
|
||
"name": "Tool",
|
||
"source": "https://github.com/mitre/cti",
|
||
"type": "mitre-tool",
|
||
"uuid": "d700dc5c-78f6-11e7-a476-5f748c8e4fe0",
|
||
"values": [
|
||
{
|
||
"description": "[Windows Credential Editor](https://attack.mitre.org/software/S0005) is a password dumping tool. (Citation: Amplia WCE)",
|
||
"meta": {
|
||
"external_id": "S0005",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0005",
|
||
"http://www.ampliasecurity.com/research/wcefaq.html"
|
||
],
|
||
"synonyms": [
|
||
"Windows Credential Editor",
|
||
"WCE"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
|
||
"value": "Windows Credential Editor - S0005"
|
||
},
|
||
{
|
||
"description": "[Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)",
|
||
"meta": {
|
||
"external_id": "S0122",
|
||
"mitre_platforms": [
|
||
"Linux",
|
||
"Windows",
|
||
"macOS"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0122",
|
||
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
|
||
],
|
||
"synonyms": [
|
||
"Pass-The-Hash Toolkit"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69",
|
||
"value": "Pass-The-Hash Toolkit - S0122"
|
||
},
|
||
{
|
||
"description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002). (Citation: cobaltstrike manual)",
|
||
"meta": {
|
||
"external_id": "S0154",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0154",
|
||
"https://cobaltstrike.com/downloads/csmanual38.pdf"
|
||
],
|
||
"synonyms": [
|
||
"Cobalt Strike"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "ca44dd5e-fd9e-48b5-99cb-0b2629b9265f",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"likely\""
|
||
],
|
||
"type": "similar"
|
||
},
|
||
{
|
||
"dest-uuid": "3da22160-12d9-4d27-a99f-338e8de3844a",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"likely\""
|
||
],
|
||
"type": "similar"
|
||
},
|
||
{
|
||
"dest-uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"likely\""
|
||
],
|
||
"type": "similar"
|
||
},
|
||
{
|
||
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
|
||
"value": "Cobalt Strike - S0154"
|
||
},
|
||
{
|
||
"description": "[Invoke-PSImage](https://attack.mitre.org/software/S0231) takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one liner for executing either from a file of from the web. Example of usage is embedding the PowerShell code from the Invoke-Mimikatz module and embed it into an image file. By calling the image file from a macro for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. (Citation: GitHub Invoke-PSImage)",
|
||
"meta": {
|
||
"external_id": "S0231",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0231",
|
||
"https://github.com/peewpw/Invoke-PSImage"
|
||
],
|
||
"synonyms": [
|
||
"Invoke-PSImage"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f",
|
||
"value": "Invoke-PSImage - S0231"
|
||
},
|
||
{
|
||
"description": "[ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)",
|
||
"meta": {
|
||
"external_id": "S0100",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0100",
|
||
"https://technet.microsoft.com/en-us/library/bb490921.aspx"
|
||
],
|
||
"synonyms": [
|
||
"ipconfig",
|
||
"ipconfig.exe"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "294e2560-bd48-44b2-9da2-833b5588ad11",
|
||
"value": "ipconfig - S0100"
|
||
},
|
||
{
|
||
"description": "[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)",
|
||
"meta": {
|
||
"external_id": "S0002",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0002",
|
||
"https://github.com/gentilkiwi/mimikatz",
|
||
"https://adsecurity.org/?page_id=1821"
|
||
],
|
||
"synonyms": [
|
||
"Mimikatz"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "7f3a035d-d83a-45b8-8111-412aa8ade802",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"likely\""
|
||
],
|
||
"type": "similar"
|
||
},
|
||
{
|
||
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
|
||
"value": "Mimikatz - S0002"
|
||
},
|
||
{
|
||
"description": "[HTRAN](https://attack.mitre.org/software/S0040) is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. (Citation: Operation Quantum Entanglement)(Citation: NCSC Joint Report Public Tools)",
|
||
"meta": {
|
||
"external_id": "S0040",
|
||
"mitre_platforms": [
|
||
"Linux",
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0040",
|
||
