Hugging Face's logo

khoicrtp
/
test_scratch

Model card Files Community
test_scratch / cti-ATT-CK-v13.1 /enterprise-attack /attack-pattern /attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9.json
khoicrtp's picture
khoicrtp
Upload 2298 files
5fe70fd
raw
history blame
6.93 kB
{
"type": "bundle",
"id": "bundle--825fd318-4397-4999-95db-e36e338acf4c",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-04-14T19:38:24.089Z",
"name": "Disk Structure Wipe",
"description": "Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. \n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped.\n\nOn a network devices, adversaries may reformat the file system using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `format`.(Citation: format_cmd_cisco)\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "impact"
}
],
"x_mitre_contributors": [
"Austin Clark, @c2defense"
],
"x_mitre_deprecated": false,
"x_mitre_detection": "Look for attempts to read/write to sensitive locations like the master boot record and the disk partition table. Monitor for direct access read/write attempts using the <code>\\\\\\\\.\\\\</code> notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.\n\nFor network infrastructure devices, collect AAA logging to monitor for `format` commands being run to erase the file structure and prevent recovery of the device.",
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows",
"Network"
],
"x_mitre_version": "1.1",
"x_mitre_data_sources": [
"Driver: Driver Load",
"Drive: Drive Modification",
"Drive: Drive Access",
"Command: Command Execution",
"Process: Process Creation"
],
"x_mitre_impact_type": [
"Availability"
],
"type": "attack-pattern",
"id": "attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9",
"created": "2020-02-20T22:10:20.484Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1561/002",
"external_id": "T1561.002"
},
{
"source_name": "format_cmd_cisco",
"description": "Cisco. (2022, August 16). format - Cisco IOS Configuration Fundamentals Command Reference. Retrieved July 13, 2022.",
"url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/F_through_K.html#wp2829794668"
},
{
"source_name": "Unit 42 Shamoon3 2018",
"description": "Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.",
"url": "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/"
},
{
"source_name": "Palo Alto Shamoon Nov 2016",
"description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.",
"url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
},
{
"source_name": "FireEye Shamoon Nov 2016",
"description": "FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html"
},
{
"source_name": "Kaspersky StoneDrill 2017",
"description": "Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.",
"url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf"
},
{
"source_name": "Microsoft Sysmon v6 May 2017",
"description": "Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017.",
"url": "https://docs.microsoft.com/sysinternals/downloads/sysmon"
},
{
"source_name": "Symantec Shamoon 2012",
"description": "Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019.",
"url": "https://www.symantec.com/connect/blogs/shamoon-attacks"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
}