misp-galaxy/clusters/mitre-enterprise-attack-tool.json
2018-10-17 08:26:45 +02:00

1197 lines
43 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"authors": [
"MITRE"
],
"description": "Name of ATT&CK software",
"name": "Enterprise Attack - Tool",
"source": "https://github.com/mitre/cti",
"type": "mitre-enterprise-attack-tool",
"uuid": "fc1ea6e0-1707-11e8-ac05-2b70d00c354e",
"values": [
{
"description": "is a lightweight, open source tool similar to PsExec designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) is unique in that it is a GNU/Linux based client. (Citation: Überwachung APT28 Forfiles June 2015)\n\nAliases: Winexe",
"meta": {
"external_id": "S0191",
"refs": [
"https://attack.mitre.org/wiki/Software/S0191",
"https://github.com/skalkoto/winexe/",
"https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/"
],
"synonyms": [
"Winexe"
]
},
"related": [
{
"dest-uuid": "811bdec0-e236-48ae-b27c-1a8fe0bfc3a9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d",
"value": "Winexe - S0191"
},
{
"description": "at is used to schedule tasks on a system to run at a specified date or time. (Citation: TechNet At)\n\nAliases: at, at.exe",
"meta": {
"external_id": "S0110",
"refs": [
"https://attack.mitre.org/wiki/Software/S0110",
"https://technet.microsoft.com/en-us/library/bb490866.aspx"
],
"synonyms": [
"at",
"at.exe"
]
},
"related": [
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952",
"value": "at - S0110"
},
{
"description": "route can be used to find or change information within the local system IP routing table. (Citation: TechNet Route)\n\nAliases: route, route.exe",
"meta": {
"external_id": "S0103",
"refs": [
"https://attack.mitre.org/wiki/Software/S0103",
"https://technet.microsoft.com/en-us/library/bb490991.aspx"
],
"synonyms": [
"route",
"route.exe"
]
},
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de",
"value": "route - S0103"
},
{
"description": "The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)\n\nAliases: Tasklist",
"meta": {
"external_id": "S0057",
"refs": [
"https://attack.mitre.org/wiki/Software/S0057",
"https://technet.microsoft.com/en-us/library/bb491010.aspx"
],
"synonyms": [
"Tasklist"
]
},
"related": [
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f",
"value": "Tasklist - S0057"
},
{
"description": "Windows Credential Editor is a password dumping tool. (Citation: Amplia WCE)\n\nAliases: Windows Credential Editor, WCE",
"meta": {
"external_id": "S0005",
"refs": [
"https://attack.mitre.org/wiki/Software/S0005",
"http://www.ampliasecurity.com/research/wcefaq.html"
],
"synonyms": [
"Windows Credential Editor",
"WCE"
]
},
"related": [
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
"value": "Windows Credential Editor - S0005"
},
{
"description": "Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder)\n\nAliases: Responder",
"meta": {
"external_id": "S0174",
"refs": [
"https://attack.mitre.org/wiki/Software/S0174",
"https://github.com/SpiderLabs/Responder"
],
"synonyms": [
"Responder"
]
},
"related": [
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719",
"value": "Responder - S0174"
},
{
"description": "schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. (Citation: TechNet Schtasks)\n\nAliases: schtasks, schtasks.exe",
"meta": {
"external_id": "S0111",
"refs": [
"https://attack.mitre.org/wiki/Software/S0111",
"https://technet.microsoft.com/en-us/library/bb490996.aspx"
],
"synonyms": [
"schtasks",
"schtasks.exe"
]
},
"related": [
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c9703cd3-141c-43a0-a926-380082be5d04",
"value": "schtasks - S0111"
},
{
"description": "UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. (Citation: Github UACMe)\n\nAliases: UACMe",
"meta": {
"external_id": "S0116",
"refs": [
"https://attack.mitre.org/wiki/Software/S0116",
"https://github.com/hfiref0x/UACME"
],
"synonyms": [
"UACMe"
]
},
"related": [
{
"dest-uuid": "ccde5b0d-fe13-48e6-a6f4-4e434ce29371",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507",
"value": "UACMe - S0116"
},
{
"description": "ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)\n\nAliases: ifconfig",
"meta": {
"external_id": "S0101",
"refs": [
"https://attack.mitre.org/wiki/Software/S0101",
"https://en.wikipedia.org/wiki/Ifconfig"
],
"synonyms": [
"ifconfig"
]
},
