test_scratch
/
cti-ATT-CK-v13.1
/mobile-attack
/attack-pattern
/attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d.json
| { | |
| "type": "bundle", | |
| "id": "bundle--a84f6236-d4b3-4c88-a18a-c64a1d57df4b", | |
| "spec_version": "2.0", | |
| "objects": [ | |
| { | |
| "modified": "2023-03-20T18:51:07.651Z", | |
| "name": "Exploitation of Remote Services", | |
| "description": "Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device\u2019s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. \n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1423) or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nDepending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1404) as a result of lateral movement exploitation as well. ", | |
| "kill_chain_phases": [ | |
| { | |
| "kill_chain_name": "mitre-mobile-attack", | |
| "phase_name": "lateral-movement" | |
| } | |
| ], | |
| "x_mitre_deprecated": false, | |
| "x_mitre_detection": "Detecting software exploitation initiated by a mobile device may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.\n\nNetwork traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. \n\nApplication vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network. ", | |
| "x_mitre_domains": [ | |
| "mobile-attack" | |
| ], | |
| "x_mitre_is_subtechnique": false, | |
| "x_mitre_platforms": [ | |
| "Android", | |
| "iOS" | |
| ], | |
| "x_mitre_version": "1.2", | |
| "x_mitre_tactic_type": [ | |
| "Post-Adversary Device Access" | |
| ], | |
| "type": "attack-pattern", | |
| "id": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", | |
| "created": "2017-10-25T14:48:13.259Z", | |
| "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", | |
| "revoked": false, | |
| "external_references": [ | |
| { | |
| "source_name": "mitre-attack", | |
| "url": "https://attack.mitre.org/techniques/T1428", | |
| "external_id": "T1428" | |
| }, | |
| { | |
| "source_name": "NIST Mobile Threat Catalogue", | |
| "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html", | |
| "external_id": "APP-32" | |
| } | |
| ], | |
| "object_marking_refs": [ | |
| "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" | |
| ], | |
| "x_mitre_attack_spec_version": "3.1.0", | |
| "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" | |
| } | |
| ] | |
| } |