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
|
||
"https://s3.eu-west-1.amazonaws.com/ncsc-content/files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
|
||
],
|
||
"synonyms": [
|
||
"HTRAN",
|
||
"HUC Packet Transmit Tool"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"likely\""
|
||
],
|
||
"type": "similar"
|
||
},
|
||
{
|
||
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
|
||
"value": "HTRAN - S0040"
|
||
},
|
||
{
|
||
"description": "[pwdump](https://attack.mitre.org/software/S0006) is a credential dumper. (Citation: Wikipedia pwdump)",
|
||
"meta": {
|
||
"external_id": "S0006",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0006",
|
||
"https://en.wikipedia.org/wiki/Pwdump"
|
||
],
|
||
"synonyms": [
|
||
"pwdump"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "9de2308e-7bed-43a3-8e58-f194b3586700",
|
||
"value": "pwdump - S0006"
|
||
},
|
||
{
|
||
"description": "[gsecdump](https://attack.mitre.org/software/S0008) is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. (Citation: TrueSec Gsecdump)",
|
||
"meta": {
|
||
"external_id": "S0008",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0008",
|
||
"https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5"
|
||
],
|
||
"synonyms": [
|
||
"gsecdump"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "8410d208-7450-407d-b56c-e5c1ced19632",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"likely\""
|
||
],
|
||
"type": "similar"
|
||
},
|
||
{
|
||
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54",
|
||
"value": "gsecdump - S0008"
|
||
},
|
||
{
|
||
"description": "[at](https://attack.mitre.org/software/S0110) is used to schedule tasks on a system to run at a specified date or time. (Citation: TechNet At)",
|
||
"meta": {
|
||
"external_id": "S0110",
|
||
"mitre_platforms": [
|
||
"Linux",
|
||
"Windows",
|
||
"macOS"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0110",
|
||
"https://technet.microsoft.com/en-us/library/bb490866.aspx"
|
||
],
|
||
"synonyms": [
|
||
"at",
|
||
"at.exe"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952",
|
||
"value": "at - S0110"
|
||
},
|
||
{
|
||
"description": "[ifconfig](https://attack.mitre.org/software/S0101) is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)",
|
||
"meta": {
|
||
"external_id": "S0101",
|
||
"mitre_platforms": [
|
||
"Linux"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0101",
|
||
"https://en.wikipedia.org/wiki/Ifconfig"
|
||
],
|
||
"synonyms": [
|
||
"ifconfig"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5",
|
||
"value": "ifconfig - S0101"
|
||
},
|
||
{
|
||
"description": "[Fgdump](https://attack.mitre.org/software/S0120) is a Windows password hash dumper. (Citation: Mandiant APT1)",
|
||
"meta": {
|
||
"external_id": "S0120",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0120",
|
||
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
|
||
],
|
||
"synonyms": [
|
||
"Fgdump"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe",
|
||
"value": "Fgdump - S0120"
|
||
},
|
||
{
|
||
"description": "[nbtstat](https://attack.mitre.org/software/S0102) is a utility used to troubleshoot NetBIOS name resolution. (Citation: TechNet Nbtstat)",
|
||
"meta": {
|
||
"external_id": "S0102",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0102",
|
||
"https://technet.microsoft.com/en-us/library/cc940106.aspx"
|
||
],
|
||
"synonyms": [
|
||
"nbtstat",
|
||
"nbtstat.exe"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "b35068ec-107a-4266-bda8-eb7036267aea",
|
||
"value": "nbtstat - S0102"
|
||
},
|
||
{
|
||
"description": "[route](https://attack.mitre.org/software/S0103) can be used to find or change information within the local system IP routing table. (Citation: TechNet Route)",
|
||
"meta": {
|
||
"external_id": "S0103",
|
||
"mitre_platforms": [
|
||
"Linux",
|
||
"Windows",
|
||
"macOS"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0103",
|
||
"https://technet.microsoft.com/en-us/library/bb490991.aspx"
|
||
],
|
||
"synonyms": [
|
||
"route",
|
||
"route.exe"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de",
|
||
"value": "route - S0103"
|
||
},
|
||
{
|
||
"description": "[netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)",
|
||
"meta": {
|
||
"external_id": "S0104",
|
||
"mitre_platforms": [