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5",
"value": "ifconfig - S0101"
},
{
"description": "is a command line tool used to create and manage BITS Jobs. (Citation: Microsoft BITSAdmin)\n\nAliases: BITSAdmin",
"meta": {
"external_id": "S0190",
"refs": [
"https://attack.mitre.org/wiki/Software/S0190",
"https://msdn.microsoft.com/library/aa362813.aspx"
],
"synonyms": [
"BITSAdmin"
]
},
"related": [
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "64764dc6-a032-495f-8250-1e4c06bdc163",
"value": "BITSAdmin - S0190"
},
{
"description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)\n\nAliases: Mimikatz\n\nContributors: Vincent Le Toux",
"meta": {
"external_id": "S0002",
"refs": [
"https://attack.mitre.org/wiki/Software/S0002",
"https://github.com/gentilkiwi/mimikatz",
"https://adsecurity.org/?page%20id=1821"
],
"synonyms": [
"Mimikatz"
]
},
"related": [
{
"dest-uuid": "7f3a035d-d83a-45b8-8111-412aa8ade802",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
"value": "Mimikatz - S0002"
},
{
"description": " (Citation: xCmd) is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems. (Citation: xCmd)\n\nAliases: (Citation: xCmd)",
"meta": {
"external_id": "S0123",
"refs": [
"https://attack.mitre.org/wiki/Software/S0123",
"https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/"
],
"synonyms": [
"xCmd"
]
},
"related": [
{
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b",
"value": "xCmd - S0123"
},
{
"description": "MimiPenguin is a credential dumper, similar to Mimikatz, designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)\n\nAliases: MimiPenguin\n\nContributors: Vincent Le Toux",
"meta": {
"external_id": "S0179",
"refs": [
"https://attack.mitre.org/wiki/Software/S0179",
"https://github.com/huntergregal/mimipenguin"
],
"synonyms": [
"MimiPenguin"
]
},
"related": [
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27",
"value": "MimiPenguin - S0179"
},
{
"description": "is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete July 2016)\n\nAliases: SDelete",
"meta": {
"external_id": "S0195",
"refs": [
"https://attack.mitre.org/wiki/Software/S0195",
"https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete"
],
"synonyms": [
"SDelete"
]
},
"related": [
{
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153",
"value": "SDelete - S0195"
},
{
"description": "Systeminfo is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)\n\nAliases: Systeminfo, systeminfo.exe",
"meta": {
"external_id": "S0096",
"refs": [
"https://attack.mitre.org/wiki/Software/S0096",
"https://technet.microsoft.com/en-us/library/bb491007.aspx"
],
"synonyms": [
"Systeminfo",
"systeminfo.exe"
]
},
"related": [
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
"value": "Systeminfo - S0096"
},
{
"description": "netsh is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)\n\nAliases: netsh, netsh.exe",
"meta": {
"external_id": "S0108",
"refs": [
"https://attack.mitre.org/wiki/Software/S0108",
"https://technet.microsoft.com/library/bb490939.aspx"
],
"synonyms": [
"netsh",
"netsh.exe"
]
},
"related": [
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
"value": "netsh - S0108"
},
{
"description": "dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.\n\nAliases: dsquery, dsquery.exe",
"meta": {
"external_id": "S0105",
"refs": [
"https://attack.mitre.org/wiki/Software/S0105",
"https://technet.microsoft.com/en-us/library/cc732952.aspx"
],
"synonyms": [
"dsquery",
"dsquery.exe"
]
},
"related": [
{
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe",
"value": "dsquery - S0105"
},
{
"description": "gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. (Citation: TrueSec Gsecdump)\n\nAliases: gsecdump",
"meta": {
"external_id": "S0008",
"refs": [
"https://attack.mitre.org/wiki/Software/S0008",
"https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump%20v2.0b5"
],
"synonyms": [
"gsecdump"
]
},
"related": [
{
"dest-uuid": "8410d208-7450-407d-b56c-e5c1ced19632",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54",
"value": "gsecdump - S0008"
},
{
"description": "Ping is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)\n\nAliases: Ping, ping.exe",
"meta": {
"external_id": "S0097",
"refs": [
"https://attack.mitre.org/wiki/Software/S0097",
"https://technet.microsoft.com/en-us/library/bb490968.aspx"
