test_scratch
/
cti-ATT-CK-v13.1
/enterprise-attack
/attack-pattern
/attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939.json
| { | |
| "type": "bundle", | |
| "id": "bundle--3f7c4360-03d5-450c-b6c6-dbc60a805074", | |
| "spec_version": "2.0", | |
| "objects": [ | |
| { | |
| "modified": "2023-05-04T18:06:40.829Z", | |
| "name": "Fileless Storage", | |
| "description": "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage.\n\nAdversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.\n\nSome forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\System32\\Wbem\\Repository`) or Registry (e.g., `%SystemRoot%\\System32\\Config`) physical files.(Citation: Microsoft Fileless) ", | |
| "kill_chain_phases": [ | |
| { | |
| "kill_chain_name": "mitre-attack", | |
| "phase_name": "defense-evasion" | |
| } | |
| ], | |
| "x_mitre_contributors": [ | |
| "Christopher Peacock", | |
| "Denise Tan", | |
| "Mark Wee", | |
| "Simona David", | |
| "Xavier Rousseau" | |
| ], | |
| "x_mitre_deprecated": false, | |
| "x_mitre_detection": "", | |
| "x_mitre_domains": [ | |
| "enterprise-attack" | |
| ], | |
| "x_mitre_is_subtechnique": true, | |
| "x_mitre_platforms": [ | |
| "Windows" | |
| ], | |
| "x_mitre_version": "1.0", | |
| "x_mitre_data_sources": [ | |
| "WMI: WMI Creation", | |
| "Windows Registry: Windows Registry Key Creation" | |
| ], | |
| "type": "attack-pattern", | |
| "id": "attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939", | |
| "created": "2023-03-23T19:55:25.546Z", | |
| "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", | |
| "revoked": false, | |
| "external_references": [ | |
| { | |
| "source_name": "mitre-attack", | |
| "url": "https://attack.mitre.org/techniques/T1027/011", | |
| "external_id": "T1027.011" | |
| }, | |
| { | |
| "source_name": "SecureList Fileless", | |
| "description": "Legezo, D. (2022, May 4). A new secret stash for \u201cfileless\u201d malware. Retrieved March 23, 2023.", | |
| "url": "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/" | |
| }, | |
| { | |
| "source_name": "Microsoft Fileless", | |
| "description": "Microsoft. (2023, February 6). Fileless threats. Retrieved March 23, 2023.", | |
| "url": "https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats" | |
| } | |
| ], | |
| "object_marking_refs": [ | |
| "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" | |
| ], | |
| "x_mitre_attack_spec_version": "3.1.0", | |
| "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" | |
| } | |
| ] | |
| } |