|
||
"Windows",
|
||
"Linux",
|
||
"macOS"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0104",
|
||
"https://technet.microsoft.com/en-us/library/bb490947.aspx"
|
||
],
|
||
"synonyms": [
|
||
"netstat",
|
||
"netstat.exe"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "4664b683-f578-434f-919b-1c1aad2a1111",
|
||
"value": "netstat - S0104"
|
||
},
|
||
{
|
||
"description": "[dsquery](https://attack.mitre.org/software/S0105) is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.",
|
||
"meta": {
|
||
"external_id": "S0105",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0105",
|
||
"https://technet.microsoft.com/en-us/library/cc732952.aspx"
|
||
],
|
||
"synonyms": [
|
||
"dsquery",
|
||
"dsquery.exe"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe",
|
||
"value": "dsquery - S0105"
|
||
},
|
||
{
|
||
"description": "[cmd](https://attack.mitre.org/software/S0106) is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd)\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code> (Citation: TechNet Dir)), deleting files (e.g., <code>del</code> (Citation: TechNet Del)), and copying files (e.g., <code>copy</code> (Citation: TechNet Copy)).",
|
||
"meta": {
|
||
"external_id": "S0106",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0106",
|
||
"https://technet.microsoft.com/en-us/library/bb490880.aspx",
|
||
"https://technet.microsoft.com/en-us/library/cc755121.aspx",
|
||
"https://technet.microsoft.com/en-us/library/cc771049.aspx",
|
||
"https://technet.microsoft.com/en-us/library/bb490886.aspx"
|
||
],
|
||
"synonyms": [
|
||
"cmd",
|
||
"cmd.exe"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e",
|
||
"value": "cmd - S0106"
|
||
},
|
||
{
|
||
"description": "[certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)",
|
||
"meta": {
|
||
"external_id": "S0160",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0160",
|
||
"https://technet.microsoft.com/library/cc732443.aspx"
|
||
],
|
||
"synonyms": [
|
||
"certutil",
|
||
"certutil.exe"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "3e205e84-9f90-4b4b-8896-c82189936a15",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"likely\""
|
||
],
|
||
"type": "similar"
|
||
},
|
||
{
|
||
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc",
|
||
"value": "certutil - S0160"
|
||
},
|
||
{
|
||
"description": "[netsh](https://attack.mitre.org/software/S0108) is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)",
|
||
"meta": {
|
||
"external_id": "S0108",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0108",
|
||
"https://technet.microsoft.com/library/bb490939.aspx"
|
||
],
|
||
"synonyms": [
|
||
"netsh",
|
||
"netsh.exe"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
|
||
"value": "netsh - S0108"
|
||
},
|
||
{
|
||
"description": "[BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)",
|
||
"meta": {
|
||
"external_id": "S0190",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0190",
|
||
"https://msdn.microsoft.com/library/aa362813.aspx"
|
||
],
|
||
"synonyms": [
|
||
"BITSAdmin"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "64764dc6-a032-495f-8250-1e4c06bdc163",
|
||
"value": "BITSAdmin - S0190"
|
||
},
|
||
{
|
||
"description": "[Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool. [Koadic](https://attack.mitre.org/software/S0250) is publicly available on GitHub and the tool is executed via the command-line. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants. [Koadic](https://attack.mitre.org/software/S0250) performs most of its operations using Windows Script Host. (Citation: Github Koadic) (Citation: Palo Alto Sofacy 06-2018)",
|
||
"meta": {
|
||
"external_id": "S0250",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0250",
|
||
"https://github.com/zerosum0x0/koadic",
|
||
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/"
|
||
],
|
||
"synonyms": [
|
||
"Koadic"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "c8655260-9f4b-44e3-85e1-6538a5f6e4f4",
|
||
"value": "Koadic - S0250"
|
||
},
|
||
{
|
||
"description": "[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)",
|
||
"meta": {
|
||
"external_id": "S0029",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0029",
|
||
"https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx",
|
||