],
"synonyms": [
"Ping",
"ping.exe"
]
},
"related": [
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47",
"value": "Ping - S0097"
},
{
"description": "Fgdump is a Windows password hash dumper. (Citation: Mandiant APT1)\n\nAliases: Fgdump",
"meta": {
"external_id": "S0120",
"refs": [
"https://attack.mitre.org/wiki/Software/S0120",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"Fgdump"
]
},
"related": [
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe",
"value": "Fgdump - S0120"
},
{
"description": "Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process. (Citation: Mandiant APT1)\n\nAliases: Lslsass",
"meta": {
"external_id": "S0121",
"refs": [
"https://attack.mitre.org/wiki/Software/S0121",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"Lslsass"
]
},
"related": [
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "2fab555f-7664-4623-b4e0-1675ae38190b",
"value": "Lslsass - S0121"
},
{
"description": "Pass-The-Hash Toolkit is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)\n\nAliases: Pass-The-Hash Toolkit",
"meta": {
"external_id": "S0122",
"refs": [
"https://attack.mitre.org/wiki/Software/S0122",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"Pass-The-Hash Toolkit"
]
},
"related": [
{
"dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69",
"value": "Pass-The-Hash Toolkit - S0122"
},
{
"description": "FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data. (Citation: Wikipedia FTP)\n\nAliases: FTP, ftp.exe",
"meta": {
"external_id": "S0095",
"refs": [
"https://attack.mitre.org/wiki/Software/S0095",
"https://en.wikipedia.org/wiki/File%20Transfer%20Protocol"
],
"synonyms": [
"FTP",
"ftp.exe"
]
},
"related": [
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565",
"value": "FTP - S0095"
},
{
"description": "ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)\n\nAliases: ipconfig, ipconfig.exe",
"meta": {
"external_id": "S0100",
"refs": [
"https://attack.mitre.org/wiki/Software/S0100",
"https://technet.microsoft.com/en-us/library/bb490921.aspx"
],
"synonyms": [
"ipconfig",
"ipconfig.exe"
]
},
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "294e2560-bd48-44b2-9da2-833b5588ad11",
"value": "ipconfig - S0100"
},
{
"description": "nbtstat is a utility used to troubleshoot NetBIOS name resolution. (Citation: TechNet Nbtstat)\n\nAliases: nbtstat, nbtstat.exe",
"meta": {
"external_id": "S0102",
"refs": [
"https://attack.mitre.org/wiki/Software/S0102",
"https://technet.microsoft.com/en-us/library/cc940106.aspx"
],
"synonyms": [
"nbtstat",
"nbtstat.exe"
]
},
"related": [
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b35068ec-107a-4266-bda8-eb7036267aea",
"value": "nbtstat - S0102"
},
{
"description": "HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. (Citation: Operation Quantum Entanglement)\n\nAliases: HTRAN, HUC Packet Transmit Tool",
"meta": {
"external_id": "S0040",
"refs": [
"https://attack.mitre.org/wiki/Software/S0040",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf"
],
"synonyms": [
"HTRAN",
"HUC Packet Transmit Tool"
]
},
"related": [
{
"dest-uuid": "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
"value": "HTRAN - S0040"
},
{
"description": "Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes \"Onion Routing,\" in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. (Citation: Dingledine Tor The Second-Generation Onion Router)\n\nAliases: Tor",
"meta": {
"external_id": "S0183",
"refs": [
"https://attack.mitre.org/wiki/Software/S0183",
"http://www.dtic.mil/dtic/tr/fulltext/u2/a465464.pdf"
],
"synonyms": [
"Tor"
]
},
"related": [
{
"dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68",
"value": "Tor - S0183"
},
{
"description": "netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)\n\nAliases: netstat, netstat.exe",
"meta": {
"external_id": "S0104",
"refs": [
"https://attack.mitre.org/wiki/Software/S0104",
"https://technet.microsoft.com/en-us/library/bb490947.aspx"
],
"synonyms": [
"netstat",
"netstat.exe"
]
},
"related": [
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4664b683-f578-434f-919b-1c1aad2a1111",
"value": "netstat - S0104"
},
{
"description": "pwdump is a credential dumper. (Citation: Wikipedia pwdump)\n\nAliases: pwdump",
"meta": {
"external_id": "S0006",
"refs": [
