{ | |
"type": "bundle", | |
"id": "bundle--81d34ebb-d5ee-48a2-ae11-59716c673405", | |
"spec_version": "2.0", | |
"objects": [ | |
{ | |
"modified": "2023-03-30T21:01:37.568Z", | |
"name": "Adversary-in-the-Middle", | |
"description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can set up a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).", | |
"kill_chain_phases": [ | |
{ | |
"kill_chain_name": "mitre-attack", | |
"phase_name": "credential-access" | |
}, | |
{ | |
"kill_chain_name": "mitre-attack", | |
"phase_name": "collection" | |
} | |
], | |
"x_mitre_attack_spec_version": "2.1.0", | |
"x_mitre_contributors": [ | |
"Mayuresh Dani, Qualys", | |
"Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project", | |
"NEC" | |
], | |
"x_mitre_deprecated": false, | |
"x_mitre_detection": "Monitor network traffic for anomalies associated with known AiTM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow.", | |
"x_mitre_domains": [ | |
"enterprise-attack" | |
], | |
"x_mitre_is_subtechnique": false, | |
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", | |
"x_mitre_platforms": [ | |
"Windows", | |
"macOS", | |
"Linux", | |
"Network" | |
], | |
"x_mitre_version": "2.2", | |
"x_mitre_data_sources": [ | |
"Application Log: Application Log Content", | |
"Network Traffic: Network Traffic Content", | |
"Service: Service Creation", | |
"Windows Registry: Windows Registry Key Modification", | |
"Network Traffic: Network Traffic Flow" | |
], | |
"type": "attack-pattern", | |
"id": "attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", | |
"created": "2020-02-11T19:07:12.114Z", | |
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", | |
"revoked": false, | |
"external_references": [ | |
{ | |
"source_name": "mitre-attack", | |
"url": "https://attack.mitre.org/techniques/T1557", | |
"external_id": "T1557" | |
}, | |
{ | |
"source_name": "dns_changer_trojans", | |
"description": "Abendan, O. (2012, June 14). How DNS Changer Trojans Direct Users to Threats. Retrieved October 28, 2021.", | |
"url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/125/how-dns-changer-trojans-direct-users-to-threats" | |
}, | |
{ | |
"source_name": "volexity_0day_sophos_FW", | |
"description": "Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022.", | |
"url": "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/" | |
}, | |
{ | |
"source_name": "taxonomy_downgrade_att_tls", | |
"description": "Alashwali, E. S., Rasmussen, K. (2019, January 26). What's in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS. Retrieved December 7, 2021.", | |
"url": "https://arxiv.org/abs/1809.05681" | |
}, | |
{ | |
"source_name": "ad_blocker_with_miner", | |
"description": "Kuzmenko, A.. (2021, March 10). Ad blocker with miner included. Retrieved October 28, 2021.", | |
"url": "https://securelist.com/ad-blocker-with-miner-included/101105/" | |
}, | |
{ | |
"source_name": "mitm_tls_downgrade_att", | |
"description": "praetorian Editorial Team. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved December 8, 2021.", | |
"url": "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/" | |
}, | |
{ | |
"source_name": "Rapid7 MiTM Basics", | |
"description": "Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved March 2, 2020.", | |
"url": "https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/" | |
}, | |
{ | |
"source_name": "tlseminar_downgrade_att", | |
"description": "Team Cinnamon. (2017, February 3). Downgrade Attacks. Retrieved December 9, 2021.", | |
"url": "https://tlseminar.github.io/downgrade-attacks/" | |
}, | |
{ | |
"source_name": "ttint_rat", | |
"description": "Tu, L. Ma, Y. Ye, G. (2020, October 1). Ttint: An IoT Remote Access Trojan spread through 2 0-day vulnerabilities. Retrieved October 28, 2021.", | |
"url": "https://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities/" | |
} | |
], | |
"object_marking_refs": [ | |
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" | |
] | |
} | |
] | |
} |