"https://digital-forensics.sans.org/blog/2012/12/17/protecting-privileged-domain-accounts-psexec-deep-dive"
|
||
],
|
||
"synonyms": [
|
||
"PsExec"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "6dd05630-9bd8-11e8-a8b9-47ce338a4367",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"likely\""
|
||
],
|
||
"type": "similar"
|
||
},
|
||
{
|
||
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
|
||
"value": "PsExec - S0029"
|
||
},
|
||
{
|
||
"description": "The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\n[Net](https://attack.mitre.org/software/S0039) has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) using <code>net use</code> commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as <code>net1 user</code>.",
|
||
"meta": {
|
||
"external_id": "S0039",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0039",
|
||
"https://msdn.microsoft.com/en-us/library/aa939914",
|
||
"http://windowsitpro.com/windows/netexe-reference"
|
||
],
|
||
"synonyms": [
|
||
"Net",
|
||
"net.exe"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "03342581-f790-4f03-ba41-e82e67392e23",
|
||
"value": "Net - S0039"
|
||
},
|
||
{
|
||
"description": "[Reg](https://attack.mitre.org/software/S0075) is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation: Microsoft Reg)\n\nUtilities such as [Reg](https://attack.mitre.org/software/S0075) are known to be used by persistent threats. (Citation: Windows Commands JPCERT)",
|
||
"meta": {
|
||
"external_id": "S0075",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0075",
|
||
"https://technet.microsoft.com/en-us/library/cc732643.aspx",
|
||
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
|
||
],
|
||
"synonyms": [
|
||
"Reg",
|
||
"reg.exe"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f",
|
||
"value": "Reg - S0075"
|
||
},
|
||
{
|
||
"description": "The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)",
|
||
"meta": {
|
||
"external_id": "S0057",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0057",
|
||
"https://technet.microsoft.com/en-us/library/bb491010.aspx"
|
||
],
|
||
"synonyms": [
|
||
"Tasklist"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f",
|
||
"value": "Tasklist - S0057"
|
||
},
|
||
{
|
||
"description": "[FTP](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data. (Citation: Wikipedia FTP)",
|
||
"meta": {
|
||
"external_id": "S0095",
|
||
"mitre_platforms": [
|
||
"Linux",
|
||
"Windows",
|
||
"macOS"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0095",
|
||
"https://en.wikipedia.org/wiki/File_Transfer_Protocol"
|
||
],
|
||
"synonyms": [
|
||
"FTP",
|
||
"ftp.exe"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565",
|
||
"value": "FTP - S0095"
|
||
},
|
||
{
|
||
"description": "[Systeminfo](https://attack.mitre.org/software/S0096) is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)",
|
||
"meta": {
|
||
"external_id": "S0096",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0096",
|
||
"https://technet.microsoft.com/en-us/library/bb491007.aspx"
|
||
],
|
||
"synonyms": [
|
||
"systeminfo.exe",
|
||
"Systeminfo"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
|
||
"value": "Systeminfo - S0096"
|
||
},
|
||
{
|
||
"description": "[Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)",
|
||
"meta": {
|
||
"external_id": "S0097",
|
||
"mitre_platforms": [
|
||
"Linux",
|
||
"Windows",
|
||
"macOS"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0097",
|
||
"https://technet.microsoft.com/en-us/library/bb490968.aspx"
|
||
],
|
||
"synonyms": [
|
||
"ping.exe",
|
||
"Ping"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47",
|
||
"value": "Ping - S0097"
|
||
},
|
||
{
|
||
"description": "[Arp](https://attack.mitre.org/software/S0099) displays information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp)",
|
||
"meta": {
|
||
"external_id": "S0099",
|
||
"mitre_platforms": [
|
||
"Linux",
|
||
"Windows",
|
||
"macOS"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0099",
|
||
"https://technet.microsoft.com/en-us/library/bb490864.aspx"
|
||
],
|
||
"synonyms": [
|
||
"Arp",
|
||
"arp.exe"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "30489451-5886-4c46-90c9-0dff9adc5252",
|
||
"value": "Arp - S0099"
|
||
},
|
||
{
|
||