"https://attack.mitre.org/wiki/Software/S0006",
"https://en.wikipedia.org/wiki/Pwdump"
],
"synonyms": [
"pwdump"
]
},
"related": [
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "9de2308e-7bed-43a3-8e58-f194b3586700",
"value": "pwdump - S0006"
},
{
"description": "Cachedump is a publicly-available tool that program extracts cached password hashes from a systems registry. (Citation: Mandiant APT1)\n\nAliases: Cachedump",
"meta": {
"external_id": "S0119",
"refs": [
"https://attack.mitre.org/wiki/Software/S0119",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"Cachedump"
]
},
"related": [
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52",
"value": "Cachedump - S0119"
},
{
"description": "Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. (Citation: Microsoft Forfiles Aug 2016)\n\nAliases: Forfiles\n\nContributors: Matthew Demaske, Adaptforward",
"meta": {
"external_id": "S0193",
"refs": [
"https://attack.mitre.org/wiki/Software/S0193",
"https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753551(v=ws.11)"
],
"synonyms": [
"Forfiles"
]
},
"related": [
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2",
"value": "Forfiles - S0193"
},
{
"description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\nNet has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through Windows admin shares using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe",
"meta": {
"external_id": "S0039",
"refs": [
"https://attack.mitre.org/wiki/Software/S0039",
"https://msdn.microsoft.com/en-us/library/aa939914",
"http://windowsitpro.com/windows/netexe-reference"
],
"synonyms": [
"Net",
"net.exe"
]
},
"related": [
{
"dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"value": "Net - S0039"
},
{
"description": "PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)\n\nAliases: PsExec",
"meta": {
"external_id": "S0029",
"refs": [
"https://attack.mitre.org/wiki/Software/S0029",
"https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx",
"https://digital-forensics.sans.org/blog/2012/12/17/protecting-privileged-domain-accounts-psexec-deep-dive"
],
"synonyms": [
"PsExec"
]
},
"related": [
{
"dest-uuid": "6dd05630-9bd8-11e8-a8b9-47ce338a4367",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
"value": "PsExec - S0029"
},
{
"description": "Certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)\n\nAliases: certutil, certutil.exe",
"meta": {
"external_id": "S0160",
"refs": [
"https://attack.mitre.org/wiki/Software/S0160",
"https://technet.microsoft.com/library/cc732443.aspx"
],
"synonyms": [
"certutil",
"certutil.exe"
]
},
"related": [
{
"dest-uuid": "3e205e84-9f90-4b4b-8896-c82189936a15",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc",
"value": "certutil - S0160"
},
{
"description": "Arp displays information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp)\n\nAliases: Arp, arp.exe",
"meta": {
"external_id": "S0099",
"refs": [
"https://attack.mitre.org/wiki/Software/S0099",
"https://technet.microsoft.com/en-us/library/bb490864.aspx"
],
"synonyms": [
"Arp",
"arp.exe"
]
},
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "30489451-5886-4c46-90c9-0dff9adc5252",
"value": "Arp - S0099"
},
{
"description": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd)\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code> (Citation: TechNet Dir)), deleting files (e.g., <code>del</code> (Citation: TechNet Del)), and copying files (e.g., <code>copy</code> (Citation: TechNet Copy)).\n\nAliases: cmd, cmd.exe",
"meta": {
"external_id": "S0106",
"refs": [
"https://attack.mitre.org/wiki/Software/S0106",
"https://technet.microsoft.com/en-us/library/bb490880.aspx",
"https://technet.microsoft.com/en-us/library/cc755121.aspx",
"https://technet.microsoft.com/en-us/library/cc771049.aspx",
"https://technet.microsoft.com/en-us/library/bb490886.aspx"
],
"synonyms": [
"cmd",
"cmd.exe"
]
},
"related": [
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e",
"value": "cmd - S0106"
},
{
"description": "Havij is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. (Citation: Check Point Havij Analysis)\n\nAliases: Havij",
"meta": {
"external_id": "S0224",
"refs": [
"https://attack.mitre.org/wiki/Software/S0224",
"https://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/"
],
"synonyms": [
"Havij"
]
},
