test_scratch
/
cti-ATT-CK-v13.1
/enterprise-attack
/attack-pattern
/attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104.json
{ | |
"type": "bundle", | |
"id": "bundle--463ee45a-ef4c-439a-9a50-07465757e525", | |
"spec_version": "2.0", | |
"objects": [ | |
{ | |
"modified": "2023-04-12T23:35:40.261Z", | |
"name": "System Owner/User Discovery", | |
"description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nVarious utilities and commands may acquire this information, including <code>whoami</code>. In macOS and Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>. On macOS the <code>dscl . list /Users | grep -v '_'</code> command can also be used to enumerate user accounts. Environment variables, such as <code>%USERNAME%</code> and <code>$USER</code>, may also be used to access this information.\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)", | |
"kill_chain_phases": [ | |
{ | |
"kill_chain_name": "mitre-attack", | |
"phase_name": "discovery" | |
} | |
], | |
"x_mitre_contributors": [ | |
"Austin Clark, @c2defense" | |
], | |
"x_mitre_deprecated": false, | |
"x_mitre_detection": "`System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nFor network infrastructure devices, collect AAA logging to monitor `show` commands being run by non-standard users from non-standard locations.", | |
"x_mitre_domains": [ | |
"enterprise-attack" | |
], | |
"x_mitre_is_subtechnique": false, | |
"x_mitre_platforms": [ | |
"Linux", | |
"macOS", | |
"Windows", | |
"Network" | |
], | |
"x_mitre_version": "1.4", | |
"x_mitre_data_sources": [ | |
"Process: OS API Execution", | |
"Process: Process Access", | |
"Windows Registry: Windows Registry Key Access", | |
"Active Directory: Active Directory Object Access", | |
"Network Traffic: Network Traffic Content", | |
"File: File Access", | |
"Process: Process Creation", | |
"Command: Command Execution", | |
"Network Traffic: Network Traffic Flow" | |
], | |
"type": "attack-pattern", | |
"id": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104", | |
"created": "2017-05-31T21:30:35.733Z", | |
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", | |
"revoked": false, | |
"external_references": [ | |
{ | |
"source_name": "mitre-attack", | |
"url": "https://attack.mitre.org/techniques/T1033", | |
"external_id": "T1033" | |
}, | |
{ | |
"source_name": "show_ssh_users_cmd_cisco", | |
"description": "Cisco. (2023, March 7). Cisco IOS Security Command Reference: Commands S to Z . Retrieved July 13, 2022.", | |
"url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s5.html" | |
}, | |
{ | |
"source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018", | |
"description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.", | |
"url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A" | |
} | |
], | |
"object_marking_refs": [ | |
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" | |
], | |
"x_mitre_attack_spec_version": "3.1.0", | |
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" | |
} | |
] | |
} |