"description": "[schtasks](https://attack.mitre.org/software/S0111) is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. (Citation: TechNet Schtasks)",
|
||
"meta": {
|
||
"external_id": "S0111",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0111",
|
||
"https://technet.microsoft.com/en-us/library/bb490996.aspx"
|
||
],
|
||
"synonyms": [
|
||
"schtasks",
|
||
"schtasks.exe"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "c9703cd3-141c-43a0-a926-380082be5d04",
|
||
"value": "schtasks - S0111"
|
||
},
|
||
{
|
||
"description": "[Lslsass](https://attack.mitre.org/software/S0121) is a publicly-available tool that can dump active logon session password hashes from the lsass process. (Citation: Mandiant APT1)",
|
||
"meta": {
|
||
"external_id": "S0121",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0121",
|
||
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
|
||
],
|
||
"synonyms": [
|
||
"Lslsass"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "2fab555f-7664-4623-b4e0-1675ae38190b",
|
||
"value": "Lslsass - S0121"
|
||
},
|
||
{
|
||
"description": "[UACMe](https://attack.mitre.org/software/S0116) is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. (Citation: Github UACMe)",
|
||
"meta": {
|
||
"external_id": "S0116",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0116",
|
||
"https://github.com/hfiref0x/UACME"
|
||
],
|
||
"synonyms": [
|
||
"UACMe"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "ccde5b0d-fe13-48e6-a6f4-4e434ce29371",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"likely\""
|
||
],
|
||
"type": "similar"
|
||
},
|
||
{
|
||
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507",
|
||
"value": "UACMe - S0116"
|
||
},
|
||
{
|
||
"description": "[Cachedump](https://attack.mitre.org/software/S0119) is a publicly-available tool that program extracts cached password hashes from a system’s registry. (Citation: Mandiant APT1)",
|
||
"meta": {
|
||
"external_id": "S0119",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0119",
|
||
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
|
||
],
|
||
"synonyms": [
|
||
"Cachedump"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52",
|
||
"value": "Cachedump - S0119"
|
||
},
|
||
{
|
||
"description": "[Winexe](https://attack.mitre.org/software/S0191) is a lightweight, open source tool similar to [PsExec](https://attack.mitre.org/software/S0029) designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) [Winexe](https://attack.mitre.org/software/S0191) is unique in that it is a GNU/Linux based client. (Citation: Überwachung APT28 Forfiles June 2015)",
|
||
"meta": {
|
||
"external_id": "S0191",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0191",
|
||
"https://github.com/skalkoto/winexe/",
|
||
"https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/"
|
||
],
|
||
"synonyms": [
|
||
"Winexe"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "811bdec0-e236-48ae-b27c-1a8fe0bfc3a9",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"likely\""
|
||
],
|
||
"type": "similar"
|
||
},
|
||
{
|
||
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d",
|
||
"value": "Winexe - S0191"
|
||
},
|
||
{
|
||
"description": "[xCmd](https://attack.mitre.org/software/S0123) is an open source tool that is similar to [PsExec](https://attack.mitre.org/software/S0029) and allows the user to execute applications on remote systems. (Citation: xCmd)",
|
||
"meta": {
|
||
"external_id": "S0123",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0123",
|
||
"https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/"
|
||
],
|
||
"synonyms": [
|
||
"xCmd"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b",
|
||
"value": "xCmd - S0123"
|
||
},
|
||
{
|
||
"description": "[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). (Citation: GitHub Pupy) [Pupy](https://attack.mitre.org/software/S0192) is publicly available on GitHub. (Citation: GitHub Pupy)",
|
||
"meta": {
|
||
"external_id": "S0192",
|
||
"mitre_platforms": [
|
||
"Linux",
|
||
"Windows",
|
||
"macOS",
|
||
"Android"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0192",
|
||
"https://github.com/n1nj4sec/pupy"
|
||
],
|
||
"synonyms": [
|
||
"Pupy"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "bdb420be-5882-41c8-b439-02bbef69d83f",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"likely\""
