{
"type": "bundle",
"id": "bundle--6fcfe567-df5d-4ad4-9d76-87de8dd321be",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-03-09T18:38:51.471Z",
"name": "Drive-by Compromise",
"description": "Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website.\n\nThe adversary may target a specific community, such as trusted third-party suppliers or other industry-specific groups, which often visit the target website. This kind of targeted attack relies on a common interest and is known as a strategic web compromise or watering hole attack.\n\nThe National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. (Citation: Cybersecurity & Infrastructure Security Agency March 2018) Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging targets and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks against process control, ICS, and critical infrastructure related trade publications and informational websites.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "initial-access"
}
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"None"
],
"x_mitre_version": "1.0",
"x_mitre_data_sources": [
"Process: Process Creation",
"Network Traffic: Network Connection Creation",
"Application Log: Application Log Content",
"File: File Creation",
"Network Traffic: Network Traffic Content"
],
"type": "attack-pattern",
"id": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0817",
"external_id": "T0817"
},
{
"source_name": "Cybersecurity & Infrastructure Security Agency March 2018",
"description": "Cybersecurity & Infrastructure Security Agency. (2018, March 15). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved 2019/10/11.",
"url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
}