"related": [
{
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5",
"value": "Havij - S0224"
},
{
"description": "PowerSploit is an open source, offensive security framework compromised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)\n\nAliases: PowerSploit",
"meta": {
"external_id": "S0194",
"refs": [
"https://attack.mitre.org/wiki/Software/S0194",
"https://github.com/PowerShellMafia/PowerSploit",
"http://www.powershellmagazine.com/2014/07/08/powersploit/",
"http://powersploit.readthedocs.io"
],
"synonyms": [
"PowerSploit"
]
},
"related": [
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d",
"value": "PowerSploit - S0194"
},
{
"description": "meek is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.\n\nAliases: meek",
"meta": {
"external_id": "S0175",
"refs": [
"https://attack.mitre.org/wiki/Software/S0175"
],
"synonyms": [
"meek"
]
},
"related": [
{
"dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830",
"value": "meek - S0175"
},
{
"description": "Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation: Microsoft Reg)\n\nUtilities such as Reg are known to be used by persistent threats. (Citation: Windows Commands JPCERT)\n\nAliases: Reg, reg.exe",
"meta": {
"external_id": "S0075",
"refs": [
"https://attack.mitre.org/wiki/Software/S0075",
"https://technet.microsoft.com/en-us/library/cc732643.aspx",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
],
"synonyms": [
"Reg",
"reg.exe"
]
},
"related": [
{
"dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f",
"value": "Reg - S0075"
},
{
"description": "spwebmember is a Microsoft SharePoint enumeration and data dumping tool written in .NET. (Citation: NCC Group APT15 Alive and Strong)\n\nAliases: spwebmember",
"meta": {
"external_id": "S0227",
"refs": [
"https://attack.mitre.org/wiki/Software/S0227",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
],
"synonyms": [
"spwebmember"
]
},
"related": [
{
"dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4",
"value": "spwebmember - S0227"
},
{
"description": "Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). (Citation: GitHub Pupy) Pupy is publicly available on GitHub. (Citation: GitHub Pupy)\n\nAliases: Pupy",
"meta": {
"external_id": "S0192",
"refs": [
"https://attack.mitre.org/wiki/Software/S0192",
"https://github.com/n1nj4sec/pupy"
],
"synonyms": [
"Pupy"
]
},
"related": [
{
"dest-uuid": "bdb420be-5882-41c8-b439-02bbef69d83f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4",
"value": "Pupy - S0192"
},
{
"description": "sqlmap is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. (Citation: sqlmap Introduction)\n\nAliases: sqlmap",
"meta": {
"external_id": "S0225",
"refs": [
"https://attack.mitre.org/wiki/Software/S0225",
"http://sqlmap.org/"
],
"synonyms": [
"sqlmap"
]
},
"related": [
{
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555",
"value": "sqlmap - S0225"
},
{
"description": "Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strikes interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. (Citation: cobaltstrike manual)\n\nAliases: Cobalt Strike\n\nContributors: Josh Abraham",
"meta": {
"external_id": "S0154",
"refs": [
"https://attack.mitre.org/wiki/Software/S0154",
"https://cobaltstrike.com/downloads/csmanual38.pdf"
],
"synonyms": [
"Cobalt Strike"
]
},
"related": [
{
"dest-uuid": "ca44dd5e-fd9e-48b5-99cb-0b2629b9265f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3da22160-12d9-4d27-a99f-338e8de3844a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"value": "Cobalt Strike - S0154"
},
{
"description": "Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one liner for executing either from a file of from the web. Example of usage is embedding the PowerShell code from the Invoke-Mimikatz module and embed it into an image file. By calling the image file from a macro for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. (Citation: GitHub Invoke-PSImage)\n\nAliases: Invoke-PSImage\n\nContributors: Christiaan Beek, @ChristiaanBeek",
"meta": {
"external_id": "S0231",
"refs": [
"https://attack.mitre.org/wiki/Software/S0231",
"https://github.com/peewpw/Invoke-PSImage"
],
"synonyms": [
"Invoke-PSImage"
]
},
"related": [
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f",
"value": "Invoke-PSImage - S0231"
}
],
"version": 7
}