|
||
],
|
||
"type": "similar"
|
||
},
|
||
{
|
||
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4",
|
||
"value": "Pupy - S0192"
|
||
},
|
||
{
|
||
"description": "[Expand](https://attack.mitre.org/software/S0361) is a Windows utility used to expand one or more compressed CAB files.(Citation: Microsoft Expand Utility) It has been used by [BBSRAT](https://attack.mitre.org/software/S0127) to decompress a CAB file into executable content.(Citation: Palo Alto Networks BBSRAT)",
|
||
"meta": {
|
||
"external_id": "S0361",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0361",
|
||
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/expand",
|
||
"http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/"
|
||
],
|
||
"synonyms": [
|
||
"Expand"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "ca656c25-44f1-471b-9d9f-e2a3bbb84973",
|
||
"value": "Expand - S0361"
|
||
},
|
||
{
|
||
"description": "[Tor](https://attack.mitre.org/software/S0183) is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. [Tor](https://attack.mitre.org/software/S0183) utilizes \"Onion Routing,\" in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. (Citation: Dingledine Tor The Second-Generation Onion Router)",
|
||
"meta": {
|
||
"external_id": "S0183",
|
||
"mitre_platforms": [
|
||
"Linux",
|
||
"Windows",
|
||
"macOS"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0183",
|
||
"http://www.dtic.mil/dtic/tr/fulltext/u2/a465464.pdf"
|
||
],
|
||
"synonyms": [
|
||
"Tor"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68",
|
||
"value": "Tor - S0183"
|
||
},
|
||
{
|
||
"description": "[Forfiles](https://attack.mitre.org/software/S0193) is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. (Citation: Microsoft Forfiles Aug 2016)",
|
||
"meta": {
|
||
"external_id": "S0193",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0193",
|
||
"https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753551(v=ws.11)"
|
||
],
|
||
"synonyms": [
|
||
"Forfiles"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2",
|
||
"value": "Forfiles - S0193"
|
||
},
|
||
{
|
||
"description": "Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder)",
|
||
"meta": {
|
||
"external_id": "S0174",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0174",
|
||
"https://github.com/SpiderLabs/Responder"
|
||
],
|
||
"synonyms": [
|
||
"Responder"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719",
|
||
"value": "Responder - S0174"
|
||
},
|
||
{
|
||
"description": "[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1086) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)",
|
||
"meta": {
|
||
"external_id": "S0194",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0194",
|
||
"https://github.com/PowerShellMafia/PowerSploit",
|
||
"http://www.powershellmagazine.com/2014/07/08/powersploit/",
|
||
"http://powersploit.readthedocs.io"
|
||
],
|
||
"synonyms": [
|
||
"PowerSploit"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d",
|
||
"value": "PowerSploit - S0194"
|
||
},
|
||
{
|
||
"description": "[meek](https://attack.mitre.org/software/S0175) is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.",
|
||
"meta": {
|
||
"external_id": "S0175",
|
||
"mitre_platforms": [
|
||
"Linux",
|
||
"Windows",
|
||
"macOS"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0175"
|
||
],
|
||
"synonyms": [
|
||
"meek"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830",
|
||
"value": "meek - S0175"
|
||
},
|
||
{
|
||
"description": "[SDelete](https://attack.mitre.org/software/S0195) is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete July 2016)",
|
||
"meta": {
|
||
"external_id": "S0195",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0195",
|
||
"https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete"
|
||
],
|
||
"synonyms": [
|
||
"SDelete"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153",
|
||
"value": "SDelete - S0195"
|
||
},
|
||
{
|
||
"description": "[MimiPenguin](https://attack.mitre.org/software/S0179) is a credential dumper, similar to [Mimikatz](https://attack.mitre.org/software/S0002), designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)",
|
||
"meta": {
|
||
"external_id": "S0179",
|
||
"mitre_platforms": [
|
||
"Linux"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0179",
|
||
"https://github.com/huntergregal/mimipenguin"
|
||
],
|
||
"synonyms": [
|
||
"MimiPenguin"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27",
|
||
"value": "MimiPenguin - S0179"
|
||
},
|
||
{
|
||
"description": "[Havij](https://attack.mitre.org/software/S0224) is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. (Citation: Check Point Havij Analysis)",
|
||
"meta": {
|
||
"external_id": "S0224",
|
||
"mitre_platforms": [
|
||
"Linux",
|
||
"Windows",
|
||
"macOS"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0224",
|
||
"https://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/"
|
||
],
|
||
"synonyms": [
|
||
"Havij"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5",
|
||
"value": "Havij - S0224"
|
||
},
|
||
{
|
||
"description": "[sqlmap](https://attack.mitre.org/software/S0225) is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. (Citation: sqlmap Introduction)",
|
||
"meta": {
|
||
"external_id": "S0225",
|
||
"mitre_platforms": [
|
||
"Linux",
|
||
"Windows",
|
||
"macOS"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0225",
|
||
"http://sqlmap.org/"
|
||
],
|
||
"synonyms": [
|
||
"sqlmap"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555",
|
||
"value": "sqlmap - S0225"
|
||
},
|
||
{
|
||
"description": "[QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that is publicly available on GitHub. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language. (Citation: GitHub QuasarRAT) (Citation: Volexity Patchwork June 2018)",
|
||
"meta": {
|
||
"external_id": "S0262",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0262",
|
||
"https://github.com/quasar/QuasarRAT",
|
||
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
|
||
"https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
|
||
],
|
||
"synonyms": [
|
||
"QuasarRAT",
|
||
"xRAT"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "da04ac30-27da-4959-a67d-450ce47d9470",
|
||
"value": "QuasarRAT - S0262"
|
||
},
|
||
{
|
||
"description": "[spwebmember](https://attack.mitre.org/software/S0227) is a Microsoft SharePoint enumeration and data dumping tool written in .NET. (Citation: NCC Group APT15 Alive and Strong)",
|
||
"meta": {
|
||
"external_id": "S0227",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0227",
|
||
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
|
||
],
|
||
"synonyms": [
|
||
"spwebmember"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4",
|
||
"value": "spwebmember - S0227"
|
||
},
|
||
{
|
||
"description": "[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in malware campaigns.(Citation: Riskiq Remcos Jan 2018)(Citation: Talos Remcos Aug 2018)",
|
||
"meta": {
|
||
"external_id": "S0332",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0332",
|
||
"https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
|
||
"https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
|
||
"https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html"
|
||
],
|
||
"synonyms": [
|
||
"Remcos"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "7cd0bc75-055b-4098-a00e-83dc8beaff14",
|
||
"value": "Remcos - S0332"
|
||
},
|
||
{
|
||
"description": "[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://attack.mitre.org/techniques/T1086). Although [PoshC2](https://attack.mitre.org/software/S0378) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2)",
|
||
"meta": {
|
||
"external_id": "S0378",
|
||
"mitre_platforms": [
|
||
"Windows",
|
||
"Linux",
|
||
"macOS"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0378",
|
||
"https://github.com/nettitude/PoshC2"
|
||
],
|
||
"synonyms": [
|
||
"PoshC2"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "4b57c098-f043-4da2-83ef-7588a6d426bc",
|
||
"value": "PoshC2 - S0378"
|
||
},
|
||
{
|
||
"description": "[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)",
|
||
"meta": {
|
||
"external_id": "S0298",
|
||
"mitre_platforms": [
|
||
"Android"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0298",
|
||
"http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
|
||
],
|
||
"synonyms": [
|
||
"Xbot"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "e683cd91-40b4-4e1c-be25-34a27610a22e",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"likely\""
|
||
],
|
||
"type": "similar"
|
||
},
|
||
{
|
||
"dest-uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"likely\""
|
||
],
|
||
"type": "similar"
|
||
},
|
||
{
|
||
"dest-uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"likely\""
|
||
],
|
||
"type": "similar"
|
||
},
|
||
{
|
||
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4",
|
||
"value": "Xbot - S0298"
|
||
},
|
||
{
|
||
"description": "[Empire](https://attack.mitre.org/software/S0363) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://attack.mitre.org/techniques/T1086) for Windows and Python for Linux/macOS. [Empire](https://attack.mitre.org/software/S0363) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)\n\n",
|
||
"meta": {
|
||
"external_id": "S0363",
|
||
"mitre_platforms": [
|
||
"Linux",
|
||
"macOS",
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0363",
|
||
"https://s3.eu-west-1.amazonaws.com/ncsc-content/files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf",
|
||
"https://github.com/PowerShellEmpire/Empire",
|
||
"https://github.com/dstepanic/attck_empire"
|
||
],
|
||
"synonyms": [
|
||
"Empire",
|
||
"EmPyre",
|
||
"PowerShell Empire"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3",
|
||
"value": "Empire - S0363"
|
||
},
|
||
{
|
||
"description": "[RawDisk](https://attack.mitre.org/software/S0364) is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.(Citation: EldoS RawDisk ITpro)(Citation: Novetta Blockbuster Destructive Malware)",
|
||
"meta": {
|
||
"external_id": "S0364",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0364",
|
||
"https://www.itprotoday.com/windows-78/eldos-provides-raw-disk-access-vista-and-xp",
|
||
"https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf"
|
||
],
|
||
"synonyms": [
|
||
"RawDisk"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "3ffbdc1f-d2bf-41ab-91a2-c7b857e98079",
|
||
"value": "RawDisk - S0364"
|
||
},
|
||
{
|
||
"description": "[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. [LaZagne](https://attack.mitre.org/software/S0349) is publicly available on GitHub.(Citation: GitHub LaZagne Dec 2018)",
|
||
"meta": {
|
||
"external_id": "S0349",
|
||
"mitre_platforms": [
|
||
"Linux",
|
||
"macOS",
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0349",
|
||
"https://github.com/AlessandroZ/LaZagne"
|
||
],
|
||
"synonyms": [
|
||
"LaZagne"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b",
|
||
"value": "LaZagne - S0349"
|
||
},
|
||
{
|
||
"description": "[Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.(Citation: Impacket Tools)",
|
||
"meta": {
|
||
"external_id": "S0357",
|
||
"mitre_platforms": [
|
||
"Linux",
|
||
"macOS",
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0357",
|
||
"https://www.secureauth.com/labs/open-source-tools/impacket"
|
||
],
|
||
"synonyms": [
|
||
"Impacket"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "26c87906-d750-42c5-946c-d4162c73fc7b",
|
||
"value": "Impacket - S0357"
|
||
},
|
||
{
|
||
"description": "[Ruler](https://attack.mitre.org/software/S0358) is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of [Ruler](https://attack.mitre.org/software/S0358) have also released a defensive tool, NotRuler, to detect its usage.(Citation: SensePost Ruler GitHub)(Citation: SensePost NotRuler)",
|
||
"meta": {
|
||
"external_id": "S0358",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0358",
|
||
"https://github.com/sensepost/ruler",
|
||
"https://github.com/sensepost/notruler"
|
||
],
|
||
"synonyms": [
|
||
"Ruler"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "90ac9266-68ce-46f2-b24f-5eb3b2a8ea38",
|
||
"value": "Ruler - S0358"
|
||
},
|
||
{
|
||
"description": "[Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)",
|
||
"meta": {
|
||
"external_id": "S0359",
|
||
"mitre_platforms": [
|
||
"Windows"
|
||
],
|
||
"refs": [
|
||
"https://attack.mitre.org/software/S0359",
|
||
"https://ss64.com/nt/nltest.html"
|
||
],
|
||
"synonyms": [
|
||
"Nltest"
|
||
]
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
||
"tags": [
|
||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||
],
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "981acc4c-2ede-4b56-be6e-fa1a75f37acf",
|
||
"value": "Nltest - S0359"
|
||
}
|
||
],
|
||
"version": 13
|
||
}
|